Demo virus in Windows PowerShell
The "Ready Rangers Liberation Front" (RRLF) is at it again: they have made headlines again with what appears to be a PowerShell virus. Almost exactly a year ago, they managed to make news with the alleged first virus for Vista. On closer examination, however, the whole affair turned out to concern a trivial shell script written by a novice programmer for the new Microsoft Command Shell.
In the meantime, the Microsoft Command Shell has been renamed the "Windows PowerShell", prompting RRLF member sk0r to respond in the seventh issue of the RRLF magazine with the "the first PowerShell Worm which changes it (sic) variable names". And yet, the worm does not contain anything more complex than would be found in the introductory sections in a manual or anything that would not be possible in any other script language: it overwrites files with itself, stores registry entries, and replaces variable names with random strings in an array. Files such as "Microsoft Windows Vista Cd-Key.txt.msh" in the Shared directory of the Kazaa client allow the files to be disseminated. Then, after 5 p.m., the file displays a pop-up window with a message from the author.
- MSH/Cibyz!p2p McAfee's description