Author Topic: VBS/Worm.Raider  (Read 7509 times)


March 05, 2008, 11:08:37 am

jimmyleo

It's a popular VBS worm,
and it has been updated to v8.5 orz...
and it's obscured many times.
If you are interested in it, you can try to decode it ;D

I've uploaded both the original script and the result I already decoded. Enjoy it!

March 12, 2008, 06:50:07 am
Reply #1

sowhat-x

Hey jimmyleo, could you share a bit of the tricks you did there in order to decode it?  ::)

March 13, 2008, 07:40:18 am
Reply #2

jimmyleo

Hello, sowhat-x:

I've written a blog entry describing the process, here:
http://www.jimmyleo.com/read.php?33

But language may be a barrier.
So I can share some of it here briefly.

First level: ASCII; you can use FreShow to decode it (Malzilla also).

Second level: function uc(b) is the key. You can replace the execute with **.value and get it into a textarea, just like eval(); don't forget to add the language type as VBScript, and remember that the function should be reserved for further use.

Third level: you may be puzzled by the great amount of randomized variables. Don't worry, the ":" colons are the key. You can sort them with a syntax-highlighting editor, and execute() is the next key. Also get the plain text by the textarea method, and you will get the following code:

Code:
:execute(uc(dyz)):execute(uc(zcx)):function gt():execute(uc(gtz)):end function:function ei(name,wt):execute(uc(eiz)):end function:function df(wh):execute(uc(dfz)):end function:function bf(wh,wt,da):execute(uc(bfz)):end function:function bi(wh):execute(uc(biz)):end function:function rt(wh,li):execute(uc(rtz)):end function:function wr(rna,rda):execute(uc(wrz)):end function:function rr(rna,pa):execute(uc(rrz)):end function:function ar(file,cg):execute(uc(arz)):end function:function dn(loc,web,ris,min):execute(uc(dnz)):end function:function pr(pcs,gs):execute(uc(prz)):end function:function ec(wt):execute(uc(ecz)):end function:function co(wh):execute(uc(coz)):end function:function rs(sw):execute(uc(rsz)):end function:function hi(sw):execute(uc(hiz)):end function:function gi(ids,fid,eid,fname,furl):execute(uc(giz)):end function:function dw(pcs,fn,furl,kill):execute(uc(dwz)):end function:function us(sw):execute(uc(usz)):end function:function cu():execute(uc(cuz)):end function:function km(sw):execute(uc(kmz)):end function:function cf(wh):execute(uc(cfz)):end function
They may look shocking, but I tried to find some parameters of them, e.g. furl, and failed.
Sure, they are obscured in use.
And knowing that, you can add them together.


Next, you mix up the uc() function, the variables you've sorted before, and the last trick we've done into a standalone .html file.

And at last, use the textarea method to show the whole result.

cheers!

Sorry for my poor English~

regards,
jimi
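The "third level" and "textarea method" steps described in the reply above, as an added analysis helper that is not part of the original thread or the blog entry: it splits a colon-joined VBScript line into statements (honouring colons inside string literals), maps each wrapper function to the payload variable it passes to uc(), and rewrites every execute(uc(x)) into an append to a textarea so a decoded layer is displayed rather than run. The sample line is a constructed excerpt of the quoted code, and the textarea id dumpbox is a hypothetical stand-in for the **.value the post leaves unnamed.

```python
import re

# Constructed excerpt of the colon-joined top-level line quoted in the post
# above (a few of its functions, same shape). Not the worm's full script.
SAMPLE = (
    ":execute(uc(dyz)):execute(uc(zcx))"
    ":function gt():execute(uc(gtz)):end function"
    ":function ei(name,wt):execute(uc(eiz)):end function"
    ":function dn(loc,web,ris,min):execute(uc(dnz)):end function"
)

# VBScript statement shapes the post singles out: the wrapper functions and
# the execute(uc(var)) calls that run each decoded layer.
FUNC_RE = re.compile(r"^function\s+(\w+)\s*\(([^)]*)\)$", re.I)
EXEC_RE = re.compile(r"^execute\s*\(\s*uc\s*\(\s*(\w+)\s*\)\s*\)$", re.I)


def split_statements(line):
    """Split a colon-joined VBScript line into statements.

    ':' separates statements in VBScript, but a ':' inside a string literal
    is data, so quotes are tracked (a doubled "" toggles twice and cancels).
    """
    stmts, buf, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        if ch == ":" and not in_str:
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def map_functions(line):
    """Return (funcs, top_level): funcs maps each wrapper function name to
    (parameter list, payload variable it executes); top_level lists payload
    variables executed outside any function."""
    funcs, top_level, current = {}, [], None
    for stmt in split_statements(line):
        m = FUNC_RE.match(stmt)
        if m:
            params = [p.strip() for p in m.group(2).split(",") if p.strip()]
            current = (m.group(1), params)
            continue
        if stmt.lower() == "end function":
            current = None
            continue
        e = EXEC_RE.match(stmt)
        if e:
            if current:
                funcs[current[0]] = (current[1], e.group(1))
            else:
                top_level.append(e.group(1))
    return funcs, top_level


def rewrite_for_dump(line, sink="dumpbox.value"):
    """The post's 'textarea method': replace every execute(uc(x)) with an
    append to a textarea (sink is a hypothetical element id), so the decoded
    layer is displayed instead of run. uc() itself is left in place, since it
    is still needed to decode. Returns one statement per line."""
    out = []
    for stmt in split_statements(line):
        e = EXEC_RE.match(stmt)
        if e:
            out.append(f"{sink} = {sink} & vbCrLf & uc({e.group(1)})")
        else:
            out.append(stmt)
    return "\n".join(out)


if __name__ == "__main__":
    funcs, top_level = map_functions(SAMPLE)
    print("top-level payloads:", top_level)
    for name, (params, payload) in funcs.items():
        print(f"{name}({', '.join(params)}) -> uc({payload})")
    print(rewrite_for_dump(SAMPLE))
```

The rewritten statements are meant to be pasted next to the original uc() function inside a standalone .html file with a VBScript script block and a textarea, as the post describes; each layer then shows up as text instead of being executed, and the function map tells you which payload variable each wrapper (gt, ei, dn, ...) would have run.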

March 13, 2008, 08:59:01 am
Reply #3

sowhat-x

Thanks jimmyleo!
Saw your blog entry regarding it, but yeah, I couldn't find a way to translate it...
Hope I didn't bother you much with it...  :-[
I had gotten stuck in the "third level", thought what in the world is going on there...
I also tried fiddling with Microsoft's Script Debugger;
after a bit of trial and error, it gave me a partial decoding of it...
but nowhere near as clear/full results as you got...  8)