Thread: Worm Code Analysis Help

  1. #1
    Join Date
    Aug 2001

    Worm Code Analysis Help

    Last edited by Zetaphor; February 19th, 2013 at 05:49 PM.
    3 Easy Steps To Fixing Windows (Permanently!)
    1) Insert Linux Installation CD (Any Distro)
    2) Read Included Documentation on "Installing"
    3) Install Linux

  2. #2
    Join Date
    Jul 2003
    This is not VB but VBS, which are different languages but have similarities.

    A simple search on Google yielded http://www.visualbasicforum.com/t84868.html

    Yes, in my opinion. VBScript is just a scripting version of VB. There are some minor syntax differences, a few limitations (since it's not full blown VB), a few different built-in functions, and a few minor language differences (for example, all variables are variants - there are no specific types). Even with the slight differences they are very similar. If you know VB, it's easy (IMO) to work with VBScript.

    Stated roughly: VB is a compiled language. You write code and compile it to an EXE to distribute it and use it (unless you just run it and use it in the IDE, in which case it's compiled as needed behind the scenes). A scripting language, like VBScript, is interpreted, which means it's compiled/interpreted on-the-fly by a scripting host (some program or Dll that's called when needed to do the interpreting).

    "The main difference between VBS and VB is that VBS is for the web."

    Not true. You can write .vbs (text file with .vbs extension) full of VBScript that can execute with a double-click (or as a scheduled job). For example, you might write a .vbs instead of a batch file to automate a simple task for windows (if you didn't feel like writing a program). Incidentally, with the right tools one can use VB to handle server-side processing for the web (VB CGI), it's just kind of a pain in the butt (IMO) and ASP is a lot easier to code and manage.

    VB6 has a project type called "IIS Project" which involves a little known (and little used) technology called 'web classes' that do server-side processing for the web similar to ASPs in full blown VB. One problem with web classes is that they compile to a DLL (can be a pain to update compared to a text/ASP file) and they have some clunky syntax issues (IMO).

    Lastly, one can write ActiveX Dlls in VB and create objects from them in ASP/VBScript...to use VB indirectly in a web setting.

    "They are similar. No intelli-sense though."

    As Flyguy indicates, intellisense has nothing to do with the language itself. For example, if you write ASPs with VBScript and use Visual InterDev as your editor, you get intellisense popups with both (properly formed) client and server-side VBScript blocks (and JavaScript blocks too, for that matter).

    As for the code you are referring to, it did set off a virus alert, so please be careful because some may not take it as lightly as I do. Looking at the code, it seems pretty straightforward, and even a non-VB person can see roughly what it does (Anna Kournikova):

    It writes a value in the registry under HKEY_CURRENT_USER\software\onthefly\ with a comment by the author.

    Then it makes a filesystem object in the root directory with the name AnnaKournikova.jpg.vbs. The triple file extension is common to try to hide worms/virii. Then the program checks if the virus has been mailed. If mailed, then end the program.

    If the month is Jan (or Feb, because I do not know if VBS counts months starting at 0 or 1) and the day is the 26th, then show the infected user a web site.

    This is probably the infection routine:

    Set thisScript = FileSystemObject.opentextfile(wscript.scriptfullname, 1)
     If Not (FileSystemObject.fileexists(wscript.scriptfullname)) Then
     End If
    Then create an e-mail on the infected user's machine and send it to everybody on the address list, with the subject and body, with the worm attached. That is pretty easily deduced by just looking at it.

    This kind of infection and mailing routine is pretty common, even though the process and the algorithms might differ. It's basically this way:

    Find a non-infected user.
    Infect the user (insert other nasty side effects here).
    Mail to other non-infected users.
    If the user is infected, go to the next person.

    This is not true 100% of the time and this does not include all worms or virii. Some are written in C, C++, Pascal, ASM, etc., and all have different functions and different payloads (if any). The basic idea is to infect as many as possible as quietly as possible. These kinds of virii, my friend, are not quiet but quick and dirty.
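The double-extension trick mentioned above (AnnaKournikova.jpg.vbs reads as a picture while Windows hands it to the script host, especially with "hide extensions for known file types" on) is easy to flag on the mail gateway or file share. The following is an added example, not code from the thread or from the worm; the extension lists, the function names and the sample attachment names are all constructed for the illustration.

```python
from pathlib import PureWindowsPath

# Types Windows will execute or pass to a script host (constructed list for this example)
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
# Types a user reads as harmless data (constructed list for this example)
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def deceptive_extension(filename):
    """Return (decoy, real) when a data-looking extension sits in front of an
    executable one, e.g. 'AnnaKournikova.jpg.vbs' -> ('.jpg', '.vbs').
    A plain 'report.vbs' or 'holiday.jpg' returns None."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return None
    real = suffixes[-1]          # the extension Windows actually acts on
    if real not in EXECUTABLE_EXTS:
        return None
    for decoy in suffixes[:-1]:  # any earlier data-looking extension is the bait
        if decoy in DECOY_EXTS:
            return decoy, real
    return None


def scan_attachments(names):
    """Return (name, reason) for every attachment name using the trick."""
    findings = []
    for name in names:
        hit = deceptive_extension(name)
        if hit:
            findings.append((name, f"looks like {hit[0]} but runs as {hit[1]}"))
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names, not real captured mail
    sample = ["AnnaKournikova.jpg.vbs", "holiday.jpg", "script.vbs",
              "notes.txt.exe", "archive.tar.gz"]
    for name, why in scan_attachments(sample):
        print(f"{name}: {why}")
```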
