This story was printed from ZDNet Australia.
New worm generator powers up

By Robert Vamosi
March 14, 2001
URL: http://www.zdnet.com.au/news/security/soa/New-worm-generator-powers-up/0,130061744,120208871,00.htm


This worm generator promises to take the world by storm, and damage computers along the way.

[K]Alamar loves attention. That's why the Argentinian malicious code writer has updated his infamous VBS Worms Generator. Whereas the earlier versions were ostensibly provided for "educational" purposes, this new generator promises to do some serious damage.

Even the license agreement on this beta-release freeware states that users have to agree to take full responsibility "for any damage caused by the files you could create with this program."

An earlier version of the VBS Worms Generator, version 1.5b, is responsible for creating the Anna virus last month. Anna's author, OnTheFly, didn't have to work too hard. The worm generator did most of the work. OnTheFly has since said he released Anna, which didn't damage files, to educate the public about the danger of .vbs worms like ILOVEYOU. But unlike that earlier version, [K]Alamar's new VBS Worms Generator 2 packs more of a bite.

Getting started

Version 2 of the VBS Worms Generator program is smaller, at 118Kb, than version 1.50b's 145Kb, although that may be due to better compression of the zip file. A single .exe installs and launches the program. Gone is the cluttered interface of 1.50b. Buttons across the top access the many features in this version: Startup, Email, Irc, Infect, Payload, Extras.

Figure A: Version 2 offers a slim new pop-up interface.

Features

Startup
Startup allows wanna-be virus authors to choose whether or not the worm should start with the launch of Windows, and under what name the worm should install itself in the system registry.

Email
Email allows virus writers to use Outlook to distribute their creation. This option exists to send the worm as an attachment, or within the code of an HTML-enhanced email. A box exists to create a catchy subject for the email. A larger text box allows for whatever body text should accompany the worm.

Figure B: The VBS Worms Generator's e-mail capabilities have been expanded in Version 2.

IRC
Another popular method of worm distribution is through IRC chats. Microsoft's IRC (mIRC) is a popular target.

Infect
Infect controls which files should be infected with the worm. The most popular choices of late have been .vbs and .vbe files since these scripts will execute automatically on Windows machines with Windows Scripting Host enabled once the infected user clicks on them.

Payload & extras

Payload is what happens on a machine that's been infected with a worm created by this generator. For example, a virus writer can display a message by placing an icon on the desktop, or the worm can automatically connect a user to a particular Web site. A worm can also change the registration of the software on the computer to another name. In Windows 95, 98, and Me, a worm can shut down the computer. The option exists here for any of the above activities to occur randomly or on a specified date.

Figure C: The payload options have also increased.

Extras
Extras contains the little files that make each worm created with the generator a little different from the others. For example, the option for "Anti deletion" will make it hard to remove the key files of this worm, while "Anti Registry Deletion" goes one step farther toward that goal. A lot of worms today use differing degrees of encryption. Here the virus writer has the option of using encryption or not, and if so, what kind of encryption: String encryption or Full code encryption. A new feature, Join exe, allows the virus writer to add an .exe file to the worm. For example, a virus writer might attach additional malicious code to the VBS worm, taking advantage of the worm's ability to spread quickly. A new feature for polymorphism has not been implemented in this beta release.

Be prepared

This worm generator will be used. It's not enough to deny that it's out there; consider it another warning that computers and computer users should be vigilant regarding email worms. Here are the basic steps for containing future worms generated by the VBS Worms Generator 2:

  1. Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express.

  2. Turn off Windows Scripting Host. Recent virus outbreaks have exploited known vulnerabilities in Visual Basic Scripting under Windows. To limit your risk of infection, you should turn off Windows Scripting Host.

  3. "Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as this one are being actively circulated. Even if the email is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

  4. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions.

  5. Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any top-rated program then following the installation instructions. If you're on a network, check with your network administrator first.

  6. Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

  7. Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
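
The attachment advice in step 3 can also be enforced at the mail gateway. The sketch below is an added example, not part of the original article or any vendor's product: it flags messages that carry a .vbs or .vbe attachment or VBScript inside an HTML body, the two email delivery options described under Email. The function names and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = {".vbs", ".vbe"}  # script types named in the article
# VBScript declared via either the language= or type= attribute.
VBSCRIPT_TAG = re.compile(
    r"<script[^>]*(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I)

def scan_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows ignores trailing dots/spaces; judge by the last
            # extension so a name like "photo.jpg.vbs" is still caught.
            clean = name.strip().rstrip(". ").lower()
            ext = "." + clean.rsplit(".", 1)[-1] if "." in clean else ""
            if ext in SCRIPT_EXTS:
                findings.append(f"script attachment: {name}")
        elif part.get_content_type() == "text/html":
            try:
                html = part.get_content()
            except LookupError:  # unknown charset label
                html = part.get_payload(decode=True).decode("latin-1")
            if VBSCRIPT_TAG.search(html):
                findings.append("VBScript embedded in HTML body")
    return findings

def build_sample(kind: str) -> bytes:
    """Constructed test messages; payloads are inert placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.com", "b@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    if kind == "attachment":
        m.add_attachment(b"' placeholder", maintype="application",
                         subtype="octet-stream", filename="photo.jpg.vbs")
    elif kind == "html":
        m.add_alternative(
            '<html><script language="VBScript">\' placeholder</script></html>',
            subtype="html")
    elif kind == "benign":
        m.add_attachment(b"\x89PNG", maintype="image", subtype="png",
                         filename="photo.png")
    return m.as_bytes()
```

A gateway would quarantine any message for which scan_message returns a non-empty list.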
