
aToad #19: script to encode/decode a VBS

Bummer, just got myself a little virus while cleaning up a USB key a little carelessly :s
Most anti-viruses fail to catch it (VirusTotal reported about 3 to 6 detections out of 56 anti-viruses, depending on the file), probably because it’s not that nasty. All it seems to do is copy itself into D:\$RECYCLEBIN (note the name: just slightly different from the real D:\$RECYCLE.BIN folder) and onto USB keys (you might want to check other external storage devices, too), and of course add itself to startup via wscript.exe. More specifically, it runs this at the end:
WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VideoLAN","C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\$RECYCLEBIN\Vlc.rar","REG_SZ"
WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\C-cleaner","C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\$RECYCLEBIN\Adobe.rar","REG_SZ"

It also tries to create new shortcuts to your browser(s), so that when you launch a browser through one of those shortcuts it opens some page of the site chercheztout[dot]com. Yes, apparently it’s all about getting a few bucks out of Google Search, geez…

These Vlc.rar, Skype.rar and Adobe.rar files are all actually encoded VBS files. And here comes the tool this post is about: this script by arnavsharma on Microsoft TechNet was very useful to me, as I was able to decode all the files after simply changing their extension from .rar to .vbe.

Last but not least, to delete this virus, all I had to do was:
– remove the run entries
– remove the files from D:\$RECYCLEBIN
– remove the files from the USB key (both the files in $RECYCLE.BIN and some shortcuts called “dossier” and “nouveau dossier”)
– actually, I even formatted the USB key after that, but I don’t believe that was really necessary
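As an added example (not part of the original post, and unrelated to the TechNet decoding script), here is a small Python check that flags Run-key values showing the persistence pattern quoted above: a script host forced into the VBScript.Encode engine, a target with a non-script extension such as .rar, and a folder named to resemble $RECYCLE.BIN. The registry values are a constructed sample embedded in the code; reading the live HKLM Run key is assumed to be done separately.

```python
import re
import shlex

# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> command):
# the two entries quoted in the post plus two benign ones for contrast.
SAMPLE_RUN_VALUES = {
    "VideoLAN": r"C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\$RECYCLEBIN\Vlc.rar",
    "C-cleaner": r"C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\$RECYCLEBIN\Adobe.rar",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Backup": r"C:\WINDOWS\system32\wscript.exe C:\Scripts\nightly.vbs",
}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Extensions a script host is normally handed; .rar only runs because /e: forces an engine.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def lookalike_recycle_bin(path):
    """True if a path component mimics $RECYCLE.BIN (e.g. $RECYCLEBIN) without being it."""
    for part in re.split(r"[\\/]", path.lower()):
        if part != "$recycle.bin" and re.sub(r"[^a-z0-9]", "", part) == "recyclebin":
            return True
    return False


def suspicious_run_entry(command):
    """Return the reasons a Run value matches the post's pattern; empty list = not flagged."""
    cmd = command.lower()
    if not any(host in cmd for host in SCRIPT_HOSTS):
        return []
    # posix=False keeps backslashes intact; the last token is taken as the script path.
    tokens = shlex.split(command, posix=False)
    target = tokens[-1].strip('"') if len(tokens) > 1 else ""
    reasons = []
    if "/e:vbscript.encode" in cmd:
        reasons.append("forces the VBScript.Encode engine")
    if target and not target.lower().endswith(SCRIPT_EXTS):
        reasons.append(f"script host runs a non-script extension: {target}")
    if lookalike_recycle_bin(target):
        reasons.append("target sits in a folder mimicking $RECYCLE.BIN")
    return reasons


def scan_run_values(values):
    """Map each flagged Run value name to its reasons; clean entries are omitted."""
    flagged = {}
    for name, command in values.items():
        reasons = suspicious_run_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `scan_run_values(SAMPLE_RUN_VALUES)` flags only the VideoLAN and C-cleaner entries, each with all three reasons; the benign wscript.exe entry running a plain .vbs is left alone.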

Posted in A Tool A Day.
