VBS/Pub.A
Analysis
Specifics
This VBScript virus contains instructions to send itself by email as an attachment, infect other script files and also delete all files in all folders on the hard drive and on each mapped drive. The VBScript code contains encrypted instructions, with a decryption loop, and is polymorphic.
The VBScript incorporates a technique of manipulating the instructions by changing the case of the code between upper and lower case, presumably in an effort to evade detection. The virus does not auto-start or auto-load and only runs when infected files are opened. Infected files contain the viral code appended to the original host. The viral body is approximately 5620 bytes.
Encrypted/Polymorphic VBScript Decryption
If an infected file is opened, the host content runs first and then the appended virus body VBScript code executes. The main code body is stored in a two-layered encrypted form. The encryption uses a character offset algorithm and a formula method of decryption. The decryption loop runs and writes a file "pubprn.vbs" to the Windows folder; this file contains a second layer of encryption and another decryption loop. The created file "pubprn.vbs" is then executed. When this occurs, a second instance of WScript.exe runs in memory and is visible in the task list.
When "pubprn.vbs" is decrypted, the instructions are stored in a variable and then executed directly in memory. The code is polymorphic in addition to being encrypted; the polymorphic routine uses a randomizer to change the case of the instructions alternating between upper and lower case in random fashion. For instance, instructions may exist in varying formats such as these examples -
eND IF
EnD iF
enD If
and so on. The decrypted code contains instructions to perform the following actions -
* search recursively through all directories for target files to append its VBScript code; files with these extensions may become infected - .VBS, .VBE, .HTM, .HTT, .HTA, .HTML and .ASP
* delete all files in all folders on the current drive, and on all mapped drives, if the day of the month is the 6th, 13th, 21st or 28th
* send itself as an attachment by MAPI email with the subject "rE", "RE" or "Re" - the attached file could be any infected file from the host system
In testing, the mass-mailing functionality failed.
Script File Infection
The virus may search for files with the extensions .VBS, .VBE, .HTM, .HTT, .HTA, .HTML and .ASP and append its code. For files which are not .VBS or .VBE, the virus takes care to insert VBScript tags so that the appended code executes when the HTML-type file is opened.
File Deletion Payload
When an infected file is opened and the day of the month is the 6th, 13th, 21st or 28th, the virus invokes its file deletion routine. The VBScript enumerates files in all folders and deletes each file found. Then, using the instruction "SeekNetCopyDrives", the virus identifies all mapped drives and begins to delete files in all folders for each drive found.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, enable blocking of these extensions via MAPI, POP3 and IMAP services:
  .vbs
  .vbe
  .htt
  .hta
  .asp
.HTM and .HTML are omitted because these file types are not inherently dangerous and are often non-malicious attachments to emails. For added security, block these two extensions as well.
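As an added example (not part of the Fortinet write-up), the following Python illustrates two defender-side checks drawn from the sections above: a triage heuristic for HTML-type hosts that carry a VBScript block appended after the closing </html> tag, with case normalisation so the case-randomising polymorphism described under "Encrypted/Polymorphic VBScript Decryption" does not defeat matching, and the attachment-extension blocklist from "Recommended Action". The sample file contents are constructed and the function names are my own; nothing here is a signature for the real sample.

```python
import os.path
import re

# Extensions the Recommended Action section says to block on MAPI/POP3/IMAP;
# .htm/.html are listed as optional ("for added security").
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".htt", ".hta", ".asp"}
OPTIONAL_EXTENSIONS = {".htm", ".html"}


def should_block_attachment(filename: str, strict: bool = False) -> bool:
    """True if the attachment name falls under the recommended blocklist;
    strict=True additionally blocks .htm/.html."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in BLOCKED_EXTENSIONS or (strict and ext in OPTIONAL_EXTENSIONS)


def normalize_case(script: str) -> str:
    """VBScript keywords are case-insensitive, so lower-casing collapses the
    randomised variants ('eND IF', 'EnD iF', 'enD If') back to one form."""
    return script.lower()


def keyword_case_variants(script: str, keyword: str = "end if") -> int:
    """Count distinct capitalisations of a keyword. Hand-written scripts use
    one or two spellings; a case-randomising engine produces many, so a high
    count is a cheap polymorphism indicator (a heuristic, not a signature)."""
    pattern = re.compile(r"\s+".join(re.escape(w) for w in keyword.split()), re.I)
    return len({m.group(0) for m in pattern.finditer(script)})


# Opening VBScript tag, searched on case-normalised text.
_VBS_TAG = re.compile(r'<script\s+language\s*=\s*["\']?vbscript["\']?')


def appended_vbscript_in_html(content: str) -> bool:
    """Flag an HTML-type host (.htm/.html/.htt/.hta/.asp) whose VBScript block
    sits after the closing </html> tag, the layout an infected file has once
    the viral body is appended. Files without </html> are not judged here."""
    text = normalize_case(content)
    end = text.rfind("</html>")
    return end != -1 and _VBS_TAG.search(text, end) is not None


# Constructed samples (not real virus code): a clean page with inline VBScript,
# and the same page with a case-randomised script block appended after </html>.
SAMPLE_CLEAN = '<html><body><script language="VBScript">End If</script></body></html>\n'
SAMPLE_INFECTED = SAMPLE_CLEAN + '<SCRIPT LANGUAGE="VBScript">\neND IF\nEnD iF\nenD If\n</SCRIPT>\n'
```

Plain .VBS/.VBE hosts carry no tags to anchor on, so for those only the case-variant count applies; pair it with the vendor signature rather than using it alone.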
Telemetry
Detection Availability
Product | Detection Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2018-10-30 | 63.81200 | Sig Updated |