VBS backdoor that spreads via USB | Joachim De Zutter
December 2013

Filename: usbAl.vbs
Filesize: 150772
MD5: e30c9abfdf3f7f63e72ec38acf3bb9d0
SHA1: f8176d562830cc80e1a81f997d1e5698bdc4fc01
SHA256: cfe69d41b6716931d0f8652823e26261e8b48b9ee44f88bad85fc3f5a55e112d
File had attributes hidden and system.


The file started with:
'  VBS CRYPT3R | By: K4YT0 K!D
'  b-a-programmer.blogspot.com

Dim Z4W7rQVxlYzzju3e

The file could easily be deobfuscated by changing the last line from:
execute Z4W7rQVxlYzzju3e
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write Z4W7rQVxlYzzju3e 
And saving the file as usbAl.modified.vbs

After this, we can run the modified vbs with:

wscript usbAl.modified.vbs

in the windows Command Prompt.

So that in decoded.vbs.txt we can see in the beginning:

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "windowsinternet.sytes.net"
port = 80
installdir = "%temp%"
lnkfile = true
lnkfolder = true
Filename: decoded.vbs.txt
Filesize: 14273
MD5: 41a0d54aafecdad8c430efc40426e33c
SHA1: f3adfa7411d99dc15e7242fae7f095bf109109f5
SHA256: 888a0554f7880cb1211c6d781c8df6eae6b04a811c44c1218e9bf7dc3a3cda9e