VBS file

Discussion in 'Software' started by IrOnMaN, May 2, 2013.

  1. IrOnMaN

    IrOnMaN Specialist

    This seemed like the best place to post about this. I've come across a file on my domain network. In just about all of the shares on the servers I find a W610QT.VBS file. I googled it but I didn't find anything about it. I don't want to attach the file in case it's malicious or something, but here is the code that's in it...




    Thanks for any help on this,
    KJ
     
    Last edited by a moderator: May 2, 2013
  2. GermanOne

    GermanOne Guest

    It's some kind of malware. I'm currently translating the script into something human-readable. I will PM you.

    I suggest you ask an admin to remove the source code from your post. Otherwise we leave a draft for scripters in this forum ...

    Regards
    GermanOne
     
  3. GermanOne

    GermanOne Guest

    OK that's what it tries to do:
    - copying itself as C:\Windows\System32\W610QT.VBS
    - autorun via registry
    - selfcopy to each found network drive
    - write an email to each found address in MS Outlook with the script attached

    Regards
    GermanOne
     
  4. IrOnMaN

    IrOnMaN Specialist

    I'll make sure all the servers are scanning ASAP... tomorrow morning lol. Probably lucky we aren't using Outlook, but it's still annoying to find in your drives.

    Thanks for the help!!
     
  5. GermanOne

    GermanOne Guest

    You're welcome.

    It's probably not enough to remove it from the server shares. If any client has already run the script, it will be executed automatically each time the computer starts up (in case the client had rights to write to HKEY_LOCAL_MACHINE, of course).

    Regards
    GermanOne
     
  6. Adrynalyne

    Adrynalyne Guest

    Appreciate the help, GermanOne.

    IrOnMaN, please be careful with posting that stuff here. We don't want others to get infected.
     
  7. IrOnMaN

    IrOnMaN Specialist

    Sure, next time I'll just PM it to someone that offers to look at it.
     
  8. GermanOne

    GermanOne Guest

    Don't worry, you were simply not aware it was malicious code.
    Of course you can always PM me whenever you find an obscure script :)
     
  9. IrOnMaN

    IrOnMaN Specialist

    I scanned the servers today and it did find it and remove it. I didn't see it in the registry on my computer or the server I found it on, but I'll try to check when I'm on computers at the sites. The scanner picked it up as VBS:SelfMailer-D[WRM]
     
  10. GermanOne

    GermanOne Guest

    Yeah, perhaps you're lucky and the clients don't have rights to write in C:\Windows\System32 or even HKEY_LOCAL_MACHINE. In that case it was only copied to the net drives.
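
A read-only check for the three traces GermanOne lists (the System32 copy, a registry autorun entry, copies on network drives), as an added PowerShell example that is not part of the original thread. It assumes the autorun uses the standard Run/RunOnce keys, which the thread does not name, and it only looks at the root and first-level folders of each mapped drive.

```powershell
# Added example, not from the thread. Read-only: it reports and deletes nothing.
$Name = 'W610QT.VBS'                      # file name reported in the thread
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Type, $Location, $Detail) {
    $hits.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. The local copy the script is said to create in System32
$local = Join-Path $env:windir "System32\$Name"
if (Test-Path -LiteralPath $local) { Add-Hit 'LocalCopy' $local '' }

# 2. Autorun entries. Assumption: standard Run/RunOnce keys; the thread only
#    says "autorun via registry" and mentions HKEY_LOCAL_MACHINE.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }          # key absent on this machine
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -match [regex]::Escape($Name)) {
            Add-Hit 'Autorun' "$key\$valueName" $data
        } elseif ($data -match '\.vb[se]\b') {
            # Not the known name, but a script launched at startup deserves a look
            Add-Hit 'AutorunScript(review)' "$key\$valueName" $data
        }
    }
}

# 3. Copies on mapped network drives (Win32_LogicalDisk DriveType 4 = network)
$netDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 4'
foreach ($drive in $netDrives) {
    $root = $drive.DeviceID + '\'
    Get-ChildItem -LiteralPath $root -Filter $Name -File -Force -Depth 1 `
                  -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'ShareCopy' $_.FullName $drive.ProviderName }
}

if ($hits.Count -eq 0) { "No trace of $Name found on $env:COMPUTERNAME." }
else { $hits | Format-Table -AutoSize -Wrap }
```

Run it in the logged-on user's session on each client, since mapped drives and the HKCU keys are per user; an elevated or remote session may see neither.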
     
