September 2002

Visual Basic Virus

By Carol Robbins

All computer viruses, without exception, are programs, just like a word processor, a computer game or the application used by a bank to process electronic transfers. The difference, however, lies in the actions that these programs carry out. While these examples are designed to offer a beneficial service to the user, the payload of a virus normally involves reproducing itself and carrying out some sort of damaging action on the victim's computer.

To create a virus that worked and could enter users' PCs undetected used to require not just a large helping of malevolence, but also a considerable knowledge of computer programming. It was no easy task.

For some time now, however, there has been an abundance of viruses written in simple programming languages. One of these languages, Visual Basic, is easy both to learn and to put into practice. Despite the obvious differences, this language is similar in many ways to the old DOS batch language used with .BAT files.

Visual Basic scripts are generated in Microsoft Visual Basic Scripting Edition, part of Microsoft's Visual Basic programming language. It is light, fast and portable and can be used in web browsers. Programs written in this language are able to access numerous Windows functions, from simply opening or closing files to complex operations such as sending e-mails, shutting down the system and many others.

The first programs to use Visual Basic internally were Microsoft Office applications. Some ten years ago, macros could be programmed in Word 2.0, for example, in Visual Basic. Later, with the launch of Office 4.2, this possibility was fully implemented in Word 6.0 and Access 2.0. Later the facility was included in other Microsoft applications, as well as those of other software producers. With Windows 98 and Internet Explorer, the script interpreter is integrated directly in the system. This implies that viruses written in Visual Basic will be able to function throughout Microsoft architecture, giving them enormous propagation potential.

The great ease with which this language can be learned and used has prompted many virus writers to use Visual Basic. The most famous example was the infamous 'I LOVE YOU' virus. A closer look at the code of this virus, or any other in VBS, reveals that this language uses terms that are in essence quite simple, and which could give even the layman an idea about how the virus works. This probably explains why so many viruses are being written in this language.

These viruses not only use e-mail as a channel for spreading rapidly but are now increasingly using IRC or 'chat' channels. With millions of users worldwide, most of whom are oblivious to the threat of infection, IRC is becoming one of the most popular mediums for virus propagation.

The first VBS virus to have a significant impact was Melissa. This virus was spread in a Microsoft Word document supposedly containing the passwords for access to certain Internet porn sites. Once the user opened the document, the Visual Basic code would run Microsoft Outlook and send itself to the first 50 addresses in the address book. Despite this 'limitation', the virus spread like wildfire.

This system of virus programming was quickly taken up by others, albeit in a number of different forms. Bubbleboy included two malicious innovations: the ability to execute when the message was viewed in the preview pane and the formatting of the hard disk without the user realizing.

The Loveletter virus (I Love You) is another example of a virus written in Visual Basic. Its code could be written on a single sheet of paper, yet it caused more widespread damage than any other virus to date. The devastation caused by this virus made headlines around the world on May 4, 2000, and many companies were forced to suspend e-mail services due to the avalanche of infected e-mail traffic.

So what was behind the incredible virulence of this malicious code? Basically two things. The first was the perfect bait for getting people to open an e-mail: a love letter. Perhaps nowadays it's not so common for someone to say 'I love you'.

The second factor was the ability of the virus to resend itself to all addresses in the victim's address book. Bearing in mind that a medium-sized company may well have hundreds of contacts listed in its e-mail address books, not to mention employees' personal address books, the scope for rapid worldwide propagation is daunting.

The continuation of these types of viruses in the future is assured. With many training centers using Visual Basic as an introductory system for programmers, this could easily become a breeding ground for future virus writers.

The best solution to avoid infection from this type of virus is, obviously, to have a reliable antivirus installed and ensure that it is permanently up-to-date. In the light of the rapid spread of viruses like 'I Love You', which propagate globally in a matter of hours, nothing short of daily updates is sufficient to ensure computers remain out of the reach of malware.

However, another factor must be taken into account: the antivirus should warn of the existence of dangerous scripts. Even if an antivirus is not updated, the application's scan engine should include heuristic script scanning to ensure that it is capable of detecting completely new Visual Basic viruses. This is the only real guarantee of complete protection. Security technology needs to anticipate threats, not just react to them. To this end, heuristic scan engines are as important to all computer users as keyboards, screens or any other component. Insufficient heuristic protection could mean the potential loss of all the information on a system.
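
To show what heuristic script scanning means in practice, here is a small scanner that scores a script by the capabilities it references rather than by a known signature. It is an example added to this article, not code from any antivirus product; the indicator patterns, weights, threshold and both sample fragments are assumptions constructed for the illustration.

```python
import re
# Indicators follow the behaviours the article describes. The patterns,
# weights and threshold are assumptions chosen for this example.
INDICATORS = {
    "file_access":    (r"scripting\.filesystemobject", 1),
    "self_reference": (r"wscript\.scriptfullname", 2),
    "mail_client":    (r"outlook\.application", 2),
    "address_book":   (r"\.addressentries|\.addresslists", 3),
    "attachment":     (r"\.attachments\.add", 2),
}
# Combinations of capabilities weigh more than any single indicator.
COMBOS = {
    "mass_mailer": ({"mail_client", "address_book", "attachment"}, 5),
    "self_copy":   ({"file_access", "self_reference"}, 3),
}
THRESHOLD = 10

def normalize(source):
    """Lower-case, drop comment lines, undo trivial string splitting."""
    kept = []
    for line in source.splitlines():
        stripped = line.strip().lower()
        if not stripped.startswith(("'", "rem ")):
            kept.append(stripped)
    text = re.sub(r"\s+_\s*\n\s*", " ", "\n".join(kept))  # line continuation
    return re.sub(r'"\s*[&+]\s*"', "", text)  # "Outlook" & ".Application"

def scan(source):
    text = normalize(source)
    found = {n for n, (pat, _) in INDICATORS.items() if re.search(pat, text)}
    combos = sorted(n for n, (need, _) in COMBOS.items() if need <= found)
    score = sum(INDICATORS[n][1] for n in found) + sum(COMBOS[n][1] for n in combos)
    return {"score": score, "indicators": sorted(found),
            "combos": combos, "suspicious": score >= THRESHOLD}

# Constructed, deliberately incomplete fragments (not working scripts).
SUSPECT = r'''
Set fso = CreateObject("Scripting.File" & "SystemObject")
selfPath = WScript.ScriptFullName
Set app = CreateObject("Outlook" & ".Application")
For Each entry In book.AddressEntries
msg.Attachments.Add selfPath
'''
BENIGN = r'''
' Nightly report mailer. Never walks AddressEntries.
Set app = CreateObject("Outlook.Application")
msg.Attachments.Add "C:\reports\daily.txt"
'''
print(scan(SUSPECT)["score"], scan(BENIGN)["score"])
```

The benign mailer uses Outlook and an attachment but stays under the threshold, because the score depends on the combination of address-book access, mailing and self-reference rather than on any one object name.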
