Script encoding

09/09/2000

Hi all.

First, when reading this, consider that English is not my native language, so expect some mistakes in the text. :)

I was going to submit my last worm for the zine, but well, instead of that I decided to write some things about encoded scripts (JScript/VBScript) and only use that worm as an example. With this I mean Microsoft's encoding, not other manual ways of encoding or making your code harder to read.
So this is my first article for a zine, most of my viruses/worms where included in many, but just that, not real articles or tutorials.

Script encoding in HTML files

Script encoding started with Internet Explorer 5, in that time it was possible to use the "<script>" tag of HTML files to write scripts in JavaScript, JScript or VBScript, but this version added new values for the "language" property of that tag, those values were "JScript.Encode" and "VBScript.Encode".
Examples:

<script language="JScript.Encode">

<script language="VBScript.Encode">

I said that Internet Explorer 5 started this because it included version 5 of both JScript and VBScript, which are the ones that included this new feature.

For encoding your script you need Script Encoder which is available from http://msdn.microsoft.com/scripting. This Win32 command line program will read your HTML file with a script tag having "VBScript" as it's "language" value and it will write a new HTML file with your code encoded and with the "language" attribute changed to "VBScript.Encode". Similar thing happens when using JScript.
For example, something like this:

<script language="VBScript">
  MsgBox "Example"
</script>

Will be changed to:

<script language="VBScript.Encode">#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@</script>

Have in mind that this encoding is really designed for casual readers of your code, the truth is that it's trivial and will not protect your code from people that is decided to view it.

Of course that this things are only supported in Internet Explorer, not in other browsers. Script languages are not part of the HTML language, not even the "language" attribute is part of HTML 4, the correct attribute would be "type", but well, that is another matter that is not virus related.

At the time of writing this I know only one virus using this feature in HTML files, it is HTML.Lanus which I wrote time ago. Anyway, I explained script encoding in HTML files to show how it was possible, but as we know, HTML files are not a real target for viruses since scripting in them needs authorization from the user when using most needed objects unless we are using some kind of bug to skip the warning message.

Script encoding in Windows Script Host

Windows Scripting Host 1 (also known as WSH in this text) was included for the first time in Windows 98. It supported JS (JScript) and VBS (VBScript) files to do scripting, and with this, a new type of viruses was started by Lord Natas. No encoding was possible.

Time later Windows Scripting Host changed it's name to Windows Script Host and version 2 was out. One of the things that this new version added was the possibility of encoding our scripts like it was possible with HTML files by using two new extensions, JSE and VBE.
JSE are JS files after using the encoder, the same happens with VBE and VBS.

For using the encoder with JS and VBS files is the same as with HTML files, it reads a VBS file with our script and it creates a VBE file which has our encoded script.

NETWORK/OUTLOOK.FakeHoax

NETWORK/OUTLOOK.FakeHoax is an example of script encoding in Windows Script Host. It is the first virus/worm using the JSE and VBE extension (at least not as auxiliary files), so it has two versions, one in JScript and other in VBScript.

It uses OUTLOOK and the network shares for spreading. The main code is a COM object written in XML and VBScript using Windows Script Component, so the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object defined in XML) and then both call methods and change properties of that object, no real spreading code is in those files.

The worm was written in this way to make it easier to port it to any other language, this way I was able of creating a JSE and a VBE file without really porting the main code. Also, it's possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE" to register the WSC file as a COM object before calling it's methods or changing it's properties.

This worm was written to show how JSE and VBE files could be used in viruses/worms, since before this they where only used as auxiliary files (some versions of HTML.rahC by 1nternal and OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2 or later, it won't be good spreading itself at the time of writing this.

Also, this was a good opportunity for using Windows Script Component for the first time because it made possible to write a JScript and a VBScript version without needing to port the whole code, so this is also the first virus/worm using it's own COM object.

NETWORK/OUTLOOK.FakeHoax text file including source code: network_outlook.fakehoax.txt.
NETWORK/OUTLOOK.FakeHoax ZIP file (text file and working copies of the worm): network_outlook.fakehoax.zip.

Script encoding support

When writing viruses you must know in which systems your code will work. Even that script encoding is not new, it was not a valid feature for viruses since not many systems supported it. But this is changing in this days and encoding is now possible for a worm with good spreading capabilities.

Script encoding in HTML files: supported in any system with JScript/VBScript 5+ (included in Internet Explorer 5+).

JSE and VBE files: supported in any system with Windows Script Host 2+ (included in Windows 98 SE, Windows 2000 and Windows Me).

Also, JScript/VBScript 5+ and Windows Script Host 2+ can be installed as separate packages. For example, an encoded script in a HTML file could be run in Internet Explorer 4 if JScript/VBScript 5+ separate package is installed.

Trick to run JSE and VBE files in systems with WSH version 1

By using a trick I found, JSE and VBE files can be run in systems with WSH version 1 instead of version 2 if JScript/VBScript 5+ is installed.

Let's see an example, a system has Windows 98 (not Windows 98 SE) and Internet Explorer 5 installed. WSH 2+ separate package was not installed.
So this system has WSH 1 and JScript/VBScript 5, since WSH 1 was included with that Windows version (unless it was not selected in a custom installation) and JScript/VBScript 5 was included with Internet Explorer 5.
This system is able to understand encoded scripts, it just doesn't has the JSE and VBE extension support. So to run a JSE or VBE file we can create a WSH file that calls the encoded script.

This means that instead of running a VBE file directly (not possible in the example), we can run a WSH file (which is supported in WSH 1) that runs a VBE file.

This method was used in OUTLOOK.Monopoly, the worm was a VBS file that created a WSH and a VBE file and then runs the WSH file, so the main code was encoded and it worked in the first edition of Windows 98 with Internet Explorer 5 installed. WSH 2+ was not needed in this worm.

I won't explain how WSH files work, to know more about them, create a JS file and then view it's properties, changing some of them will create a WSH file in that same directory. Then view it and play with those values. :)

Other file types in which script encoding may be used

Script encoding can be used in any file format that accepts the "<script>" tag. Anyway some file formats like WSC and WSF are not supported by the actual version of Script Encoder, but you can include encoding in those file types by creating the "<script>" tag in a HTML file and then copying the encoded code to the WSC or WSF file.
Script Encoder recognized extensions are ASA, ASP, CDX, HTM, HTML, JS, SCT and VBS.

Script encoding and viruses

You can use this feature in HTML viruses/worms even that they are not something very interesting, or you may use it in worms in JSE or VBE format, which will be better methods.

Normal viruses in JSE and VBE format are not interesting since it would be like JS and VBS viruses, there are not many files to infect since they are not used much by people, well, maybe you can find lot's of them in my computer since I'm so crazy about scripting and I use it for lot's of simple tasks, but most users don't use WSH. :)
Also, encoding won't make a file simple to infect, since it would be necessary to decode it, infect it and then encode it again.

This days there are a lot of worms in VBS files (not happening the same with JScript ones), well, all this worms could be easily encoded.

Encoding VBS files will have two advantages:

1) The code will be encoded, so it will be harder to read and most users won't do that.
2) VBS files are a known target for worms, but VBE files are not. So VBE extension is far better for them.

But there are also two disadvantages:

1) Some old systems may not be able of running VBE files.
2) The script will be a few bytes bigger. But they are only a few so this is not really a big disadvantage.

Well, that's all, let me know in case of any error you find about technical things or for any question you have.
Bye all.

Zulu
zulu_vx@techie.com
http://coderz.net/zulu