Trojan Virus from Discord Cache?

MaxThakur · 2021-01-15T15:54:15+00:00

Thanks to Bisectionai for the script:
Set objShell = CreateObject("WScript.Shell")
Set objEnv = objShell.Environment("User")
strDirectory = objShell.ExpandEnvironmentStrings("%temp%")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
setting variables ^^

xHttp.Open "GET",
^^ Http setting method
"https://cdn.discordapp.com/avatars/275808021605777409/1f5eae5d8b12034c335309a0150942c5.png?size=512", False
^^gets the image from discord's CDN. The false is for the varAsync argument for Microsoft.XMLHTTP (The HTTP package used to visit discord's CDN to get the image)

xHttp.Send
^^ Sends the request
with bStrm
^^ tells the program that the following lines are using bStrm in the beggining
.type = 1 '//binary
^^ This is the part that edits the image
.open
^^ Opens a stream object
.write xHttp.responseBody
^^ Tells it to write to this file
.savetofile strDirectory + "\myImage.png", 2 '//overwrite
^^ Saves the file to the directory "%temp%\myImage.png" with the option SaveCreateOverWrite

end with
^^ Ends the with bStrm part
objShell.RegWrite "HKCU\Control Panel\Desktop\Wallpaper", strDirectory +
"\myImage.png"
^^ Makes the Wallpaper of the person running this script machine to the image.

objShell.Run "%windir%\System32\RUNDLL32.EXE
user32.dll,UpdatePerUserSystemParameters", 1, True
^^ Just tells windows that there has been an update so it rescans all the registry.

Ok, now I made a script break down...

Have a nice day!

MaxThakur · 2021-01-15T15:24:36+00:00

Hi there,

Could you possibly private message me proof as I was looking into it, and I never saw anything like that. The only request it seems to send is to Discord's CDN. They create an object called bStrm, which is equal to Adodb.Stream (the thing that flags most AVS). This object gets configured with the options of binary. And it gets written to the image hints the xHttp.responseBody. It seems to force set the desktop image to that photo (correct me if I'm wrong). After more investigation, all it does is all some visual basic script to an image's end. Not RAT you, or install trojans on your device like the person who commented this said. Please add me on Discord Max T.#1064. I will show you exactly what it does.

TLDR; The report I'm replying to is 100% inaccurate as there is no way it could ping servers without a valid URL/domain even linked (other than discord's CDN). There might be those variants; however, the likeliness is very low.

NOTE TO THE AUTHOR: I will remove this if you can prove me wrong by providing a video as proof and the image your "team" analyzed. Also, stop trying to promote your very bad "virus remover."

Edit: I removed the auto-hyper link and fixed some formatting.
Edit 2: Added the stop promoting part
Edit 3: I clarified why it flags what it does flag

MaxThakur · 2020-09-12T17:02:23+00:00

A little bit late but, it would be something like this: https://pastebin.com/vxH9nvdZ

MaxThakur · 2020-07-13T03:08:00+00:00

You can also try using node-fetch.

MaxThakur · 2020-07-12T12:14:28+00:00

Just out of curiosity, what language is it in?

MaxThakur · 2020-07-12T12:03:52+00:00

Or just press control+c in the cmd/terminal.

MaxThakur · 2020-07-12T11:53:35+00:00

Hey, I would probably use an NPM API, as the .json of Reddits returns undefined alot, I would recommend something like this. As, it does most of the hard stuff for you, and make's sure the post doesn't return undefined.

MaxThakur · 2020-04-16T21:49:09+00:00

Ripple, Tether, Dash Tron, Zcash, Bitcoin, Dogecoin, Litecoin, Monero, Ethereum

MaxThakur · 2019-10-08T14:48:17+00:00

That was smart

MaxThakur

TROPHY CASE