In association with heise online

02 August 2006, 09:36

Demo virus in Windows PowerShell


The "Ready Rangers Liberation Front" (RRLF) is at it again, making headlines with what appears to be a PowerShell virus. Almost exactly a year ago, they managed to make news with the alleged first virus for Vista. On closer examination, however, that affair turned out to concern a trivial shell script written by a novice programmer for the new Microsoft Command Shell.

In the meantime, the Microsoft Command Shell has been renamed "Windows PowerShell", prompting RRLF member sk0r to respond in the seventh issue of the RRLF magazine with "the first PowerShell Worm which changes it (sic) variable names". And yet the worm contains nothing more complex than would be found in the introductory sections of a manual, and nothing that would not be possible in any other scripting language: it overwrites files with itself, stores registry entries, and replaces variable names with random strings in an array. Files such as "Microsoft Windows Vista Cd-Key.txt.msh" in the Shared directory of the Kazaa client allow the files to be disseminated. Then, after 5 p.m., the file displays a pop-up window with a message from the author.
