VBS/Pub.A

Analysis


Specifics
This VBScript virus contains instructions to send itself by email as an attachment, to infect other script files, and to delete all files in all folders on the hard drive and on each mapped drive. The VBScript code contains encrypted instructions with a decryption loop, and is polymorphic.

The VBScript alters the case of its instructions, mixing upper and lower case, presumably in an effort to foil detection. The virus does not auto-start or auto-load and only runs when infected files are opened. Infected files contain the viral code appended to the original host. The viral body is approximately 5620 bytes.


Encrypted/Polymorphic VBScript Decryption
If an infected file is opened, the host content will activate and then the appended virus body VBScript code will execute. The main code body is stored in a two-layered encrypted form. The encryption uses a character offset algorithm and a formula method of decryption. The decryption loop runs and writes a file "pubprn.vbs" to the Windows folder which contains a second layer of encryption, and another decryption loop. The created file "pubprn.vbs" is then executed. When this occurs, a second instance of WScript.exe will run in memory, and is visible in the task list.

When "pubprn.vbs" is decrypted, the instructions are stored in a variable and then executed directly in memory. The code is polymorphic in addition to being encrypted; the polymorphic routine uses a randomizer to switch the case of the instructions between upper and lower case at random. For instance, a single instruction may appear in varying forms such as these -

eND IF
EnD iF
enD If

and so on. The decrypted code contains instructions to perform the following actions -

* search recursively through all directories for target files to append its VBScript code; files with these extensions may become infected - .VBS, .VBE, .HTM, .HTT, .HTA, .HTML and .ASP

* delete all files in all folders on the current drive, and on all mapped drives, if the day of the month is the 6th, 13th, 21st or 28th

* send itself as an attachment by MAPI email with the subject "rE", "RE" or "Re" - the attached file could be any infected file from the host system

In testing, the mass-mailing functionality failed.


Script File Infection
The virus may search for files with the extensions .VBS, .VBE, .HTM, .HTT, .HTA, .HTML and .ASP and append its code. For files which are not .VBS or .VBE, the virus takes care to insert VBScript tags so that the appended VBScript still executes from within the HTML host.
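The case-flipping polymorphism described above and the HTML infection footprint suggest a simple normalization-based check. The following is an added example for defenders, not code from the original analysis or from Fortinet: it lower-cases and whitespace-collapses a script before matching, so "eND IF" and "EnD iF" variants normalize to the same text, and it flags a VBScript block appended after the closing </html> tag. The indicator strings are the names quoted in this analysis; the sample inputs are constructed and are not the virus's code.

```python
import re

# Indicator strings quoted in the analysis above; matched case-insensitively,
# because the virus randomises the case of its instructions.
INDICATORS = ("pubprn.vbs", "seeknetcopydrives")

# Extensions the analysis lists as infection targets.
TARGET_EXTENSIONS = (".vbs", ".vbe", ".htm", ".htt", ".hta", ".html", ".asp")


def normalize(code: str) -> str:
    """Lower-case the script and collapse runs of whitespace.

    Case-flipping polymorphism changes the bytes of every infected file
    but not this normalized form, so a signature written against the
    normalized text survives each variant.
    """
    return re.sub(r"\s+", " ", code.lower()).strip()


def find_indicators(code: str) -> list:
    """Return the indicator strings present in the normalized script."""
    norm = normalize(code)
    return [ind for ind in INDICATORS if ind in norm]


def looks_appended_after_html(code: str) -> bool:
    """True when a VBScript block follows the closing </html> tag.

    Constructed heuristic: the analysis states that for non-.VBS/.VBE hosts the
    virus appends its body and inserts VBScript tags, so a script block after
    </html> is the footprint of that appending.
    """
    norm = normalize(code)
    end = norm.rfind("</html>")
    if end == -1:
        return False
    return re.search(r"<script[^>]*vbscript", norm[end:]) is not None


def should_inspect(filename: str) -> bool:
    """Only the extensions the virus targets need this check."""
    return filename.lower().endswith(TARGET_EXTENSIONS)


# Constructed samples (not the virus's real code): two case-polymorphic
# variants of the same instructions, and an HTML host with an appended block.
SAMPLE_VARIANT_A = 'Set fso = CreateObject("Scripting.FileSystemObject")\nEnD If\nx = "PubPrn.vbs"'
SAMPLE_VARIANT_B = 'SET FSO = createobject("scripting.filesystemobject")\nenD iF\nX = "pUbPrN.VbS"'
SAMPLE_HTML = '<html><body>hi</body></html>\n<SCRIPT LANGUAGE="VBScript">seekNETcopyDRIVES\n</SCRIPT>'
```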


File Deletion Payload
When an infected file is opened and the day of the month is the 6th, 13th, 21st or 28th, the virus invokes its file deletion routine. The VBScript enumerates files in all folders and deletes each file found. Then, using the routine named "SeekNetCopyDrives", the virus identifies all mapped drives and deletes the files in all folders of each drive found.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of these extensions via MAPI, POP3 and IMAP services -

    .vbs
    .vbe
    .htt
    .hta
    .asp

    .HTM and .HTML are omitted because these file types are not inherently dangerous and are often non-malicious email attachments. For added security, block these two extensions as well.

Telemetry

Detection Availability

Product                      Availability
FortiClient                  Extreme
FortiMail                    Extreme
FortiSandbox                 Extreme
FortiWeb                     Extreme
Web Application Firewall     Extreme
FortiIsolator                Extreme
FortiDeceptor                Extreme
FortiEDR

Version Updates

Date         Version    Detail
2018-10-30   63.81200   Sig Updated