Actions by .vbs and .bat Files Monitored by Viruscope But Not Reversed [M1157]

A. THE BUG/ISSUE (Varies from issue to issue)
Can U reproduce the problem & if so how reliably?:
Every time
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: I ran the virus on the default settings for CIS (except that Viruscope was enabled)
2: After running, the virus had spread all over the external USB disk
3: The virus put shortcuts in My Apps, and opening any shortcut also automatically starts the virus
4: After testing this I killed the process using KillSwitch, choosing "terminate tree and reverse"
5: However, not all actions were undone.
One or two sentences explaining what actually happened:
The vbs file, although monitored by Viruscope and not trusted, was allowed to make actions which were not undone using terminate tree and reverse.
One or two sentences explaining what you expected to happen:
If monitored, the actions of all files should be able to be undone if “terminate tree and reverse” is selected.
If a software compatibility problem have you tried the conflict FAQ?:
NA
Any software except CIS/OS involved? If so - name, & exact version:
NA
Any other information, eg your guess at the cause, how U tried to fix it etc:
After extensive testing of Viruscope it appears that it does not support reversal of the extensions vbs and bat. bat has been tested more than once and with more than one sample, and in each test the actions were not reversed. This is shown in the attached video.

Looking at Show Activities shows that Viruscope monitored the actions of each sample of type bat or vbs, but when you use “terminate tree and reverse” in KillSwitch you find that it does not reverse any of the events that were left behind by the sample.

I think the reason this bug may occur is because this extension type works through other processes which are trusted, such as in this case wscript.exe, where the sample works by executing its commands through the process wscript.exe.

test inside sandbox (*vbs)

test outside sandbox (*vbs)

test outside sandbox (*bat)

B. YOUR SETUP
Exact CIS version & configuration:
CIS 7.0.317799.4142
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Default configuration (except Viruscope is enabled)
Have U made any other changes to the default config? (egs here.):
Just enabling Viruscope
Have U updated (without uninstall) from CIS 5 or CIS6?:
No
if so, have U tried a clean reinstall - if not please do?:
NA
Have U imported a config from a previous version of CIS:
No
if so, have U tried a standard config - if not please do:
NA
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
On a real system, Windows 7 x64
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None b=None

Can you please specify what you mean when you say that all events were not cleared?

Thanks.

The worm copies itself to a single external disk and makes shortcuts, but the option “terminate tree and reverse” does not clean the shortcuts, and also a worm that copies itself has

I believe that undoing things like creation of new files and shortcuts is part of VirusCope. Thus, after it is improved in the next version I hope that this option in KillSwitch will be updated to remove these as well. However, for now I do not believe that it is not intended that behaviors like this are undone through KillSwitch.

That said, although I hope this will be implemented in a subsequent version, I do think it would be a good idea to submit a Wish Request for this.

Is my understanding of this issue correct? If so I will move this to Resolved.

Thanks.

The worm copies itself, but the option “terminate tree and reverse” does not delete the copied worm, although it was designed for this purpose. Maybe this feature was not designed to delete the shortcuts, but it’s certainly designed to delete any created file and also copied files, because they are affiliated with the original file.

I’m currently looking into whether this is intended behavior or not. Also, please post a screenshot where you see the option “terminate and reverse”.

Thanks.

Also, do you have Viruscope enabled? The only way I can get this terminate tree and reverse option is if I enable Viruscope.

Please watch the video at minute 3:00; the video answers all your questions.

Sorry it’s been so long since I last responded. Things have come up which have drastically taken away my time such that I was unable to respond until now. I hope you understand.

My understanding is that there was no Viruscope alert. However, the file was sandboxed.

My understanding of how it works is that currently sandboxed files are not monitored by Viruscope. I don’t believe trusted files are either. Therefore, what seems very strange to me, and what I noticed on my own computer, is that all files have that “terminate tree and reverse” option as soon as Viruscope is enabled, regardless of whether they were monitored by it or not. I would consider this a bug.

Would you agree that this is likely the bug you have encountered? By that I mean that a file which was not actually monitored by Viruscope was still shown the option of reversing the actions (which is impossible if it wasn’t monitored in the first place).

Thanks.

PM sent.

Thanks

What I have noticed, and perhaps you can double-check this on your own system is this. First disable Viruscope. Then restart your computer. Then, after restarting, check KillSwitch. You will see that there is no option to “terminate tree and reverse” shown. This makes sense because Viruscope was disabled, so it isn’t possible for anything to be monitored.

However, now enable Viruscope. Then, without restarting the computer, go to KillSwitch. You will see that every process now has that option, regardless of whether it is run in the Auto-Sandbox, trusted, or even a critical Microsoft file.

Do you see this behavior on your system as well? If so then I believe the underlying bug is that this option is shown for all objects if Viruscope is enabled, regardless of whether they were monitored or not. This would therefore cover all behaviors I have seen related to this.

What do you think?

Hi Chiron

Please watch this video and also the attached picture.
The test was outside the Sandbox and, as you can see, Viruscope monitored the sample but did not clear the events.


I watched most of the video. I’m confused about one thing. You ran belle.vbs. However, after that the events were for wscript.exe (which KillSwitch marked as Trusted). What is wscript.exe and how is it related to belle.vbs? Let’s see if we can narrow down exactly what’s happening for this situation.

Thanks.

The process wscript.exe runs the vbs extension; “*vbs” is run through the process wscript.exe.
Likewise for “*bat”.

Please see the picture in the previous post; you will notice that the process wscript.exe is the one that ran the sample.


Sorry, I am inquiring with others about this issue. I’ll respond when I have more information. Don’t worry, I haven’t forgotten it. :wink:

Hi Sal

Yes, belle.vbs is an interpreted file that is run on the MS wscript.exe runtime.

The KillSwitch display of such a file can be unhelpful.

Please try reversing belle.vbs, which is the file that should be detected (if it did something recognised), and see what happens.

Please also post an active process list and killswitch display of the complete virus process tree when it is depositing its files. You may need to fiddle with refresh rates to catch it.

There are some limits on files other than .exe, esp. when run directly off explorer.exe, and we may be hitting those.

Also if you think about it VS cannot determine where in any tree the virus starts. It only knows what process it detects, which is the highest one in any process calling tree which exhibits any part of the virus activity it detects (from my experiments).

Many thanks in anticipation

Best wishes

Mike

There is no process under the name belle.vbs, only the process wscript.exe.

All commands in the sample belle.vbs are implemented by the process wscript.exe.

The active process list is supposed to display such files as virtual processes, but you cannot reverse it from there, so I see the problem.

Does the vbs file, or rather wscript on its behalf, run anything else? I think that link is only some of its activities?

Does it reverse any of its activities?

Best to post the Active process List display and we can work on it from there.

I think this is probably due to the fact that it runs (or wscript runs it to be strictly correct) directly in the context of explorer.exe. In my experiments, activities partly carried out by a batch file executed by (ie run on a command processor invoked from) an unknown .exe file got reversed, those executed by a batch file ‘running’ (ie run on the command interpreter, which ran) directly from explorer.exe did not.

This I understood to be ‘by design’ in the current build sequence. Though of course correcting this is a valid wish or debatable. Personally I’d see it as ‘unanticipated by users’ so reportable as a bug which they will no doubt make a debatable when they process it in the tracker.

Anyway, let’s see what the APL screenie, taken when it is dropping files, looks like.

Best wishes

Mouse
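As an added illustration (not code from this thread, from Comodo, or from KillSwitch), the PowerShell snippet below builds the kind of process-tree listing Mike and Mouse ask for: it finds the script-host processes, recovers the interpreted script path from each host's command line, and walks the parent chain so a bare wscript.exe entry can be tied back to belle.vbs and to whether it was launched from explorer.exe or from another executable. The use of Win32_Process, the list of host names and the script extensions are my assumptions, not something the thread states.

```powershell
# Added example: attribute script-host processes (wscript.exe, cscript.exe,
# cmd.exe) back to the script they interpret and to their parent chain.
# A .vbs or .bat sample never appears as its own process; only the host does,
# which is why a process list alone can hide what actually ran.
# Assumes Windows PowerShell 5.1+ with CIM access to Win32_Process.

$scriptHosts = @('wscript.exe', 'cscript.exe', 'cmd.exe')   # assumed host list
$scriptExts  = 'vbs|vbe|js|jse|wsf|bat|cmd'                 # assumed extensions

# Snapshot the process table once so all parent lookups use the same view.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId)
    # Walk ParentProcessId upwards. PIDs are reused after a parent exits,
    # so a stale parent id may point at an unrelated process; the $seen
    # guard at least stops a reused id from creating an endless loop.
    $chain = @(); $seen = @{}
    $cur = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += ('{0}({1})' -f $cur.Name, $cur.ProcessId)
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    return ($chain -join ' <- ')
}

function Get-ScriptHostProcesses {
    # Script path is only visible in the command line, e.g.
    #   "C:\Windows\System32\wscript.exe" "E:\belle.vbs"
    #   cmd.exe /c E:\dropper.bat
    # Group 1 handles a quoted path (may contain spaces), group 2 an unquoted one.
    $re = '"([^"]+\.(?:' + $scriptExts + '))"|(\S+\.(?:' + $scriptExts + '))'
    foreach ($p in $procs) {
        if ($scriptHosts -notcontains $p.Name) { continue }
        $script = $null
        if ($p.CommandLine -and ($p.CommandLine -match $re)) {
            $script = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }
        [pscustomobject]@{
            Host        = $p.Name
            PID         = $p.ProcessId
            Script      = $script          # $null: host started with no script file
            ParentChain = Get-ParentChain -ProcessId ([int]$p.ProcessId)
        }
    }
}

Get-ScriptHostProcesses | Format-Table -AutoSize
```

A chain ending in explorer.exe, as opposed to one passing through an unknown .exe, is exactly the distinction Mouse's batch-file experiments turn on, so capture it while the sample is still dropping files.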