H-Worm, or Houdini Worm, is a VBScript worm that uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including this FireEye article.
I will, however, point out that with the right indicators in Snort, network traffic can be used to pin down a host that may be beaconing to a known H-Worm URI structure, including the POST is-ready indicator.
I had observed one host that had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to treat this as a file of interest. This particular file had a couple of layers of obfuscation.
In this screen capture we see that the file appears to be a JPG file (although it doesn't actually display; it really appears to be garbage).
This is an attempt to get an analyst to brush it off as a malformed JPG. However, if we scroll down to the end of the file, we see something interesting.
When I delete all the garbage above this, I end up with the following VBS.
To save space here, I only included a screen capture. To give a sense of the magnitude of the aawaawaaaawaawswaaaaa string: with word wrapping removed, it is 62 pages of text.
To deobfuscate this, I took note of the Execute (awasw(aawaawaaaawaawswaaaaa)) command and replaced it with some very common, simple code.
Set objFSO = CreateObject("Scripting.FileSystemObject") ' assumed: the FileSystemObject creation was not shown in the original snippet
Set objFile = objFSO.CreateTextFile(outFile, True) ' outFile: path for the decoded output, defined earlier in the script
objFile.Write (awasw(aawaawaaaawaawswaaaaa)) & vbCrLf ' write the decoded payload to disk instead of executing it
objFile.Close
The result of this is.....
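Automating the swap described above, as an added example (not the author's code): a Python helper that drops the fake-JPG padding and rewrites every Execute(<expr>) statement into the file-write stub, so the one manual replacement generalises to any number of Execute calls. The keyword list used to find where the VBS starts, the output path, and the sample script with its stand-in awasw decoder are assumptions.

```python
import re
import sys

# Constructed sample standing in for adobe_flash_player.vbs: junk that mimics a
# JPEG header, then the VBS stub. The real awasw decoder is not reproduced; this
# stand-in just reverses the string so the sample is self-contained.
SAMPLE = (
    "\xff\xd8\xff\xe0 JFIF junk junk junk\n"
    "more junk that never displays as an image\n"
    "Function awasw(s)\n"
    "    awasw = StrReverse(s)\n"
    "End Function\n"
    'aawaawaaaawaawswaaaaa = "1 xobgsm"\n'
    "Execute (awasw(aawaawaaaawaawswaaaaa))\n"
)

# Heuristic (assumption): the real script begins at the first line that opens with
# a common VBScript statement keyword. Extend the list if a sample uses another.
VBS_START_RE = re.compile(
    r"^(?:Option Explicit|On Error|Dim|Const|Set|Function|Sub)\b",
    re.MULTILINE | re.IGNORECASE,
)
# An Execute(<expr>) statement on a line of its own; <expr> is the decoder call.
EXECUTE_RE = re.compile(r"^[ \t]*Execute[ \t]*\((?P<expr>.+)\)[ \t]*$",
                        re.MULTILINE | re.IGNORECASE)


def strip_leading_junk(text):
    """Drop everything before the first VBScript statement (the fake-JPG padding)."""
    m = VBS_START_RE.search(text)
    return text[m.start():] if m else text


def neuter_execute(vbs, out_path=r"C:\temp\decoded.vbs"):
    """Swap each Execute(<expr>) for code that writes <expr> to out_path instead."""
    def repl(m):
        expr = m.group("expr")
        return (
            'Set objFSO = CreateObject("Scripting.FileSystemObject")\n'
            'Set objFile = objFSO.CreateTextFile("' + out_path + '", True)\n'
            "objFile.Write (" + expr + ") & vbCrLf\n"
            "objFile.Close"
        )
    return EXECUTE_RE.sub(repl, vbs)


def rewrite_script(text):
    """Full pass: strip the padding, then neuter every Execute call."""
    return neuter_execute(strip_leading_junk(text))


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="latin-1").read()  # latin-1 keeps junk bytes intact
    sys.stdout.write(rewrite_script(src))
```

Run the rewritten script under cscript in an isolated analysis VM; the decoded layer lands in the output file rather than executing, and the pass can be repeated for each further layer.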
Hopefully others find this simple deobfuscation method useful. Happy hunting!