Analysis of the working principle of a VBS script virus

Source: Internet
Author: User
Tags: base64, decrypt, sleep

I. Preface

Our virus class teacher gave us a copy of a VBS script virus to try to analyze. I am posting the analysis process here for everyone's reference; if you find anything wrong or have any suggestions, please leave me a message. Thank you!

II. Table of Contents

The whole analysis process is divided into the following sections:

0x00 Preparation Work
0x01 Decryption
0x02 Function Analysis

III. Analysis Process

0x00 Preparation Work

A Windows XP virtual machine (your own Windows machine also works)

Some basic VBS syntax

0x01 Decryption

Right-click the virus file and choose Edit, or rename its extension to .txt and open it directly. Inside you can see a large block of ciphertext and a call to a function named decrypt. Just note this for now and keep reading.

Scrolling to the bottom of the code, there is another decrypt call, so the payload was encrypted twice. Here I commented out the part that executes the result and instead wrote the decrypted output to a text file. You can also see that the encryption is Base64.

Now look at the decoded result. The code is still unreadable, so keep looking at how it is processed next.

Here you can see that the previous string is split on "|dz|", which yields a list of ASCII codes; the characters corresponding to these codes are concatenated, and that gives the result. With the same routine, write the decrypted result to a file and continue the analysis.

This time the result is the real virus code. The next step is to analyze what it does.
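The two-stage unwrapping described above, as an added example that is not part of the original post or of the virus itself: a Base64 stage is peeled off (twice, which is my assumption about the layer order; `peel_layers` accepts any order), then the "|dz|"-delimited character codes are mapped back to text. Every intermediate result is kept so each stage can be dumped to a file the way the post does. The sample plaintext and the `build_sample_ciphertext` helper are constructed here purely to exercise the decoder.

```python
import base64
import re

# Constructed sample: a harmless stand-in for the decoded script.
SAMPLE_PLAINTEXT = 'MsgBox "hello"\r\nWScript.Sleep 5000'

DELIM = "|dz|"  # the separator the post identifies in the second stage


def encode_chr_layer(text: str) -> str:
    """Inverse of decode_chr_layer; only used to build test input."""
    return DELIM.join(str(ord(c)) for c in text)


def decode_chr_layer(blob: str) -> str:
    """Split on the delimiter and map each numeric code back to its character
    (the Chr()-and-concatenate loop the post describes)."""
    parts = [p for p in blob.split(DELIM) if p != ""]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a |dz|-delimited list of character codes")
    return "".join(chr(int(p)) for p in parts)


def decode_base64_layer(blob: str) -> str:
    """Base64-decode one layer; whitespace is stripped first because the
    ciphertext inside the script is wrapped over many lines."""
    compact = re.sub(r"\s+", "", blob)
    return base64.b64decode(compact, validate=True).decode("latin-1")


def peel_layers(blob: str, layers):
    """Apply the named decoding stages in order and return every intermediate
    result (index 0 is the input, index -1 the final plaintext)."""
    decoders = {"base64": decode_base64_layer, "chr": decode_chr_layer}
    stages = [blob]
    for name in layers:
        stages.append(decoders[name](stages[-1]))
    return stages


def build_sample_ciphertext(text: str) -> str:
    """Constructed: wrap plaintext in the assumed layer order
    (chr layer innermost, then Base64 twice)."""
    inner = encode_chr_layer(text).encode("latin-1")
    once = base64.b64encode(inner)
    return base64.b64encode(once).decode("ascii")


if __name__ == "__main__":
    wrapped = build_sample_ciphertext(SAMPLE_PLAINTEXT)
    for i, stage in enumerate(peel_layers(wrapped, ["base64", "base64", "chr"])):
        # In a real analysis each stage would be written to its own file.
        print(f"stage {i}: {stage[:60]!r}")
```

Run it as a script to see each stage; on a real sample, replace `wrapped` with the ciphertext string lifted from the script and adjust the layer list until the last stage is readable VBS.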

0x02 Function Analysis

Reading from the beginning, the script first sets out some configuration information, including the server's domain name. The server can be traced to the United States. I tried pinging it but got no reply; perhaps the server is configured not to answer ping, perhaps it is no longer in use, or perhaps our country's firewall simply blocks it...

Then come some variables used later on; no detailed explanation here.

Then comes the main code. Because it calls many different functions, I number the functions below in order of execution so they can be read in sequence; otherwise it feels very messy.

The instance function is called first.

1. instance function

Assigns a value to the earlier variable usbspreading and writes it to the registry.

After the instance function has run, the script enters an infinite while true loop, constantly reading commands from the server and executing them. Inside the loop, the install procedure is invoked first.

2. install procedure

install in turn calls upstart, so let's look at that first.

2.1 upstart procedure

This registers the virus script to run at boot via the registry.

Then, back from upstart, continue with the rest of the install code. It is a bit long, so I will describe what it does directly.

It scans all drives; if the drive type is 1 an action is taken, because type 1 means a removable device, which is how USB flash drives and similar media get infected. It copies the script to the root directory of the removable device and then sets the file attributes: 2 is a hidden file, readable and writable, and 4 is a system file, readable and writable.

Then it gets all the files in the root directory of the removable device; each one that is not an LNK file is set to hidden, system, readable and writable. A corresponding shortcut is then created whose target is cmd.exe, with the argument "/c start " & Replace(Installname, " ", ChrW() & " " & ChrW()) & " & start " & Replace(File.name, " ", ChrW() & " " & ChrW()) & " & exit". In other words, clicking the shortcut launches the script virus, then starts the real file, and then exits cmd.

Then it does the same for the folders under the root directory. That completes the analysis of install; next, the post function.
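The infection pattern just described (an original file or folder made hidden+system, with a look-alike .lnk beside it) is easy to check for from a defender's side. The following is an added example, not code from the post: it takes a directory listing of a removable drive's root as (name, attributes) pairs and reports shortcuts whose name mirrors a hidden+system sibling, plus any hidden+system script in the root. The attribute values 2 and 4 are the ones the post names; the directory bit 16 is the standard Win32 value. The shortcut naming convention (`name.ext.lnk` or `name.lnk`) is an assumption, and the directory listing is constructed for the example; `list_root` shows how a live listing could be collected on Windows with the real `GetFileAttributesW` API.

```python
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 2      # value named in the post
FILE_ATTRIBUTE_SYSTEM = 4      # value named in the post
FILE_ATTRIBUTE_DIRECTORY = 16  # standard Win32 value
MASK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


@dataclass
class Entry:
    name: str
    attributes: int


# Constructed listing of a removable drive root. "System Volume Information"
# is legitimately hidden+system and has no shortcut twin, so it must not be flagged.
SAMPLE_ROOT = [
    Entry("updater.vbs", MASK),
    Entry("report.docx", MASK),
    Entry("report.docx.lnk", 32),
    Entry("photos", MASK | FILE_ATTRIBUTE_DIRECTORY),
    Entry("photos.lnk", 32),
    Entry("notes.txt", 32),
    Entry("System Volume Information", MASK | FILE_ATTRIBUTE_DIRECTORY),
]


def is_hidden_system(entry: Entry) -> bool:
    return entry.attributes & MASK == MASK


def stem(name: str) -> str:
    """Drop the last extension: 'report.docx.lnk' -> 'report.docx'."""
    return name.rsplit(".", 1)[0] if "." in name else name


def find_masked_pairs(entries):
    """Return (shortcut, masked_sibling) pairs: an .lnk whose base name matches
    a sibling file or folder that has been made hidden+system."""
    hidden = [e for e in entries
              if is_hidden_system(e) and not e.name.lower().endswith(".lnk")]
    pairs = []
    for lnk in entries:
        if not lnk.name.lower().endswith(".lnk"):
            continue
        wanted = stem(lnk.name).lower()
        for e in hidden:
            if wanted in (e.name.lower(), stem(e.name).lower()):
                pairs.append((lnk.name, e.name))
    return pairs


def find_hidden_scripts(entries):
    """Hidden+system script files sitting in the drive root."""
    return [e.name for e in entries
            if is_hidden_system(e) and e.name.lower().endswith((".vbs", ".vbe"))]


def assess(entries):
    pairs = find_masked_pairs(entries)
    scripts = find_hidden_scripts(entries)
    return {"masked_pairs": pairs, "hidden_scripts": scripts,
            "suspicious": bool(pairs) and bool(scripts)}


def list_root(drive: str):
    """Windows only: build Entry objects for a real drive root using the
    Win32 GetFileAttributesW call (returns 0xFFFFFFFF on error)."""
    if os.name != "nt":
        raise OSError("live listing is only available on Windows")
    import ctypes
    entries = []
    for name in os.listdir(drive):
        attrs = ctypes.windll.kernel32.GetFileAttributesW(os.path.join(drive, name))
        if attrs != 0xFFFFFFFF:
            entries.append(Entry(name, attrs))
    return entries


if __name__ == "__main__":
    print(assess(SAMPLE_ROOT))
```

On a Windows analysis box, `assess(list_root("E:\\"))` runs the same checks against a mounted drive; the pairing logic deliberately ignores hidden+system entries with no shortcut twin so that legitimate system folders do not produce noise.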

3. post function

post's job is to send information about the infected machine to the server and to fetch the virus author's command data from the server. Inside it calls the information function to collect details of the infected machine, so let's see how that is implemented.

3.1 information function

The information function collects the hard drive serial number, system-related information, and the security software installed on the computer.

Execution now returns from post with the server's command. Next comes command parsing: a VBS Select Case structure dispatches each command to its handler.

4. Parsing and execution of the various commands

4.1 execute command

Directly executes the received command.

4.2 update command

Fetches data from the server to update the virus.

4.3 uninstall command

Calls the uninstall procedure to undo the registry modifications made by the virus and delete the copies of the virus script that were placed in several other directories.

4.4 send command

Invokes the download procedure to download files from the server.

4.5 site-send command

Calls the sitedownloader procedure, which also downloads from a server, but this one appears to fetch a website's source code and the like...

4.6 recv command

Calls the upload function to upload the specified file.

4.7 enum-driver, enum-faf, enum-process commands

Call the corresponding functions to enumerate all drive information, all files and folders in the specified directory, and all processes on the system.

4.8 cmd-shell command

Calls the cmdshell function to execute the received cmd command and return its output to the server.

4.9 delete command

Calls the deletefaf procedure to delete the specified file or folder.

4.10 exit-process command

Calls exitprocess to terminate the specified process.

4.11 sleep command

Sets the script's sleep interval.

That covers all the commands. After executing the relevant command, the virus sleeps for the specified time and then goes back to fetching commands from the server.

IV. Summary

Here is a summary of the analysis above and what I learned from it:

1. A study of Base64 encoding. For practical analysis you do not need to know the implementation details, but you at least need to be able to use it.

2. Learning VBS.

3. Making a specified program start automatically by setting the registry.

4. Basic debugging skills: for obscure parts of the code, dumping intermediate results makes them much faster to understand.

During the experiment I also worked out how to clean up. My method was to take a piece of the ciphertext and search for it, then delete any VBS file containing that string. The registry is not restored this way, but since the file it points to at startup has been deleted, it does not matter. Another way is to take the uninstall module out of the virus and call it on its own to restore all the changes.

Also, this time we can see that the virus uses VBS to communicate with the server, modify the file system, modify the registry, and so on. Other languages could do the same; I think the virus author chose VBS because most Windows installations have a VBS interpreter, which makes it easy to spread, and VBS is easy to learn. In short, each language has its own characteristics; the key is whether its strengths match the needs.
