Download vbswg
Following the trend of featuring a set of replication methods, the VBSWG kit also offers the possibility of using the popular mIRC program as a replication platform.

If one of these drawers is found and the typical mirc. The routine itself generates a new mIRC configuration file, which includes commands to send the malicious code to other people. Afterwards, again, a simple marker is set, indicating that the ini file for the IRC client was successfully generated. This marker prevents the worm from running the same code twice. Similar functionality has been seen in various mIRC worms lately, and these similarities can easily be detected by modern heuristic engines.

This routine is nearly identical to the routine written for mIRC and should be detectable by heuristic engines without any problem. Additionally, the kit is able to generate code that spreads the worm on all accessible drives by overwriting all files found with the extensions. The files are overwritten and cannot be restored.

Speaking of the latter file type, the kit is not able to generate code that is encrypted using the Microsoft VBS encryption routines. Looking at the quality of the generated code, some lines can be seen as obsolete. Apart from that, it is written in a straightforward manner and leaves enough attack points for heuristics, such as:

Basically, this function checks within a loop whether the file from which the worm was started is still accessible via the scripting host. If not, the file is recreated from previously-read content. This routine is written using old-style "poll" techniques, but the style is again straightforward.

The kit also offers two "traditional" payloads, called "Crash system" and "Crash system2". The first payload tries to allocate a lot of memory within a recursive loop and performs string operations, which is intended to make the system run out of memory. Similar operations have been seen a few times in the macro virus field.

Within an infinite loop, new instances of the Notepad application are started. A variant. The generated worm first checks whether the standard download directory for Internet Explorer (IE) has been set. If not, the download directory is assumed to be the root directory of hard drive "c:".

Next it looks for the file to be downloaded in certain locations: the IE download directory and an additional directory. If the file is not found in either of the two locations, the IE start page is set to the URL that points to the file. As a result, at the next IE start, the file will be downloaded or opened directly, depending on user interaction.

If the file is found within the IE download directory, it is started from a special folder and the IE start page is set to a blank page.


AF is written to spread via email using the Outlook Application, but it fails to send the script code as an attachment. Therefore it sends only a clean message with the following contents:

Since the mass-mailing routine fails to send the script code as an attachment, antraxinfo.AF does not spread via email. After this the virus adds a registry key 'Antrax' and uses it as an infection marker so that it will not try to execute the mass-mailing routine again on already infected machines. The worm then randomly chooses one of four possible adult-oriented website addresses and displays it using the default web browser.
