recvfrom / contributor

Proof-of-Concept for a program to help people contribute to Snort/ClamAV
https://recvfrom.github.io/contributor/

VBScript found in a Windows PE - ZZNet Worm #3

Open recvfrom opened 5 years ago

recvfrom commented 5 years ago

Overview

Analyze the ZZNet Worm and write a ClamAV signature that detects it.

Proposal

The VBScript has ASCII art that says "ZZNet Worm", and I couldn't find any prior reporting on it. It appears to facilitate infection by registering a debugger for several processes, and appears to spread itself to USB devices.

This is from a binary created with VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS (so, we need a signature on the script contents itself).

Technologies Involved

Expected Difficulty

Technical Info

PEs containing the VBScript:

7ae3b394c5aed4f4ba9b60db668b2e0ad6ba7e91fa298a9847cfd6e8a96e0d7f

Use clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file" to extract.

Link to download the sample: https://malshare.com/sample.php?action=detail&hash=b3bf11613c07eb87df9ecb8a259058d5

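The issue asks for a signature on the script contents rather than on the VbsEdit PE wrapper. The following is an added example, not code from the contributor project or from ClamAV: it builds a ClamAV logical signature (.ldb line) from literal strings, then checks the line against a constructed VBScript stand-in. The stand-in script, the indicator strings, and the signature name `Vbs.Worm.ZZNet.Example-0` are assumptions that only mimic the behaviours named above (the "ZZNet Worm" banner, an Image File Execution Options debugger entry, copying to removable drives); the real sample is not reproduced here.

```python
"""Build and self-check a ClamAV logical signature (.ldb) for script contents.

Added example, not part of the contributor project. The script body, the
indicator strings and the signature name are constructed stand-ins.
"""
from __future__ import annotations

import re

# Constructed stand-in for an extracted VBScript. It is NOT the ZZNet sample;
# it only imitates the three behaviours described in the issue.
SAMPLE_VBS = r'''
' ZZNet Worm
Set sh = CreateObject("WScript.Shell")
key = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
sh.RegWrite key & "taskmgr.exe\Debugger", WScript.ScriptFullName, "REG_SZ"
Set fso = CreateObject("Scripting.FileSystemObject")
For Each d In fso.Drives
    If d.DriveType = 1 Then fso.CopyFile WScript.ScriptFullName, d.DriveLetter & ":\autorun.vbs"
Next
'''


def hexsig(s: str) -> str:
    """Encode a literal ASCII string as a ClamAV hex subsignature."""
    return s.encode("ascii").hex()


def build_ldb(name: str, literals: list[str], expr: str | None = None,
              target: int = 0) -> str:
    """Compose one .ldb line: Name;TargetDescriptionBlock;LogicalExpression;Subsig...

    By default every literal must be present (AND of all subsignatures).
    Target:0 means "any file type", so the raw extracted script is matched.
    """
    if expr is None:
        expr = "&".join(str(i) for i in range(len(literals)))
    return ";".join([name, f"Target:{target}", expr, *map(hexsig, literals)])


_EXPR_TOKEN = re.compile(r"\d+|[&|()]")


def matches_ldb(sig: str, data: bytes) -> bool:
    """Minimal evaluator for the AND / OR / parentheses subset of ClamAV logic.

    Matches subsignatures as plain byte strings; match counts, offsets and
    wildcards are not handled, so anything else in the expression is rejected.
    """
    _name, _tdb, expr, *subsigs = sig.split(";")
    if not re.fullmatch(r"[\d&|()]+", expr):
        raise ValueError(f"unsupported logical expression: {expr}")
    present = [bytes.fromhex(h) in data for h in subsigs]
    py = []
    for tok in _EXPR_TOKEN.findall(expr):
        if tok.isdigit():
            py.append(str(present[int(tok)]))
        else:
            py.append({"&": " and ", "|": " or "}.get(tok, tok))
    # The string now contains only True/False/and/or/parentheses.
    return bool(eval("".join(py), {"__builtins__": {}}, {}))


# Assumed indicators: each mirrors one behaviour from the issue text.
INDICATORS = [
    "ZZNet Worm",                     # the banner in the ASCII art
    "Image File Execution Options",   # IFEO key used to register a debugger
    "\\Debugger",                     # the IFEO value that hijacks process start
    "DriveType = 1",                  # FileSystemObject: 1 = removable drive
]
SIGNATURE = build_ldb("Vbs.Worm.ZZNet.Example-0", INDICATORS)

if __name__ == "__main__":
    print(SIGNATURE)
    print("sample matches:", matches_ldb(SIGNATURE, SAMPLE_VBS.encode()))
    print("benign matches:", matches_ldb(SIGNATURE, b'MsgBox "hello"'))
```

To try the generated line for real, write it to a file ending in `.ldb` and run `clamscan -d zznet.ldb <extracted temp file>` against the scripts left behind by `--leave-temps`; `sigtool --decode-sigs < zznet.ldb` prints the decoded subsignatures so typos in the hex are visible before scanning. Requiring all four literals keeps the signature specific to this family; a looser expression such as `0|(1&2)` is possible, but the banner plus the IFEO pair is what ties the detection to the behaviour the issue describes.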
demonduck commented 5 years ago

This looks really interesting! I would like to work on this.