I found a virus. It infects Word documents and turns them into .scr (screensaver) files that keep the Word document icon. If you click an infected document, the virus extracts itself as an .exe, copies itself into the Application Data folder, infects the registry, and then opens the clicked Word document. I have tried to recover the documents using VB. I thought the virus appends the document to the body of its own program and, when the virus is clicked, extracts itself and the document somewhere and then decrypts the document file with RC4. So I read the program body byte by byte and tried to split it into the document part and the virus part, and to write the document bytes into a new file. But the main problem is that I am still confused about how to read the program body byte by byte. As seen on http://blog.fox-it.com/2012/08/09/xd...reading-virus/ it is explained:
1. You can find this from the separator "[+++scarface+++]" at offset 0x24a00 or 0x25000 depending on the infector version
2.The RC4 key appears to be consistent in all versions: \x0d\x0a\x05\x0f\x59\x7b\x38\x5a\x5b\x36\x31\x69\x7e\x0d\x0d\x09
my question:
1. How do I find the marker "[+++scarface+++]" in the program body? Should I read the program body byte by byte, or as hex/decimal? Or do I have to decrypt it first? I see they found it with the pda pro disassembler, but I am not experienced with that program.
2. \x0d\x0a\x05\x0f\x59\x7b\x38\x5a\x5b\x36\x31\x69\x7e\x0d\x0d\x09 (this rc4 key for decryption?)
3. I am using the RC4 method below to decrypt, but I still do not understand whether it is meant for decrypting or encrypting, and whether it works on bytes or on strings...
and I am using the code after it to read the bytes:
can anybody help to find way or give me suggestion what should I do next?
1. You can find this from the separator "[+++scarface+++]" at offset 0x24a00 or 0x25000 depending on the infector version
2.The RC4 key appears to be consistent in all versions: \x0d\x0a\x05\x0f\x59\x7b\x38\x5a\x5b\x36\x31\x69\x7e\x0d\x0d\x09
my question:
1. How do I find the marker "[+++scarface+++]" in the program body? Should I read the program body byte by byte, or as hex/decimal? Or do I have to decrypt it first? I see they found it with the pda pro disassembler, but I am not experienced with that program.
2. \x0d\x0a\x05\x0f\x59\x7b\x38\x5a\x5b\x36\x31\x69\x7e\x0d\x0d\x09 (this rc4 key for decryption?)
3. I am using the RC4 method below to decrypt, but I still do not understand whether it is meant for decrypting or encrypting, and whether it works on bytes or on strings...
Code:
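' RC4 stream cipher applied to the bytes of Expression, keyed by the bytes of
' Password. RC4 is a plain XOR against a keystream (see the Xor below), so the
' same call both encrypts and decrypts: RC4(RC4(s, k), k) = s.
'
' Both arguments are converted with StrConv(..., vbFromUnicode), i.e. through
' the system ANSI code page, and the result is converted back with vbUnicode.
' Binary data read with Input$ passes through the same code page, so the bytes
' are expected to survive the round trip, but confirm on a known sample before
' trusting a recovered file.
'
' Returns "" when either argument is empty. Keys longer than 256 bytes are
' truncated to 256, the maximum RC4 key length.
'
' Compared with the original: the keystream loop now runs over the actual byte
' array bounds (the original ran to Len(Expression) inclusive, one past the
' last byte, and hid the resulting index error behind On Error Resume Next);
' no errors are suppressed any more.
Public Function RC4(ByVal Expression As String, ByVal Password As String) As String
    Dim S(0 To 255) As Integer
    Dim Key() As Byte
    Dim Data() As Byte
    Dim i As Long, j As Long, n As Long
    Dim KeyLen As Long
    Dim Temp As Integer

    If Len(Password) = 0 Or Len(Expression) = 0 Then Exit Function

    If Len(Password) > 256 Then Password = Left$(Password, 256)
    Key() = StrConv(Password, vbFromUnicode)
    ' Byte length of the key, which may differ from Len(Password) (characters).
    KeyLen = UBound(Key) - LBound(Key) + 1

    ' Key-scheduling: identity permutation, then swaps driven by the key.
    For i = 0 To 255
        S(i) = i
    Next i
    j = 0
    For i = 0 To 255
        j = (j + S(i) + Key(LBound(Key) + (i Mod KeyLen))) Mod 256
        Temp = S(i): S(i) = S(j): S(j) = Temp
    Next i

    ' Keystream generation, XORed in place over exactly the bytes of Data.
    Data() = StrConv(Expression, vbFromUnicode)
    i = 0: j = 0
    For n = LBound(Data) To UBound(Data)
        i = (i + 1) Mod 256
        j = (j + S(i)) Mod 256
        Temp = S(i): S(i) = S(j): S(j) = Temp
        Data(n) = Data(n) Xor S((S(i) + S(j)) Mod 256)
    Next n

    RC4 = StrConv(Data, vbUnicode)
End Function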
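' RC4 over the characters of sText keyed by sKey, one Asc/Chr$ per character.
' Standard RC4 is a plain XOR against the keystream, so the same call encrypts
' and decrypts.
'
' The original routed the XOR through pvCryptXor, which returns the keystream
' byte instead of 0 whenever the plaintext byte equals the keystream byte. That
' mapping is not its own inverse (a 0x00 plaintext byte decrypts to the
' keystream byte), so it corrupts real RC4 data such as a Word document, which
' contains many 0x00 bytes. A plain Xor is used here.
'
' Returns "" for an empty sText, and also for an empty sKey (the original
' raised a division-by-zero error from "lIdx Mod Len(sKey)").
' Asc/Chr$ go through the ANSI code page; on a DBCS locale a character is not
' guaranteed to be one byte -- TODO confirm for the locale in use.
Public Function CryptRC4(sText As String, sKey As String) As String
    Dim baS(0 To 255) As Byte
    Dim baK(0 To 255) As Byte
    Dim bytSwap As Byte
    Dim lI As Long
    Dim lJ As Long
    Dim lIdx As Long
    Dim lKeyLen As Long
    Dim sOut As String

    lKeyLen = Len(sKey)
    If lKeyLen = 0 Then Exit Function

    ' Key-scheduling: identity permutation and the key repeated to 256 bytes.
    For lIdx = 0 To 255
        baS(lIdx) = lIdx
        baK(lIdx) = Asc(Mid$(sKey, 1 + (lIdx Mod lKeyLen), 1))
    Next
    For lI = 0 To 255
        lJ = (lJ + baS(lI) + baK(lI)) Mod 256
        bytSwap = baS(lI): baS(lI) = baS(lJ): baS(lJ) = bytSwap
    Next

    ' Keystream generation. The output is preallocated and written with the
    ' Mid$ statement instead of growing the result by concatenation, which is
    ' quadratic on a document-sized input.
    sOut = Space$(Len(sText))
    lI = 0: lJ = 0
    For lIdx = 1 To Len(sText)
        lI = (lI + 1) Mod 256
        lJ = (lJ + baS(lI)) Mod 256
        bytSwap = baS(lI): baS(lI) = baS(lJ): baS(lJ) = bytSwap
        Mid$(sOut, lIdx, 1) = Chr$(baS((CLng(baS(lI)) + baS(lJ)) Mod 256) Xor Asc(Mid$(sText, lIdx, 1)))
    Next
    CryptRC4 = sOut
End Function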
' XOR of lI and lJ, except that equal inputs return lJ instead of 0.
' This is not a plain XOR and is therefore not its own inverse; it is kept
' only so that code still calling it behaves as before.
Private Function pvCryptXor(ByVal lI As Long, ByVal lJ As Long) As Long
    pvCryptXor = IIf(lI = lJ, lJ, lI Xor lJ)
End Function
' Hex encoding of sText: two uppercase hex digits per character (its Asc
' value), e.g. "AB" -> "4142". Returns "" for an empty string.
Public Function ToHexDump(sText As String) As String
    Dim i As Long
    Dim sOut As String
    Dim sByte As String

    ' Preallocate the output and fill it in place.
    sOut = String$(2 * Len(sText), "0")
    For i = 1 To Len(sText)
        sByte = Hex$(Asc(Mid$(sText, i, 1)))
        If Len(sByte) = 1 Then sByte = "0" & sByte
        Mid$(sOut, 2 * i - 1, 2) = Right$(sByte, 2)
    Next
    ToHexDump = sOut
End Function
' Inverse of ToHexDump: every pair of hex digits becomes one Chr$ character,
' e.g. "4142" -> "AB". A trailing single digit is converted on its own;
' non-hex input raises a type-mismatch error from CLng.
Public Function FromHexDump(sText As String) As String
    Dim lPos As Long
    Dim sOut As String

    lPos = 1
    Do While lPos <= Len(sText)
        sOut = sOut & Chr$(CLng("&H" & Mid$(sText, lPos, 2)))
        lPos = lPos + 2
    Loop
    FromHexDump = sOut
End Function
Code:
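' Recover the document embedded in the infected file using the RC4 function
' above.
'
' VB6 has no "\x.." string escapes: passing "\x0d\x0a..." as a literal uses
' those 64 characters as the key, so the 16 key bytes quoted in the notes are
' built with Chr$ instead. The notes say the document can be found from the
' "[+++scarface+++]" separator (around offset 0x24a00 / 0x25000), so the bytes
' after the separator are decrypted rather than the whole file; whether anything
' else sits between the separator and the document is not stated here -- confirm
' against a known sample. The original also had an unterminated string literal
' in the Open statement for recovery.doc.
Dim ff As Integer
Dim strcontents As String
Dim sKey As String
Dim lSep As Long
Const SEPARATOR As String = "[+++scarface+++]"

sKey = Chr$(&H0D) & Chr$(&H0A) & Chr$(&H05) & Chr$(&H0F) & Chr$(&H59) & Chr$(&H7B) & Chr$(&H38) & Chr$(&H5A) & _
       Chr$(&H5B) & Chr$(&H36) & Chr$(&H31) & Chr$(&H69) & Chr$(&H7E) & Chr$(&H0D) & Chr$(&H0D) & Chr$(&H09)

ff = FreeFile
Open "h:/a.virus" For Binary Access Read As #ff
strcontents = Input$(LOF(ff), ff)
Close #ff

' Binary comparison so the separator is matched byte-exactly.
lSep = InStr(1, strcontents, SEPARATOR, vbBinaryCompare)
If lSep = 0 Then
    MsgBox "Separator " & SEPARATOR & " not found in h:/a.virus"
Else
    ' Open For Binary does not truncate an existing file, so remove any stale
    ' output first; otherwise a longer old recovery.doc keeps its tail bytes.
    If Len(Dir$("h:/recovery.doc")) > 0 Then Kill "h:/recovery.doc"
    ff = FreeFile
    Open "h:/recovery.doc" For Binary Access Write As #ff
    Put #ff, , RC4(Mid$(strcontents, lSep + Len(SEPARATOR)), sKey)
    Close #ff
End If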
Code:
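' Variant of the recovery that decrypts a fixed region of the infected file
' instead of searching for the separator. The offset and length were found by
' trial (the commented-out lengths in the original were earlier attempts) and
' are kept as named values so they can be adjusted in one place.
'
' The key is built byte by byte because VB6 does not interpret "\x.." escapes;
' the original passed the 64-character literal as the key. The unused
' fixed-length "data2" variable and the hard-coded file number #1 are gone
' (both files now come from FreeFile), and the input file is closed before
' the output is written.
Dim conten As String
Dim sKey As String
Dim fIn As Integer
Dim fOut As Integer
Dim lOffset As Long
Dim lLength As Long

lOffset = 259147   ' 1-based byte position passed to Get
lLength = 47566    ' earlier attempts: 47565, 47559

sKey = Chr$(&H0D) & Chr$(&H0A) & Chr$(&H05) & Chr$(&H0F) & Chr$(&H59) & Chr$(&H7B) & Chr$(&H38) & Chr$(&H5A) & _
       Chr$(&H5B) & Chr$(&H36) & Chr$(&H31) & Chr$(&H69) & Chr$(&H7E) & Chr$(&H0D) & Chr$(&H0D) & Chr$(&H09)

' Get reads Len(conten) bytes into a variable-length String in Binary mode.
conten = Space$(lLength)
fIn = FreeFile
Open "h:/a.virus" For Binary Access Read As #fIn
Get #fIn, lOffset, conten
Close #fIn

' Open For Binary does not truncate an existing file; drop any stale output.
If Len(Dir$("h:/recovery.doc")) > 0 Then Kill "h:/recovery.doc"
fOut = FreeFile
Open "h:/recovery.doc" For Binary Access Write As #fOut
Put #fOut, , RC4(conten, sKey)
Close #fOut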
can anybody help to find way or give me suggestion what should I do next?