WinScript.Rabbit - 10 Strings Going To Shake The World!

03 Nov 1998
Virus News

New computer virus is written in Windows command language! Will it be the real nightmare for users of the Internet?

The last week of October 1998 brought a real surprise in the computer world. Kaspersky Lab Int. experts detected a computer virus using new methods of contamination and infecting Windows scripts (programs written in Windows command language). When started this virus looks for other files (scripts) on the disk and substitutes them with its copy. But the most dangerous feature of this virus is that it is capable to transmit itself via the Internet � the most advanced browsers execute infected scripts on a local computer even when they are located on the remote Web server.

The concept of this type of virus was earlier implemented in several viruses for UNIX. In the late 80ties viruses that were written in the command language of UNIX clones became a real curse for global computer networks. The most famous members of this family were network worms called Christmas Tree, HI.COM and Wank Worm. This new Windows script-virus may well become the patriarch of the new family of network worms.

The detected virus is the first known virus infecting Windows scripts. Its structure is very simple and contains about 10 commands. This virus might well be just the first attempt to write a virus of this kind of one of the virus-writers participating in vary famous hacker club of CodeBreakers. There are a set of inaccuracies that immediately unmask this virus once it appears within a system: when started from the remote Web server this virus infects all the files in the browser cache and copies them onto the computer Desktop � the browser working directory. At that the computer Desktop turns out to be filled with icons of infected scripts � the virus reproduces itself as a rabbit, that is why it was named WinScript.Rabbit.

Despite of all these inaccuracies and the simplicity of the code this virus is a potential threat for users of the Internet. Its mechanism of self-distribution is based on the powerful features of contemporary global networks. This virus might well be taken as a model for the new viruses that will adopt the same method of self-distribution.

We expect many more new viruses of this type infecting not only scripts but also other elements of Windows OS and also Web servers. This virus is capable of working under all versions of Windows32 (Windows95/98/NT) where Microsoft Scripting Host can be found. Script-support is a standard feature of Windows98 and NT 5.0. Other versions of Windows and Windows NT may obtain this feature through updates.

For the purpose of self-protection we strongly recommend all users Windows 95/98/NT to install the browser add-in from Kaspersky Lab. AntiViral Toolkit Pro (AVP) for browsers will protect you from all the ever-detected script viruses. This protection is included in the last AVP update.

In the nearest future Kaspersky Lab plans to release AVP Inspector for Web Server � special version of our reliable antivirus program that will monitor all the changes within Web sever pages.

WinScript.Rabbit Technical Description