GUESS WHO'S STILL ALIVE
ok but am i?
i am, just kidding. i started working and totally lost track of everything but I'm back now. and I'm gonna do one blog entry a week lessgoooo
so this is the ILOVEYOU malware challenge from BTLO. pretty straightforward but fun nonetheless. let's hope I get to do an update where I do an actual binary analysis on the malware. done December 3.
ok so learning what all this means one by one. rem is used to write comments, and dim is used to define variables.
then we define vbscopy which is used for file reading. then wscr is used to create a shell script object, then it reads registry keys in windows scripting host/settings/timeout, and if it's >= 1, then it's turned to zero. why tho??? what does it do??
lemme google girls wait. ah ok so time out basically tells how long the processor has to wait before executing whatever command. ok let's move on.
then we find some special folders(????) in windows, temp and system directory. then the vbscopy is copied into mskernel32, win32dll etc etc. now that is the real deal. that's what i wanna analyse. anyway, maybe later.
then we have some function definitions i think?? regruns, html, spreadtoemail and listadriv. so we'll see these functions one by one.
regruns
defines two variables num and regread. then we add two reg keys in the run directory that are for mskernel32 and win32dll vbscripts so they both run on startup. then we get internet explorer's download directory from the registry keys and if it's not there we use c drive.
then it looks for winfat32.exe, which i read was a trojan, and if it does exist, it randomises a number from 1 to 4, then depending on whatever number, edits the regkey so the ie start page navigates to a website where it downloads win-bugsfix.exe. ok i think we've reached the second question.
yup, had to tell the domain which is added to homepage.
now, we move to the next function
listadriv
wait there are more questions we can answer. the place where vbscopy happened, it's up there, win32, mskernel32 and love letter for you
the file that looks for filesystem is winfat32.exe.
now listadriv will list out the folders for you.
now infectfiles function happens, which creates a mirc script. now what is that???
ok its a windows specific scripting language. anyway
so its long, but the basic thing is it copies itself into specific files with specific extensions, like first into js, jse, css, wsh, sct, hta extension, then with jpg or jpeg extension, then with mp3, mp2 extension.
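quick added example (mine, not code from the original post or from the BTLO challenge): a little python triage script that takes a vbscript source and flags the behaviours described above, i.e. the run-key persistence from regruns, the wsh timeout being zeroed, the ie start page being rewritten, outlook automation from spreadtoemail, and the list of file extensions infectfiles goes after. the vbscript fixture inside it is constructed for the demo and only contains the indicative lines, not the worm itself; the rule names and the example.invalid url are my own made-up ones.

```python
import re

# Constructed VBScript fixture for the demo. It is NOT the worm's source; it just
# contains the shapes of the lines the write-up talks about so the rules have
# something to match against.
SAMPLE_VBS = r'''
rem constructed test fixture, not real malware
dim wscr, regv, dirsystem, fso, f1, ext
set wscr = CreateObject("WScript.Shell")
regv = wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if regv >= 1 then
  wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
end if
wscr.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", dirsystem & "\MSKernel32.vbs"
wscr.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32DLL", dirsystem & "\Win32DLL.vbs"
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://example.invalid/download/"
set out = CreateObject("Outlook.Application")
ext = LCase(fso.GetExtensionName(f1.Path))
if ext="js" or ext="jse" or ext="css" or ext="wsh" or ext="sct" or ext="hta" then
elseif ext="jpg" or ext="jpeg" then
elseif ext="mp3" or ext="mp2" then
end if
'''

# Each rule: (finding name, regex). If the regex has a group, the group is the
# evidence we keep; otherwise the whole matched text is.
RULES = [
    # WSH Timeout forced to 0 so the script is never killed for running too long
    ("wsh_timeout_disabled",
     r'RegWrite\s+"[^"]*Windows Scripting Host\\Settings\\Timeout",\s*0\b'),
    # value name written under the Run key = startup persistence
    ("run_key_persistence",
     r'RegWrite\s+"[^"]*\\CurrentVersion\\Run\\([^"]+)"'),
    # IE start page rewritten to some url (the win-bugsfix.exe download trick)
    ("ie_start_page_hijack",
     r'RegWrite\s+"[^"]*Internet Explorer\\Main\\Start Page",\s*"([^"]*)"'),
    # Outlook automation object = mass-mailing capability
    ("outlook_automation",
     r'CreateObject\("Outlook\.Application"\)'),
    # extensions the script compares against when walking the filesystem
    ("file_type_targeting",
     r'\bext\s*=\s*"([a-z0-9]+)"'),
]


def triage(source: str) -> dict:
    """Return {finding name: [evidence, ...]} for every rule, empty list if no hit."""
    findings = {name: [] for name, _ in RULES}
    for name, pattern in RULES:
        for m in re.finditer(pattern, source, re.IGNORECASE):
            findings[name].append(m.group(m.lastindex or 0))
    return findings


def is_worm_like(findings: dict) -> bool:
    """Persistence plus a spreading mechanism (mail or file overwrite) is the
    combination this write-up describes, so that is what we call worm-like."""
    persists = bool(findings["run_key_persistence"])
    spreads = bool(findings["outlook_automation"]) or bool(findings["file_type_targeting"])
    return persists and spreads


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    for name, hits in result.items():
        print(f"{name:22s} {hits if hits else '-'}")
    print("worm-like:", is_worm_like(result))
```

the point is not the regexes themselves (the real sample obfuscates nothing, so plain pattern matching is enough here) but the combination: a run key plus an outlook object or an extension walk is the shape that should make you stop and look, even in a script that otherwise reads like a harmless helper.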
then a bunch of functions that were defined before
now, spreadtoemail
go to outlook and get namespace. then the rest is pretty straightforward sending an email but what is WAB in the registry keys??? googlay time.
oh, windows address book, got it
right, i keep forgetting, i have to answer questions. right, script.ini for the file generated, barok was the trojan, the email service should be outlook, the entry is done tooooooo, wait, ok it's this long one i'm pasting from iloveyou
oh the last question is cool, i think it should be the dword that is set to 1? let me see.
yup! done. now to try and do a micro analysis on the actual malware would be more fun. i hope i do an update to this soon. BYE!