Decoding H-Worm

H-Worm or Houdini Worm is a VB Script which uses obfuscation techniques in an attempt to hide  code. I'm not here to reinvent the wheel, there's already good articles on H-Worm, including This Fireeye article.

I will however point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator.

I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my snort signature, I decided to look at this as a file of interest. This particular file had a couple layers of obfuscation.

In this screen capture we see the file appears to be a JPG file (although, it doesn't actually display, it really appears to be garbage)

This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting.

When I delete all the garbage above this I end up with the following VBS.

For the purpose of saving space here, I only included a screen capture. To understand the magnanimity of of the aawaawaaaawaawswaaaaa string, if taking away wordwarpping it is 62 pages of text.

To deobfuscate this I took note of the Execute (awasw(aawaawaaaawaawswaaaaa) command and replaced it with some very common simple code.

Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write (awasw(aawaawaaawaawswaaaaa)) & vbCrLf

The result of this is.....

Hopefully this simple method for deobfuscating is found to be useful to others. Happy hunting!