VBS/Luser, also known as Zulu, is the first encrypted Visual Basic
Script (VBS) virus.
The virus contains 2 simple functions to decrypt its body. It
performs the decryption in several steps, decrypting different parts
of itself. When an infected file is executed, the virus drops the file
WINSTART.VBS in the Windows system directory. The virus creates this
file from encrypted strings in its body, using a function named A
to decrypt them. After that, the virus modifies the Registry to
automatically run the WINSTART.VBS file each time the computer is
restarted. When this file is executed, it uses a function named B to
decrypt the other strings it uses. One of these strings is the message
in Spanish which the virus displays on the 1st of every month.
Each time it executes, the virus randomly chooses one directory
and searches it and its subdirectories for HTM and HTML files to
infect. The path depends on the environment. For example, it will infect
one of the following directories: Desktop directory; Documents
directory; Program Files directory; Temporary directory; Windows Help
directory; Temporary Internet Files directory.
When the virus infects a file, it re-encrypts itself using a function
named W and appends itself to the end of the infected file.
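
A triage check for the traces described above, as an added example that is not part of the original description: it walks a directory tree and flags HTM/HTML files that carry a VBScript block after the closing </html> tag, plus any file named WINSTART.VBS. That the appended code shows up as a script tag after </html> is an assumption of this heuristic, and the sample files are constructed placeholders.

```python
import os
import re
import tempfile

HTML_EXT = (".htm", ".html")
DROPPED_NAME = "winstart.vbs"  # file name given in the description
CLOSE_HTML = re.compile(r"</html\s*>", re.I)
VBS_TAG = re.compile(r"<script[^>]*vbscript", re.I)  # assumed marker of appended code

def appended_vbscript(text):
    """True if a VBScript <script> tag appears after the last </html>."""
    last = None
    for last in CLOSE_HTML.finditer(text):
        pass
    if last is None:
        return False
    return bool(VBS_TAG.search(text, last.end()))

def scan_tree(root):
    """Walk root and its subdirectories; return sorted (reason, relpath) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == DROPPED_NAME:
                findings.append(("dropped-file-name", rel))
            elif name.lower().endswith(HTML_EXT):
                with open(path, "r", encoding="latin-1") as fh:
                    if appended_vbscript(fh.read()):
                        findings.append(("script-after-html-end", rel))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (harmless placeholder content) and scan it."""
    tail = '<html><body>hi</body></html>\n<script language="VBScript">\n</script>\n'
    samples = {
        "clean.html": "<html><script language=VBScript>x=1</script></html>\n",
        os.path.join("sub", "tail.htm"): tail,
        "WINSTART.VBS": "' placeholder\n",
        "notes.txt": "</html><script language=vbscript>",  # not HTM/HTML: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_tree(root)
```

A hit from the script-after-html-end rule only marks a file for manual review, since legitimate pages can also carry trailing script.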