Source: Ghost blog
Preface:
Not long ago I caught a VBS script virus. I was baffled at first, but I was lucky enough to find a complete walkthrough of the decryption process. Thanks to that excellent post I had a step-by-step solution, and this post is the result. (Click to view the original post)
Warning:
1. The code below is the source of a VBS virus and may harm your computer. Run it only in a virtual machine. If you have been infected with this virus, see "Non-mainstream virus - Simple Analysis and Handling of script virus (VBS virus)" to clear the virus.
2. Do not use the restored source code for illegal activities.
Virus source (garbled): 1.txt
First decryption
Note this line. Its last statement was originally execute (y); change it to Intercept (y):
    y = "execute": z = "&chr(&h": w = ")"
    execute ("do while len(x) > 1: if isnumeric(left(x, 1)) then y = y & z & left(x, 2) & w: x = mid(x, 3) else y = y & z + left(x, 4) + w: x = mid(x, 5)" & vbcrlf & "loop")
    Intercept (y): end
Intercept code:
    Sub Intercept (y)
        ' Show the decoded layer and write it to a file instead of running it.
        ' Change OutPutFile at each stage (decode_2.txt, decode_3.txt, ...).
        WScript.Echo y
        OutPutFile = "decode_2.txt"
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objTXT = objFSO.CreateTextFile(OutPutFile, True, False)
        objTXT.Write y
        objTXT.Close
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run OutPutFile      ' opens the dump in the default text editor
        WScript.Quit                 ' stop here so nothing after the dump runs
    End Sub
Save the modified script as a .vbs file and run it; the first layer is written to decode_2.txt.
Decode_2.txt
Second decryption
Open decode_2.txt. Again change execute to Intercept (writing to decode_3.txt this time).
Save the code as a .vbs file and run it.
decode_3.txt
Third decryption
In decode_3.txt, change execute (uc (l0 + q0)) to B = l0 + q0, and in the body of the uc function below change its Execute to Intercept:
    c = vbcrlf: d = 127: f = 11: j = 12: h = 14: m = 31: r = 83: k = 1: n = 8: s = 114: u = -5: v = 5
    I = "if a =": t = "then": e = "elseif a >=": a = " and a <= ": g = "a = a +": o = t & c & g: p = c & e: q = c & I
    ' Builds the decoding loop as text and runs it; l and rn are not defined
    ' in the listing (an undefined variable is Empty, which concatenates as "").
    Execute (l & "for ii = 1 to len (B): a = asc (mid (B, ii, 1)) " _
        & q & " d " & t & " a = 13 " _
        & q & " f " & t & " a = 10 " _
        & q & " j " & t & c & "a = 34" _
        & c & e & "h" & a & "m" & o & "r" _
        & p & "k" & a & "n" & o & "s" _
        & p & "53" & a & "57" & o & "u" _
        & p & "48" & a & "52" & o & "v " _
        & c & "end if" & c & "uc = uc + chr (a) " & c & " next " & c & " uc = rn + c + uc ")
Save the code as a .vbs file and run it to obtain decode_4.txt.
decode_4.txt
Fourth decryption
Open the original garbled program, locate execute (uc (l0 + q0)) and change execute to Intercept.
Save the code as a .vbs file and run it to obtain decode_5.txt.
decode_5.txt
Fifth decryption
Open decode_5.txt. In the statement beginning
    execute (ext & "dyz)" & ext & "zcx)" & fut & "gt()" & ext & "gtz" & aft & "ei(name, wt)" & ext & "eiz" & aft & "df(wh)" & ext & "dfz" & aft & "bf(wh, wt, da)" & ext & "bfz" & aft & "bi(wh)" & ext & "biz" & aft & "rt(wh, li)" & ext & "rtz" & aft & "wr(rna, rda)" & ext & "wrz" & aft & "rr(rna, pa)" & ext & "rrz" & a
again change execute to Intercept.
Save the code as a .vbs file and run it to obtain decode_6.txt.
decode_6.txt
Sixth decryption
Open decode_5.txt and append the following at the end of the code.
First, the string exported from decode_6.txt, assigned to SourceStr (each *z name holds one encoded function body that uc decodes when the function is called):
    SourceStr = ": execute(uc(dyz)): execute(uc(zcx))" _
        & ": function gt(): execute(uc(gtz)): end function" _
        & ": function ei(name, wt): execute(uc(eiz)): end function" _
        & ": function df(wh): execute(uc(dfz)): end function" _
        & ": function bf(wh, wt, da): execute(uc(bfz)): end function" _
        & ": function bi(wh): execute(uc(biz)): end function" _
        & ": function rt(wh, li): execute(uc(rtz)): end function" _
        & ": function wr(rna, rda): execute(uc(wrz)): end function" _
        & ": function rr(rna, pa): execute(uc(rrz)): end function" _
        & ": function ar(file, cg): execute(uc(arz)): end function" _
        & ": function dn(loc, web, ris, min): execute(uc(dnz)): end function" _
        & ": function pr(pcs, gs): execute(uc(prz)): end function" _
        & ": function ec(wt): execute(uc(ecz)): end function" _
        & ": function co(wh): execute(uc(coz)): end function" _
        & ": function rs(sw): execute(uc(rsz)): end function" _
        & ": function hi(sw): execute(uc(hiz)): end function" _
        & ": function gi(ids, fid, eid, fname, furl): execute(uc(giz)): end function" _
        & ": function dw(pcs, fn, furl, kill): execute(uc(dwz)): end function" _
        & ": function us(sw): execute(uc(usz)): end function" _
        & ": function cu(): execute(uc(cuz)): end function" _
        & ": function km(sw): execute(uc(kmz)): end function" _
        & ": function cf(wh): execute(uc(cfz)): end function"
Then the uc function exported from decode_3.txt:
    Function uc (B)
        c = vbcrlf: d = 127: f = 11: j = 12: h = 14: m = 31: r = 83: k = 1: n = 8: s = 114: u = -5: v = 5
        I = "if a =": t = "then": e = "elseif a >=": a = " and a <= ": g = "a = a +": o = t & c & g: p = c & e: q = c & I
        ' Builds the decoding loop as text and runs it. The generated code is:
        '   for ii = 1 to len(B): a = asc(mid(B, ii, 1))
        '   if a = d then a = 13
        '   if a = f then a = 10
        '   if a = j then a = 34
        '   elseif a >= h and a <= m then a = a + r
        '   elseif a >= k and a <= n then a = a + s
        '   elseif a >= 53 and a <= 57 then a = a + u
        '   elseif a >= 48 and a <= 52 then a = a + v
        '   end if: uc = uc + chr(a): next: uc = rn + c + uc
        ' l and rn are not defined in the listing (an undefined variable is
        ' Empty, which concatenates as "").
        Execute (l & "for ii = 1 to len (B): a = asc (mid (B, ii, 1)) " _
            & q & " d " & t & " a = 13 " _
            & q & " f " & t & " a = 10 " _
            & q & " j " & t & c & "a = 34" _
            & c & e & "h" & a & "m" & o & "r" _
            & p & "k" & a & "n" & o & "s" _
            & p & "53" & a & "57" & o & "u" _
            & p & "48" & a & "52" & o & "v " _
            & c & "end if" & c & "uc = uc + chr (a) " & c & " next " & c & " uc = rn + c + uc ")
    End Function
Save the code as a .vbs file and run it to obtain the final decrypted virus source code.
2.txt
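The uc routine is the only real decoding step in the sample: it assembles an if/elseif chain from the constants d, f, j, h, m, r, k, n, s, u, v and runs it with Execute. The Python port below is an added example, not code from the blog or from the virus, that applies the same per-character rules directly, so a layer dumped by Intercept can be decoded offline without executing any of the virus. The names rn and l are undefined in the page's listing; the port treats rn as an optional, empty-by-default prefix and drops l, which only prefixes the generated loop text. The encoder and the sample statement are constructed here for the demonstration.

```python
"""Static port of the sample's "uc" decoder (added example, not the blog's or
the virus author's code). It applies the same per-character rules that the
VBScript builds with Execute, so a layer dumped by Intercept can be decoded
offline without running anything from the sample."""

# Constants as named in the page's listing: d f j h m r k n s u v.
D, F, J = 127, 11, 12          # single-character remaps
H, M, R = 14, 31, 83           # 14..31 -> +83  ('a'..'r')
K, N, S = 1, 8, 114            # 1..8   -> +114 ('s'..'z')
U, V = -5, 5                   # '5'..'9' -> -5, '0'..'4' -> +5 (digit halves swap)


def uc_char(a: int) -> int:
    """Decode one character code exactly as the generated if/elseif chain does."""
    if a == D:
        return 13                     # 127 -> CR
    if a == F:
        return 10                     # 11  -> LF
    if a == J:
        return 34                     # 12  -> double quote
    if H <= a <= M:
        return a + R                  # control chars -> 'a'..'r'
    if K <= a <= N:
        return a + S                  # control chars -> 's'..'z'
    if 53 <= a <= 57:
        return a + U                  # '5'..'9' -> '0'..'4'
    if 48 <= a <= 52:
        return a + V                  # '0'..'4' -> '5'..'9'
    return a                          # everything else is untouched


def uc(b: str, rn: str = "") -> str:
    """Decode a whole layer. The original ends with `uc = rn + c + uc`; rn is
    never defined in the blog's listing (assumption: an empty prefix), so it is
    an optional parameter here."""
    return rn + "\r\n" + "".join(chr(uc_char(ord(ch))) for ch in b)


def uc_bytes(data: bytes, rn: str = "") -> str:
    """Decode a dump written by the page's Intercept sub. CreateTextFile(...,
    False) writes ANSI, and every code the cipher touches is below 128, so
    latin-1 reads the file losslessly."""
    return uc(data.decode("latin-1"), rn)


def encode_like_sample(plain: str) -> str:
    """Inverse of uc_char, used only to construct test input. Where two codes
    decode to the same character (13 and 127 -> CR, etc.) the obfuscating one
    is preferred so the special cases are exercised."""
    inv = {}
    for a in range(128):
        p = uc_char(a)
        if p != a or p not in inv:
            inv[p] = a
    return "".join(chr(inv[ord(ch)]) for ch in plain)


if __name__ == "__main__":
    # Constructed sample: a harmless statement, not a string from the virus.
    plain = 'msgbox "hello 2019"'
    hidden = encode_like_sample(plain)
    print(repr(hidden))          # mostly control characters, as in 1.txt
    print(repr(uc(hidden)))      # '\r\nmsgbox "hello 2019"'
```

Reading the table the other way explains what 1.txt looks like: lowercase letters become control characters 1..31, the two halves of the digit range are swapped, and line breaks and double quotes become codes 127, 11 and 12, while anything else (uppercase letters and most punctuation) passes through unchanged. That is why the raw source looks like binary garbage yet still runs as VBScript once decoded.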