Back   Home   Programming   Blog  

Examples of malicious VBS code

The example VBS scripts would generally be sent as an external email attachment. All code / files passed AV scan at time of being published, click here for images of both Norton and McAfee AV scans. Please note that although these scripts passed an AV scan at time of being published a good AV program can still help against these types of Viruses/scripts if configured properly. Norton and McAfee now both trigger to VBS Viruses when the file itself is executed , not when scanned. To see images of McAfee and Norton's reaction to a VBS Virus/script file click here. What is the difference? Well, a lot of folks don't run AV software locally on their PC, they rely on the 3rd party email servers AV software (i.e. Yahoo, Hotmail)...If it will pass their scan they will run it. You see, let's say I have this script that will trigger an AV alert when scanned...one thing I could do is encode the script. So the Yahoo email server will scan that encoded gibberish and find nothing. Then the user downloads the file and executes it because Yahoo AV scan said it was ok. So the user executes this file and the first thing it does is decode itself back into it's original state then runs as usual.

If you think you may have been infected with a VBS Virus then open your task manager (CTRL ALT DEL) and go to the processes tab. and find "wscript.exe" in the process list, click here for example, now right click on the highlighted portion and choose "end process" to kill what ever script is running. Click here to see how to do this from the command line.

If you are overly  concerned about being infected by a VBS virus then you could also set the default scripting host to CScript instead of WScript at the DOS prompt. This will make a black (DOS) screen flash when a VBS script file attempts to run. To reset your default scripting host just open your DOS prompt and type in: c:\>cscript //H:CScript , this will maybe clue you in that something just happened...or you could remove Wscript host all together.

VBS/dlH -
Say hello Virus source code and executable

UPDATE: This script has been re coded and I also added a removal tool for it.

This is the source code for the Hello virus I wrote. The virus when ran will go through each directory in the infected machine and will write a 'Hello' note for each file and subfolder it finds in the directory.

View Source (Will open in new window)

VBS/dlRB -
System reboot Virus source code and executable

When this file is ran it will create a registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\. This script will then write a script file to C:\%systemroot%\system32\ called dlRB.vbs. This file (dlRB.vbs) will reboot the computer when ran and yup you guessed it...because of the registry entry this 'reboot' file runs each time the target tries to log into Windows. After the script is done it will force a system reboot.

View Source (Will open in new window)

IE browser startpage swapper Virus source code and executable

This VBS start page swapper file will change the targets I.E. browsers start page and default page settings, then it writes a basic duplicate script file in the %systemroot%\system32\ directory and adds that script file to the registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ in order to run the file on each reboot. I also added a short-cut version and information on bypassing AV scans.

View Source (Will open in new window)

VBS/dlBD -
Birthday / Timebomb Virus source code and executable

NOTICE: as of Sept. 6th, 2004 Panda AV will detect this Virus using the heuristic scan...click here for images.

This is the source code for a birthday (timebomb) virus I wrote. This VBS file when ran will:1) Check the date (This Virus is only active on my birthday therefore being classified a timebomb virus)   2) If it is NOT my birthday the file will create a rough copy of itself in %systemroot%\system32\ and then link that file to the registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ in order to run the file on each reboot. This file will continue to run on each reboot checking the date...this will continue until my birthday. Deleting the original 'host' file will NOT effect the trojanized copy.   3) If it IS my birthday the Virus will be activated. The Virus itself will search the entire machine for files ending with: .jpg, .gif, .log, .ini, .doc and .exe. When it finds a file with these extensions it will overwrite the original data with a 'happy birthday' message and then replace the current extension with a .txt extension. When it is done it will write and launch a batch file that says a happy birthday message.

View Source (Will open in new window)

Sign up for our newsletter and get a free eBook!
Twitter Get the latest, subscribe via Twitter!


Copyright © ...