So this virus has hit our school very hard because the antivirus our school implemented could not keep up with the supposed recovery solution they installed.
(Apparently AhnLab V3 Internet Security expired due to slightly incorrect CMOS clock and lack of internet connectivity -- I call them V3 Intranet Insecurity)
I managed to pull the samples and obfuscated VBS file from one of the badly infected computer.
I traced the source to a wrapper with supposed game installer inside from one of the computer in the class.
It has infected 60% of entire computers in the class.
1. "hello.vbs" and the infamous "(software)_package.exe"
It is essentially a obfuscated VBS file in a wrapper that runs legitimate file AND the script at the same time, so the user is fooled into proceeding.
It is based on MPRESS and Batch to EXE Converter.
The batch script inside is shown below despite it being so simple even 8 year old child can do it:
The script is easily reversed with text editor, due to the way obfuscation is implemented.
The script is encoded in decimal with spaces replaced with eight digit number, like "23844594".
The obfuscation code is shown below (the code section has been snipped to prevent code reuse) :
Then I did the exactly same thing with Notepad++ (ditto about code snip) :
So I went online and fed it into converter, which returned (ditto) :
The code is exactly same as the infamous Dunihi VBS Worm, but with its host and few things changed, mostly settings.
I hope this qualifies as reversing
(please don't kill me)
(Apparently AhnLab V3 Internet Security expired due to slightly incorrect CMOS clock and lack of internet connectivity -- I call them V3 Intranet Insecurity)
I managed to pull the samples and obfuscated VBS file from one of the badly infected computer.
I traced the source to a wrapper with supposed game installer inside from one of the computer in the class.
It has infected 60% of entire computers in the class.
1. "hello.vbs" and the infamous "(software)_package.exe"
It is essentially a obfuscated VBS file in a wrapper that runs legitimate file AND the script at the same time, so the user is fooled into proceeding.
It is based on MPRESS and Batch to EXE Converter.
The batch script inside is shown below despite it being so simple even 8 year old child can do it:
Code: Select all
2. The "hello.vbs"@echo off
set name=Binding+of+Isaac+Rebirth
start hello.vbs
start %name%_package1.exe
exit
The script is easily reversed with text editor, due to the way obfuscation is implemented.
The script is encoded in decimal with spaces replaced with eight digit number, like "23844594".
The obfuscation code is shown below (the code section has been snipped to prevent code reuse) :
Code: Select all
So I searched for SPLIT function, and found that it essentially removes the string in the last section from the first section.anas = "398686764(snip)"
anas = SPLIT(anas,"8686764")
FOR X = 0 TO UBOUND(anas) -1
Xmy = Xmy & ChrW(anas(X))
NEXT
EXECUTE ((Xmy))
Then I did the exactly same thing with Notepad++ (ditto about code snip) :
Code: Select all
Then found out it is decimal ASCII.anas = "39 60 91 32 114 101 99 111 100 101 114 32 58 32 104 111...So I went online and fed it into converter, which returned (ditto) :
Code: Select all
SUCCESS!'<[ recoder : houdini (c)...The code is exactly same as the infamous Dunihi VBS Worm, but with its host and few things changed, mostly settings.
I hope this qualifies as reversing
(please don't kill me)
