What Is VBS Malware?



Any program or software that is harmful to your device is malware. There are different types of malware that affect different parts or systems of your device; one such type is VBS malware.

VBS stands for Visual Basic Script and is a third-generation programming language. The primary purpose of using VBS malware is to control the computer as soon as it’s loaded into memory. VBS malware tries to delete specific files from your system.

This article will look at a sample VBS malware that tries to delete files on the computer it’s running on.

Why Would Two Programs Want To Delete Each Other?

Many people probably make VBS malware, and hackers fight about who has more right over their creation! Also, some bugs were found in VBS earlier, so now they’re just deleting any VBS file they encounter. VBS malware is still in its early stages, and I think we can expect even more exciting things from VBS soon.

What Does The VBS Script Do?  

VBS malware has two VBS scripts inside the VBS file. One VBS script aims to delete specific files from your computer, while another VBS script is just for show, meaning it doesn’t do anything at all.

  • VBS script 1 (attempts to delete files)
  • VBS script 2 (nothing, VBS malware just shows it)

How VBS Malware Script Works

VBS malware gets executed when you double click on a VBS file.

VBS Script 1 (Attempts To Delete Files)

VBS malware then deletes the VbsExecute file and automatically starts VbsHddVirus. 

VBS Script 2 (Nothing, VBS Malware Just Shows It)

VBsHddMalware

VBS malware then creates a VBS Malware folder on your Desktop and places a VbsExecute file into that VbsHddMalware folder.

VbsExecute

VBS malware deletes the VbsExecute file and starts VBsHddMalware by running VBsHddMalware. The VBsHddMalware VBS file is another VB script, which VBS malware starts when it’s done applying the changes made to your computer, meaning after you’ve given permission for VBS files to delete some files on your computer (and they did). The VbsKillFileList VBS file is also a VB script, which VBS malware creates when started.

How To Prevent VBS Malware

VBS malware is spread through infected VBS files, so if you want to prevent VBS file infection, always check what the VBS file does before executing it.

Check which VB script gets executed by running the following command:

White list example: [“cscript”, “vbselpm.vbs”, “Get”, {“whitelist”: “your white list”}]:

['cscript vbselpm.vbs', 'Get', {Whitelist: your whitelist}, 1];

Black list example:

 [“cscript”, “vbselpm.vbs”, “Get”, {“blacklist”: “your black list”}] 

VBS malware deletes the VbsExecute file and VBsHddMalware folder as soon as it’s executed, so VB should be prevented from executing VBS files first, then VBS malware will not harm your computer.

How To Recognize VBS Files

The first thing you need to do is check whether a file you downloaded is a VBS file or an EXE/PDF/DOC/XLS, etc. To see which extension a VB script has associated with it, type ‘[assoc .vbscript]’ in the cmd line; this will return ‘VBScript’, as a VB script has the VBS extension. VB malware usually comes as a VBS file, but sometimes it comes as an EXE file.

How To Remove VBS Malware

1) If you’ve opened a downloaded infected PDF/DOC/XLS, etc. and got your computer infected with VB malware, then all you need to do is rename the VBsHddMalware folder on your Desktop to VBsHddVirus and the VbsExecute file on your Desktop to VBsHddVirus.

2) If VBS malware came as VBS, then renaming VBsHddMalware will only work if the script that deletes the VbsExecute file is already deleted, meaning you might be required to run the ‘[tasklist / m o c u s b ]’ command first.

After running ‘tasklist /m o c u s b’, VBS malware should not delete all of its files because it can’t find the VbsExecute file anymore, so you will still be able to rename VBsHddMalware to VBsHddVirus.

If renaming the VBsHddMalware doesn’t work, you might need to restart in Safe Mode by pressing F8 when your computer starts up, choosing ‘Safe Mode with networking’ and finally renaming the VBsHddMalware in Safe Mode.

You can also try to use the ‘[taskkill /f /t] tasklist.exe’, ‘[reg import “HKLM\Software\Microsoft\Windows NT\CurrentVersion”] [DWord] DisableTaskMgr’, and ‘[rundll32.exe user32.dll,LockWorkStation]’ commands to disable VB malware, which might help you rename VBsHddMalware to VBsHddVirus.

After renaming the VBsExecute file, you should restart your computer and check if the problem is resolved. If not, then type ‘[tasklist / m o c u s b ]’ again in the cmd line and make sure VB malware isn’t running anymore by looking at the ‘State’ column of the returned task list. After doing that, run the ‘[rundll32.exe user32.dll, LockWorkStation]’ command, also in the cmd line. You can also try ‘[Delete] VBScript.Autorun’.

After doing that, you should be able to rename VBsHddMalware to VBsHddVirus (as noted above, VBS malware deletes the VbsExecute file and VBsHddMalware folder as soon as it’s executed, so VB should be prevented from executing VBS files first; then VBS malware will not harm your computer).

3) If you’ve got your computer infected by opening a downloaded VBS file, then follow the following steps.

Step 1

Type ['attrib -h', {"filename": filename}], where filename is the name of the file that has vbscript.exe written next to it. This will not delete the file. Instead, it will put vbscript.exe into the hidden state so that Windows does not execute it anymore (now, only if you upgrade your Windows or do an update, etc. will VB break out of its hidden state).

Step 2

Type in ['attrib -s', {"filename": filename}], where filename is the name of the file that has vbscript.exe written next to it; this will make the file read-only.

Step 3

Type in ['attrib -h', {"filename": filename}], where filename is the name of the file that has vbscript.exe written next to it; this will put VBsHddMalware VBsKillFileList VbsHddVirus VbsHddMalware folder VbsExecute VBsHddMalware VBsKillFileList VbsHddVirus

Step 4

Delete the file filename, which had vbscript.exe written next to it.

If you can’t see hidden files, then type ['attrib -h', {"filename": filename}], where filename is the name of the file that has vbscript.exe written next to it.

After deleting VBS malware, please restart your computer in normal mode; the Malware remediates you.

Conclusion

With VBS, you can create movies, animations and play games, but also do malicious stuff like deleting files, stealing sensitive information, etc. By using a VBS, you can spawn new processes, create mutex objects and much more.
