Disclaimer: This post is about a real virus, really seen in the wild. It was written on the sole goal of helping the reader to better protect itself. This post is NOT about writing viruses. I will NOT provide any source code nor any directions to build a virus. If this is what you were looking for: Please, I beg you to change your mind and start building something useful to the community instead of attacking it. Thanks for reading.
I recently identified a virus called “iTunesHelper.vbe” on my Dad’s personal laptop. By the time we noticed it it already had infected the whole House. Let aside the (pretty bad) surprise I found interesting that none of the (up to date) Antivirus were able to detect it. And, interestingly enough this virus is script based, hence easily studied. Let’s dive in it.
This first post is a purely qualitative approach, voluntarily avoiding any source reading. For a more in-depth approach, you may be interested in reading the second part of this post.
1/ Lab system
- Windows XP, in a virtual Machine
- NO updates
- NO antivirus software
Infection test was run from this VM. Analysis was performed directly on my Linux laptop with no special security as it lacks the required runtime.
When an infected USB mass storage is connected to a target system, all files on its root folder appears as shortcuts instead of plain files. This set aside, icons are as expected and “files” behaves apparently behave as expected too.
Diving a little deeper the shortcut appears to really be a shortcut:
Here is the full, plain text target:
C:\WINDOWS\system32\cmd.exe /c start iTunesHelper.vbe&start Secret" "Text" "File.txt&exit
Which basically means:
- run “iTunesHelper.vbe”
- open the real “Secret Text File.txt”
- and you’re done
Huh huh, interesting. But where are theses files located ? Turning off “Hide protected operating system files” in “Folder Options” will do the trick. Yes ! This nice piece of software pretends to be an essential piece of the Operating System. Simple and efficient way to dissimulate itself from almost all computers. Here is what one could then see:
Last but not least, the name “iTunesHelper.vbe” itself has been chosen for dissimulation. “iTunesHelper.exe” being an actual.. “iTunes background Helper”.
Long story short: The virus dissimulate itself under the name of a common software and pretending to be an essential system file. Nonetheless, it is still quite easy to suspect it’s presence as it replaces all files on the root of the drive by shortcuts.
2/ Propagation Mechanism
With all this initial analysis done it is now straightforward to guess the virus' propagation mechanism:
- System is clean
- Infected drive is inserted. Nothing happens
- A file is opened from the drive
- The virus payload is executed, then the real file is opened
- [hypothesis] The virus installs itself
- [hypothesis] The virus manages to watch for new USB drives
The last point is easy to check: Insert a clean drive and observe: files will quickly be replaced by shortcuts.
In fact the virus remains in memory. Speaking of memory, it consumes quite a lot of it… Around 1/2GB!
When the computer is rebooted, the virus is reloaded with it via the registry. Even more Ironic, being a script ran by “wscript.exe” from Microsoft, its is reported as a Microsoft program. Trustworthy? Simple and efficient.
3/ Counter measures, cleaning
All these informations gathered It is also possible to guess a way to efficiently get rid of it:
- Remove any USB drive from the computer
- Kill any “wscript.exe” process, especially if it eats up all your memory !
- Disable further automatic restarts. A tool like CCleaner will help. It will also give the path to the resident payload
- Delete the resident Payload
- Show system protected files
- For each infected drive:
- Insert it. DO NOT open any file from it
- Delete iTunesHelper.vbe along with ALL shortcuts
- Reset files to regular attributes
- Hide system protected files
Which also appears to be quite close from the real uninstall procedure, hardcoded in the virus.
4/ Last word
This Post dived into a virus from a purely qualitative point of view, following the same general approach the author used to quickly get rid of this file. All the informations from this post have been cross-verified against the virus source code which appears to be only poorly obfuscated. But that’s another topic, for a future post.
This virus has been reported to an antivirus editor. Hopefully it’s signature will quickly be added to official databases.
For a more technical approach, please read on: second part.]1