Thursday, March 20, 2014

VBS virus


A couple of days ago, my wife complained that something was wrong with her USB flash drive (I got this one at a Facebook interview). Every time she tried copying a file from her laptop to the flash drive, instead of the file being copied, only a shortcut was created. My first reply was that she should explicitly copy and paste the file instead of dragging it with the mouse. When that didn't work, I went to take a look.

She was right; something was fishy. Trying to copy a file called file.txt to the USB flash drive resulted in this:

You can see (hopefully) that file.txt and ybogunuqhp.vbs are hidden, and that a shortcut called file was created. The target of this newly created shortcut is 'C:\Windows\system32\cmd.exe /c start ybogunuqhp.vbs&start file.txt&exit'. OK, evidently we have some kind of virus here. It looks like this script creates a shortcut to every file on the USB flash drive and then hides the original file. Each of these shortcuts executes the script and then opens the original (hidden) file, so an unsuspecting user might not notice anything. If I didn't have my folder viewing options set to show hidden files and full extensions, all I'd see is a shortcut to a text file named file... sneaky!
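Here is a small triage script for a drive showing these symptoms. It is an added example, not code from the original post or from the worm itself. It assumes exactly the pattern described above: each original file gets the hidden attribute and a .lnk of the same base name whose arguments are '/c start <script>.vbs&start <file>&exit'. Rather than fully parsing the Shell Link format, it pulls the UTF-16LE argument string out of the .lnk bytes the way `strings -el` would, which is enough to recognise this family of shortcut. The demo drive it builds when run without arguments is constructed sample data; the file and script names in it are the ones from the post.

```python
"""Triage (and optionally clean up) a removable drive hit by the shortcut-hiding VBS worm.

Added example, not from the original post. Assumes the worm's pattern: original file
hidden, plus a .lnk of the same name whose arguments are
'/c start <script>.vbs&start <file>&exit'. The .lnk is not fully parsed; its embedded
UTF-16LE argument string is matched directly.
"""
import os
import re
import stat
import subprocess
import sys
import tempfile

# The worm's shortcut argument string as seen in the post (case-insensitive).
LNK_ARGS_RE = re.compile(
    r"/c\s+start\s+(?P<script>\S+?\.vbs)\s*&\s*start\s+(?P<orig>.+?)\s*&\s*exit", re.I
)


def utf16_strings(data, min_chars=6):
    """Yield printable UTF-16LE runs from raw bytes (what `strings -el` prints)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    for m in re.finditer(pattern, data):
        yield m.group().decode("utf-16-le")


def shortcut_launches_script(lnk_bytes):
    """Return (script_name, original_file) if the shortcut's embedded arguments
    match the worm's '/c start X.vbs&start FILE&exit' pattern, else None."""
    for text in utf16_strings(lnk_bytes):
        m = LNK_ARGS_RE.search(text)
        if m:
            return m.group("script"), m.group("orig").strip()
    return None


def is_hidden(path):
    """Windows hidden attribute; always False elsewhere (st_file_attributes is Windows-only)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_infections(root):
    """Return [(lnk_path, script_name, original_path, original_is_hidden), ...]
    for every shortcut in root that points at a .vbs plus an existing original file."""
    hits = []
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(".lnk"):
            continue
        lnk_path = os.path.join(root, name)
        with open(lnk_path, "rb") as f:
            info = shortcut_launches_script(f.read())
        if info is None:
            continue
        script, original = info
        original_path = os.path.join(root, original)
        if os.path.isfile(original_path):
            hits.append((lnk_path, script, original_path, is_hidden(original_path)))
    return hits


def clean(root, hits, dry_run=True):
    """Unhide each original (attrib -h -s, Windows only) and delete the shortcut and the
    dropped .vbs. With dry_run=True only report what would be done."""
    for lnk_path, script, original_path, _ in hits:
        script_path = os.path.join(root, script)
        print(f"{'would ' if dry_run else ''}unhide {original_path}; remove {lnk_path} and {script_path}")
        if dry_run:
            continue
        if sys.platform == "win32":
            subprocess.run(["attrib", "-h", "-s", original_path], check=False)  # clear hidden/system bits
        for p in (lnk_path, script_path):
            if os.path.isfile(p):
                os.remove(p)


def make_demo_drive():
    """Constructed sample: a temp dir holding file.txt plus a fake file.lnk whose only
    meaningful content is the worm's UTF-16LE argument string. Returns the dir path."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    with open(os.path.join(root, "file.txt"), "w") as f:
        f.write("hello\n")
    args = "/c start ybogunuqhp.vbs&start file.txt&exit".encode("utf-16-le")
    with open(os.path.join(root, "file.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00" + b"\x00" * 72 + args + b"\x00\x00")
    return root


if __name__ == "__main__":
    # usage: python usb_triage.py [drive_root] [--clean]
    drive = next((a for a in sys.argv[1:] if not a.startswith("--")), None) or make_demo_drive()
    found = find_infections(drive)
    for lnk, script, orig, hidden in found:
        print(f"{lnk} -> runs {script}, then opens {orig} (hidden={hidden})")
    clean(drive, found, dry_run="--clean" not in sys.argv)
```

Run it against the drive letter first without `--clean` to see what it matched; the hidden flag in the report is only meaningful on Windows, and the cleanup step on its own does nothing about the copy the worm has already installed on the host, which the rest of the post deals with.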

My next step was checking out ybogunuqhp.vbs, which looks like this:


Well, I'm not a VB programmer, but obviously the actual code of the virus is encrypted in this first very long line. The next few lines simply decrypt and execute the code encoded in the first line. After quickly googling for the VB command to print a string, I commented out the last line of code and replaced it with 'Wscript.Echo anas'.
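The same trick, automated so it can be repeated on each decoded layer. This is an added example, not code from the post: it leaves the decoding lines untouched and rewrites only the final Execute/ExecuteGlobal (or Eval) statement into a WScript.Echo of the same expression, so running the result under cscript prints the decoded script instead of running it. The variable name `anas` in the constructed sample is the one from the post; everything else about the sample is made up. The decoding lines still run, so do this in a throwaway VM.

```python
"""Dump what an obfuscated VBScript would Execute, instead of executing it.

Added example, not from the original post. Comments out each statement of the form
'Execute X', 'ExecuteGlobal(X)' or 'Eval(X)' and appends 'WScript.Echo X' so that
'cscript.exe //nologo dumped.vbs > layer1.txt' prints the decoded code.
"""
import re
import sys

# A whole-line Execute-style statement; the argument may or may not be parenthesised.
EXEC_RE = re.compile(
    r"^(?P<indent>\s*)(?P<verb>Execute(?:Global)?|Eval)\s*\(?\s*(?P<expr>[^()\r\n]+?)\s*\)?\s*$",
    re.IGNORECASE,
)


def defang_execute(script):
    """Return (rewritten_script, count): every matching statement is commented out
    and followed by a WScript.Echo of its argument; other lines are kept verbatim."""
    out, count = [], 0
    for line in script.splitlines():
        m = EXEC_RE.match(line)
        if m is None:
            out.append(line)
            continue
        count += 1
        out.append("' " + line.strip())  # keep the original statement for reference
        out.append(f"{m.group('indent')}WScript.Echo {m.group('expr')}")
    return "\r\n".join(out) + "\r\n", count


def defang_file(src_path, dst_path):
    """Rewrite src_path into dst_path; returns how many statements were replaced."""
    with open(src_path, "r", encoding="latin-1") as f:  # VBS droppers are usually 8-bit text
        rewritten, count = defang_execute(f.read())
    with open(dst_path, "w", encoding="latin-1", newline="") as f:
        f.write(rewritten)
    return count


# Constructed sample in the shape the post describes: one long encoded string,
# a decode step, then Execute of the result.
SAMPLE_VBS = (
    'enc = "...very long encoded blob..."\r\n'
    "anas = Decode(enc)\r\n"
    "Execute anas\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"replaced {defang_file(sys.argv[1], sys.argv[2])} statement(s)")
    else:
        print(defang_execute(SAMPLE_VBS)[0])
```

An inline `If ... Then Execute x` on one line is deliberately not matched, so check the count it reports against what you see in the file; if the echoed output is itself another decode-and-Execute stub, feed the dump back through the same script for the next layer.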

Running this modified script via 'cscript.exe ybogunuqhp.vbs' gave the following output:

The first thing I noticed was the Skype name at the top. I wonder why the guy who wrote this chose to add it... weird. Going over the code, this script does the following:

  1. Installs itself by copying the script file to the host machine and adding itself to the registry for start-up.
  2. Runs in an infinite loop and:
    1. Looks for uninfected files on USB flash drives and infects them (by hiding them and creating a shortcut similar to the one mentioned above).
    2. Polls http://khdt1.zapto.org:43443/ for orders. Orders include downloading/uploading files, retrieving machine information, updating the virus code and executing any command on the host.

Opening http://www.zapto.org/ redirects to http://www.noip.org/, which is a dynamic DNS provider. I guess the guy who's spreading this virus registers his dynamic IP address under this hostname to control infected machines.
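That polling loop is the part a network log would show. Below is an added example (not code from the post) that flags this kind of check-in in web-proxy logs: a client that keeps contacting a dynamic-DNS hostname, either on a non-standard port or at near-constant intervals, gets reported. The log format, the sample lines and the list of dynamic-DNS suffixes are all assumptions of mine; the suffix list is a starter set, not a complete one, and the only real name in the sample is the hostname from the post.

```python
"""Flag likely C2 check-ins to dynamic-DNS hostnames in web-proxy logs.

Added example, not from the original post. The log format and sample lines are
constructed; DYNDNS_SUFFIXES is an assumed starter list, not an exhaustive one.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed starter list of suffixes handed out by dynamic-DNS providers.
DYNDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".ddns.net")

# Constructed sample: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2014-03-20T00:00:00 10.0.0.5 GET http://khdt1.zapto.org:43443/ 200
2014-03-20T00:00:07 10.0.0.9 GET http://www.example.com/index.html 200
2014-03-20T00:01:00 10.0.0.5 GET http://khdt1.zapto.org:43443/ 200
2014-03-20T00:02:00 10.0.0.5 GET http://khdt1.zapto.org:43443/ 200
2014-03-20T00:02:31 10.0.0.9 GET http://www.example.com/logo.png 200
2014-03-20T00:03:00 10.0.0.5 GET http://khdt1.zapto.org:43443/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": u.hostname, "port": port}


def is_dyndns(host):
    return host is not None and host.endswith(DYNDNS_SUFFIXES)


def find_beacons(lines, min_hits=3, max_jitter=0.2):
    """Return {(client, host): reason} for dynamic-DNS hosts a client contacts either
    on a non-standard port or at near-constant intervals (stdev/mean <= max_jitter)."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_dyndns(rec["host"]):
            by_pair[(rec["client"], rec["host"], rec["port"])].append(rec["ts"])
    flagged = {}
    for (client, host, port), times in by_pair.items():
        reasons = []
        if port not in (80, 443):
            reasons.append(f"non-standard port {port}")
        if len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append(f"{len(times)} hits every ~{mean(gaps):.0f}s")
        if reasons:
            flagged[(client, host)] = "; ".join(reasons)
    return flagged


if __name__ == "__main__":
    for (client, host), why in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {why}")
```

Two independent signals are used on purpose: the port check catches the first contact before any timing exists, and the interval check still fires if a later variant moves to port 80. A name resolving to a residential IP range is a third signal worth adding once you have resolver logs.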

Luckily, http://khdt1.zapto.org no longer exists, so no orders came down the line. Oh well, this is probably a good time for me to finally install some antivirus software (never liked 'em).
