VBS script virus features and how to prevent 3 (RPM)

5. Introduction to the principle of VBS virus production machine
　　
The so-called virus production machine refers to the software that can produce virus source code directly according to the user's choice. This may seem incredible to many people, but it's very easy to implement for a script virus.
　　
The scripting language is interpreted, does not need to be compiled, and does not require any validation and positioning in the program, separating each statement with a clearer one. In this way, the virus function is made into a number of separate modules, after the user makes the virus function selection, the production machine only need to put together the corresponding functional modules, and finally the corresponding code replacement and optimization. Due to the length of the relationship and other reasons, there is no detailed description.
　　
Third, how to prevent VBS script virus
　　
1. How to extract (encrypt) a script virus from a sample
　　
For a script virus that is not encrypted, we can find it directly from the virus sample, and now we'll show you how to extract the encrypted VBS script virus from the virus sample, and here we take the new happy hour example.
　　
Open Folder.htt with Jediedit. We found this file in total only 93 lines, the first line, a few lines after the comment to start, the end of the section. Believe that everyone knows what kind of file it is!
　　
Line 87th to 91, is the following statement:
87:
　　
Lines 87th and 91 do not have to be explained, line 88th is the assignment of a string, which is obviously a virus code that has been encrypted. Take a look at the last piece of code in line 89 Thistext = Thistext & Tempchar, plus the following line, we can certainly guess thistext inside is the virus decryption code (familiar with the VBS brother can certainly analyze this decryption code, too Simple! should be able to see it without looking at the code at all). The 90th line is to execute the code that was just Thistext (after the decrypted code).
　　
So, what's the next step? Very simply, we can solve the problem by outputting the contents of Thistext to a text file after the virus code is decrypted. Since the lines above are VBScript, I created the following. txt file:
　　
First, copy 88th, 892 lines to the. txt file you just created, and of course you can enter the 90th line at the end if you want to see how the new Happy Hour will perform. Then enter the create file and write the Thistext to the file VBS code on the following line, as shown in the entire file:
　　
exestring = "Afi ..." 88th line of code
Execute ("Dim Keyar ... ' 89th line of code
Set Fso=createobject ("Scripting.FileSystemObject")
' Create a File system object
Set Virusfile=fso.createtextfile ("Resource.log", True)
' Create a new file Resource.log,
Used to store the decrypted virus code virusfile.writeline (Thistext)
' Write the decrypted code to Resource.log
　　
Ok! As simple as that, save the file, change the file suffix. txt to. vbs (. VBE also), double-click, you will find that the file directory is more than one file Resource.log, open this file, how about? is not the source of "new Happy Hour" Ah!
　　
2. VBS script Virus Weaknesses
The VBS script virus, because it is written in a script, is not as flexible as a PE file, and its operation is conditional (although this condition is available by default). The author believes that the VBS script virus has the following weaknesses:
1) The vast majority of VBS script viruses need to use an object when running: FileSystemObject
　　
2) VBScript code is passedWindowsScript host to interpret the execution.
　　
3) The operation of the VBS script virus requires the support of its associated program Wscript.exe.
　　
4) virus that spreads through Web pages requires ActiveX support
　　
5) virus transmitted by email requires OE's automatic email support, but most viruses are mainly transmitted by email.
　　
3. How to prevent and remove VBS script viruses
　　
In response to the above mentioned VBS script virus weaknesses, the author puts forward the following centralized preventive measures:
　　
1) Disable File system object FileSystemObject
　　
Method: Use regsvr32 scrrun.dll/u This command to prohibit file system objects. Where Regsvr32 isWindowsthe executable file under System. or directly find the Scrrun.dll file to delete or rename.
　　
Another way to do this is to find an entry for the primary key {0d43fe01-f093-11cf-8940-00a0c9054228} under Hkey_classes_rootclsid in the registry, click.
　　
2) UninstallWindowsScripting Host
　　
In theWindows98 (NT 4.0 or above), open the [Control Panel]→[Add/Remove Programs]→[Windowsinstaller]→[attachment], cancel "WindowsScripting Host "one item.
　　
As in the above method, a key of the primary key {f935dc22-1cf0-11d0-adb9-00c04fd58a0b} is found under Hkey_classes_rootclsid in the registry, clicked.
　　
3) Delete the VBS, VBE, JS, jse file suffix name and application mappings
　　
Click the [MyComputer]→[View]→[Folder Options]→[file Type], and then delete the VBS, VBE, JS, jse file suffix name and application mappings.
　　
4) inWindowsdirectory, find WScript.exe, change the name or delete, if you think you have the opportunity to use later, it is better to change the name, of course, can be re-installed later.
　　
5) to fully control VBSNetworkworm, and you need to set up your browser. We first open the browser and click the [Custom Level] button on the "Internet Options" Security tab in the menu bar. Set all ActiveX controls and plugins to disabled, so you're not afraid. Oh, for example, the new happy Hour of the ActiveX component if not run,Networkthe spread of this function is finished.
　　
6) The automatic mail-sending function of OE is forbidden.
　　
7) Since most worms use files to extend a masterpiece, avoid it by hiding the extensions of known file types in your system. WindowsThe default is "Hide extension names for known file types" and modify them to show extension names for all file types.
　　
8) Put the system'sNetworkthe security level setting for a connection is at least medium, and it can prevent some harmful Java programs or some ActiveX components from violating the computer to some extent.
　　
9 hehe, the last one does not say everyone should also know, antivirus software is really necessary, although some antivirus software quite let the vast number of users disappointed, however, the choice is on both sides of the OH. In this virus flying sidewaysNetwork, if your machine is not loaded with anti-virus software I think it is quite incredible.
　　
Iv. prospects for the development of all script-like viruses
　　
WithNetworkof rapid development,Networkworms are getting popular, and VBS scripting worms are more prominent, not only large, but also powerful. Since the use of scripting virus is relatively simple, in addition to continue to popular current VBS script virus, will gradually appear more other script-like virus, such as Php,js,perl virus. But scripts are not the best tool for real virus technology enthusiasts to write viruses, and scripting viruses are easier and relatively easy to prevent. The author believes that the script virus will continue to be popular, but can have like macro virus, new happy time as the big impact of the script worm virus is only a few

VBS script virus features and how to prevent 3 (RPM)