A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #29304  by FTL2000
 Sat Oct 01, 2016 11:13 am
So this virus has hit our school very hard because the antivirus our school implemented could not keep up with the supposed recovery solution they installed.
(Apparently AhnLab V3 Internet Security expired due to slightly incorrect CMOS clock and lack of internet connectivity -- I call them V3 Intranet Insecurity)

I managed to pull the samples and obfuscated VBS file from one of the badly infected computer.
I traced the source to a wrapper with supposed game installer inside from one of the computer in the class.
It has infected 60% of entire computers in the class.

1. "hello.vbs" and the infamous "(software)_package.exe"
It is essentially a obfuscated VBS file in a wrapper that runs legitimate file AND the script at the same time, so the user is fooled into proceeding.
It is based on MPRESS and Batch to EXE Converter.

The batch script inside is shown below despite it being so simple even 8 year old child can do it:
Code: Select all
@echo off
set name=Binding+of+Isaac+Rebirth
start hello.vbs
start %name%_package1.exe
exit
2. The "hello.vbs"
The script is easily reversed with text editor, due to the way obfuscation is implemented.
The script is encoded in decimal with spaces replaced with eight digit number, like "23844594".

The obfuscation code is shown below (the code section has been snipped to prevent code reuse) :
Code: Select all
anas = "398686764(snip)"
anas = SPLIT(anas,"8686764")
FOR X = 0 TO UBOUND(anas) -1
Xmy = Xmy & ChrW(anas(X))
NEXT
EXECUTE ((Xmy))
So I searched for SPLIT function, and found that it essentially removes the string in the last section from the first section.
Then I did the exactly same thing with Notepad++ (ditto about code snip) :
Code: Select all
anas = "39 60 91 32 114 101 99 111 100 101 114 32 58 32 104 111...
Then found out it is decimal ASCII.
So I went online and fed it into converter, which returned (ditto) :
Code: Select all
'<[ recoder : houdini (c)...
SUCCESS!

The code is exactly same as the infamous Dunihi VBS Worm, but with its host and few things changed, mostly settings.

I hope this qualifies as reversing :oops:
(please don't kill me)