2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report--
This article walks through the analysis of a VBS script virus sample. The editor found it practical enough to share as a reference; follow along below.
I. Preface
Our malware-course instructor handed us an obfuscated VBS script virus to analyse. The analysis process is written up here for reference. (The sample's author calls the wrapping "encryption"; as the decoding part shows, it is Base64 plus a character-code encoding, so no key is involved.)
II. Outline
The whole analysis process can be divided into the following parts:
0x00 preparation work
0x01 decryption part
0x02 function analysis
III. Analysis process
0x00 preparation work
A Windows XP virtual machine (the original notes you can also work on your own Windows host; for a sample that writes an autostart entry and copies itself to every removable drive, an isolated VM with no USB passthrough and no shared folders is the safer choice)
Some basic VBScript syntax
0x01 decryption part
Right-click the virus file and choose Edit, or rename it to .txt and open it directly. You see a large block of ciphertext and a call to a function named deCrypt. That is all that is visible at this point, so move on.
Scroll to the bottom of the code: the ciphertext is passed through deCrypt and the result is executed, so the payload is wrapped in at least two layers. Comment out the execution and write deCrypt's output to a text file instead. deCrypt itself turns out to be plain Base64 decoding.
Now look at the decoded result. The code is still unreadable, so look at how this layer processes its string.
Here the long string is split on "| dz |", and each piece is an ASCII code; concatenating the corresponding characters (the script does this with Chr in a loop) gives the result. In the same way, write this decoded result out to a file for further analysis.
What comes out this time is the real virus code. Next, its functionality is analysed.
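The two decoding steps above, as an added Python example (not the original analysis script and not the sample's own code). The VBS text it unpacks is constructed here and only mirrors what the write-up describes: Base64 on the outside, a string of decimal character codes on the inside. The page renders the separator as "| dz |"; whether the real sample has spaces around it is unknown, so the regex below accepts both. After unpacking, a quick triage pass lists the C2 verbs handled by the payload's Select Case.

```python
"""Two-layer unpacker for the VBS dropper described above (added example).

Layer 1: Base64 text that deCrypt turns back into VBScript.
Layer 2: a string literal of decimal character codes separated by "|dz|"
(assumed; shown on the page as "| dz |") which a Chr() loop joins together.
"""
import base64
import re

DELIM_RE = re.compile(r"\|\s*dz\s*\|")           # assumed delimiter, whitespace-tolerant
STRING_LIT_RE = re.compile(r'"((?:[^"]|"")*)"')  # a VBS string literal ("" escapes a quote)
CASE_RE = re.compile(r'^\s*Case\s+"([^"]+)"', re.IGNORECASE | re.MULTILINE)


def decode_layer1(blob: str) -> str:
    """Base64 text -> VBScript. Line breaks inside the blob are ignored."""
    return base64.b64decode("".join(blob.split())).decode("latin-1")


def find_code_string(script: str) -> str:
    """Pick the literal holding the codes: the longest one that splits
    cleanly into decimal numbers (so the "|dz|" literal in Split() is skipped)."""
    best = ""
    for lit in STRING_LIT_RE.findall(script):
        toks = [t.strip() for t in DELIM_RE.split(lit)]
        if len(toks) >= 2 and all(t.isdigit() for t in toks) and len(lit) > len(best):
            best = lit
    if not best:
        raise ValueError("no delimiter-separated code string found")
    return best


def decode_layer2(code_string: str) -> str:
    """'104|dz|101|dz|...' -> 'he...' (what the sample's Chr() loop does)."""
    return "".join(chr(int(t)) for t in DELIM_RE.split(code_string))


def unpack(blob: str) -> str:
    """Run both layers and return the real payload script."""
    return decode_layer2(find_code_string(decode_layer1(blob)))


def command_verbs(payload: str) -> list:
    """Quick triage: the C2 verbs handled by the payload's Select Case."""
    return CASE_RE.findall(payload)


# --- constructed sample (not the real malware), built with the inverse steps ---
INNER_SCRIPT = (
    'host = "c2.example.invalid"\r\n'
    'Do While True\r\n'
    '  cmd = post()\r\n'
    '  Select Case cmd\r\n'
    '    Case "execute"\r\n      Execute data\r\n'
    '    Case "cmd-shell"\r\n      result = cmdshell(data)\r\n'
    '    Case "sleep"\r\n      WScript.Sleep data\r\n'
    '  End Select\r\n'
    'Loop\r\n'
)


def pack(inner: str) -> str:
    """Inverse of unpack(); used only to build SAMPLE_BLOB below."""
    codes = "|dz|".join(str(ord(c)) for c in inner)
    layer1 = (
        'Dim s, t, out\r\n'
        's = "' + codes + '"\r\n'
        'For Each t In Split(s, "|dz|")\r\n'
        '  out = out & Chr(t)\r\n'
        'Next\r\n'
        'Execute out\r\n'
    )
    return base64.b64encode(layer1.encode("latin-1")).decode("ascii")


SAMPLE_BLOB = pack(INNER_SCRIPT)

if __name__ == "__main__":
    payload = unpack(SAMPLE_BLOB)
    print(payload)
    print("C2 verbs:", command_verbs(payload))
```

For a real sample, paste the Base64 block into `unpack()`; the "longest all-numeric literal" heuristic in `find_code_string()` is what lets you skip hand-editing the VBS for the second layer. If the sample executes the result with `Execute` or `ExecuteGlobal`, commenting that line out and writing the string to a file, as the write-up does, is the equivalent manual step.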
0x02 function analysis
Read from the top. The script first sets up some configuration, including the domain name of the command-and-control server; a lookup places the server in the United States. Pinging it gets no reply: the server may be configured to drop ICMP, it may no longer be in use, or the Great Firewall may be blocking it. (Contacting a live C2 from your own network also leaks your address to its operator; passive DNS or an isolated sandbox network is the better way to check.)
Then come some variables used later, which are not discussed in detail here.
After that the actual code starts. Because it calls a number of functions, they are numbered below in the order in which they execute, so that the walk-through is easier to follow.
First, the instance function is called.
1.instance function
Sets the usbspreading variable declared earlier and writes it to the registry.
After instance returns, the script enters an endless While True loop in which it keeps fetching commands from the server and executing them. On each pass it first calls the install procedure.
2.install process
install first calls upstart, so look at that first.
2.1 upstart process
Here the script registers itself through the registry so that it starts automatically with Windows.
Back from upstart, the rest of install is longer, so here is what it does.
It scans all drives, and acts on any whose DriveType is 1, i.e. a removable device such as a USB flash drive. It copies the script to the root directory of the removable device and then sets the file's attributes: 2 (Hidden) and 4 (System), without the read-only bit, so the copy stays writable.
Then it enumerates all files in the root directory of the removable device; every file that is not a .lnk is set to hidden + system (still writable). For each one it creates a corresponding shortcut whose target is cmd.exe, with arguments "/c start " & Replace(installname, " ", ChrW(34) & " " & ChrW(34)) & " & start " & Replace(file.name, " ", ChrW(34) & " " & ChrW(34)) & " & exit" (the quoting in this expression was lost in the page's rendering and is reconstructed here; the Replace calls wrap spaces in quotes, presumably so that names containing spaces are still passed as a single argument). Clicking the shortcut therefore first starts the virus script, then starts the real file, then exits cmd, so the victim sees nothing unusual.
The same is done for the folders in the root directory. That ends the analysis of the install procedure; the post function is next.
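A scanner for the removable-drive lure just described, added here as an example (not the sample's code and not from the original write-up). The shortcut signature the sample leaves behind is a .lnk whose cmd.exe arguments chain two "start" commands and an "exit"; this script parses the StringData section of shell-link files (MS-SHLLINK) to read those arguments and flags any that match, then checks whether a same-named original sits beside the lure. Assumptions: the lure is named "<original>.lnk", and the match is made on the arguments alone, since the cmd.exe target lives in the IDList/LinkInfo sections the parser only skips over. build_lnk() is a minimal shell-link writer used only to produce test shortcuts so the example runs without a Windows host; real .lnk files go through the same parser.

```python
"""Added example: find the "start <script> & start <file> & exit" lure
shortcuts that the sample drops on removable drives.
"""
import os
import re
import struct
import tempfile

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# "/c start X & start Y & exit" with anything in between
LURE_RE = re.compile(r"/c\s+start\b.*&\s*start\b.*&\s*exit", re.IGNORECASE)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link: name, relpath, workdir, args, icon."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                     # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                       # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relpath"),
                     (HAS_WORKDIR, "workdir"), (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields


def looks_like_lure(fields: dict) -> bool:
    """The sample's shortcut signature: an argument string chaining two starts."""
    return bool(LURE_RE.search(fields.get("args", "")))


def scan_drive_root(root: str) -> list:
    """Return (lnk name, arguments, original present?) for every lure shortcut."""
    hits = []
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(root, name), "rb") as fh:
            try:
                fields = parse_lnk_strings(fh.read())
            except ValueError:
                continue                         # not a shell link, ignore
        if looks_like_lure(fields):
            original = os.path.join(root, name[:-4])     # assumed "<original>.lnk" naming
            hits.append((name, fields["args"], os.path.exists(original)))
    return hits


def build_lnk(args: str) -> bytes:
    """Minimal shell link carrying only COMMAND_LINE_ARGUMENTS (Unicode); test data only."""
    flags = HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", 76) + LNK_CLSID
              + struct.pack("<IIqqqIIIH", flags, 0, 0, 0, 0, 0, 0, 1, 0)  # ShowCommand = 1
              + b"\x00" * 10)                                            # Reserved1..3
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string_data + b"\x00\x00\x00\x00"                   # TerminalBlock


def demo() -> list:
    """Lay out a constructed infected-drive root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:    # the hidden original
        fh.write(b"\xff\xd8\xff")
    lure = '/c start "usb.vbs" & start "photo.jpg" & exit'
    with open(os.path.join(root, "photo.jpg.lnk"), "wb") as fh:
        fh.write(build_lnk(lure))
    with open(os.path.join(root, "notes.lnk"), "wb") as fh:    # benign shortcut
        fh.write(build_lnk("/k echo hello"))
    return scan_drive_root(root)


if __name__ == "__main__":
    for name, args, present in demo():
        print(f"{name}: {args!r} (original {'present' if present else 'missing'})")
```

On a Windows host, point `scan_drive_root()` at the drive letter; `os.stat(path).st_file_attributes & 0x06` then confirms the hidden + system bits on the originals the scanner reports. Cleaning an infected drive means deleting the lure shortcuts and the dropped script, and clearing those two bits on the originals, not just deleting the .lnk files.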
3.post function
post sends information about the infected machine to the server and fetches the virus author's command data from it. Inside, it calls the information function to collect that machine data; here is how that is implemented.
3.1 information function
The information function collects the hard-disk serial number, details of the operating system, and the security software installed on the machine.
Back in post, the command is now received from the server. Parsing and execution follow, using a Select Case (VBScript's switch) to dispatch the different commands.
4. Parsing and execution of the individual commands
4.1 execute command
The received command data is executed directly.
4.2 update command
Fetches new code from the server to update the virus.
4.3 uninstall command
Calls the uninstall procedure, which reverts the registry changes the virus made and deletes the copies of the script it placed in several other directories.
4.4 send command
Calls the download procedure to download a file from the server.
4.5 site-send command
Calls the sitedownloader procedure, which also fetches something from the server, but this one appears to retrieve a web page's source rather than a file.
4.6 recv command
Calls the upload function to upload the specified file to the server.
4.7 enum-driver, enum-faf, enum-process commands
Call the corresponding functions to enumerate, respectively, all drives, all files and folders in a specified directory, and all processes on the system.
4.8 cmd-shell command
Calls the cmdshell function to run the received cmd command and return its output to the server.
4.9 delete command
Calls the deletefaf procedure to delete the specified file or folder.
4.10 exit-process command
Calls exitprocess to terminate the specified process.
4.11 sleep command
Sets the script's sleep interval.
That covers every command. After executing whichever one was received, the virus sleeps for the configured interval and then goes back to fetching commands from the server.
IV. Summary
To sum up what this analysis taught:
1. Base64 encoding: for analysis you do not need the implementation details, but you must at least recognise it and be able to decode it.
2. VBScript itself.
3. How a program is made to start automatically by writing to the registry.
4. Basic debugging: for obscure parts of the code, dumping the intermediate results is the fastest way to understand them.
Cleaning up the VM afterwards was also straightforward. My method was to take a section of the ciphertext and search the disk for it, deleting every .vbs file that contains it. That leaves the registry change in place, but since the file it points to is gone, it does no harm. (A leftover autostart entry pointing at a missing file is still worth removing, so that a later copy cannot simply reuse it.) Another way is to lift the uninstall module out of the virus, call it on its own, and let it revert all the changes.
This sample shows a virus communicating with its server, modifying the file system and modifying the registry, all from VBScript. Other languages could do the same; the author probably chose VBScript because nearly every Windows installation ships with an interpreter for it, which makes spreading easy, and because it is easy to learn. In short, each language has its own strengths; what matters is whether those strengths match the author's needs.
Thank you for reading! This is the end of the article on "sample analysis of VBS script viruses"; I hope it was of some help.