1R2N Virus & Anti-Virus

The 1r2n virus and anti-virus are made using a scripting language, and the virus works similarly to a shortcut virus. Actually I don’t like calling it a virus; it’s just an automated script, but having the basic characteristics of a virus makes it one of them. And the anti-virus is not an actual anti-virus; it was an antidote for this virus, and it can also restore files manipulated by a shortcut virus and launch the default anti-virus (Windows Defender) whenever a new device is detected. For more technical detail, click on the project link.

Project Link : https://gitlab.com/arabindra/1R2N-Virus-and-Anti-Virus

Why is the virus named 1r2nv1.vbs & 1r2nv2.vbs?

Well, the first 4 words are given after my name ArBn = 1r2n, v1 and v2 denote the virus versions with different functionality, and .vbs is the file extension.

Interesting Part

When I was writing this blog, I googled this virus name and I got more than a thousand results. So I used a Google dork to get exact results with this virus title. Actually 1r2nv2 can self-replicate and was supposed to search for & delete 1r2nv1 from the system. So in most of the blogs they used the 1r2nv1 name and shared the 1r2nv2 code. Search result detail:

I had never imagined that it would spread to other countries too. There are even articles about it. They also stated that it affected more than 200,000 organizations and 230,000 computers in over 150 countries. Well, I don’t believe that, because it can spread only through removable storage devices and it’s just 97 lines of shit. But the worst part is they explained this virus as severe malware, a trojan, adware, a browser hijacker, and even linked it with useless browser extensions and software. Before writing anything about it, they should at least have gone through the lines of code. They even explained a lengthy process to remove this virus. If they had gone through the lines of code, they could have clearly understood the whole working process. This project was for self-learning and educational purposes, so the files and code were not encrypted. I will explain the removal process at the end.

Story Behind This

In 2016, when I was in BIM 2nd SEM, I used to make simple batch files to automate my tasks and was trying to learn how viruses and anti-viruses work. In college we had to do a lot of presentations, and I didn’t use to make presentation files, and most of us really didn’t like doing presentations all the time. We used to make many excuses, but it wouldn’t work every time. So I thought of making automated code that acts like a virus. I made the first version of it and named it “1r2nv1”. It had to be manually installed on the computer, and after that it would start doing abnormal activities like light indicator fluctuation, ejecting the CD drive, rotating the screen display & turning off the computer. And with this we could easily escape from presentations. But it was really frustrating for the victim (especially the teacher😜😜); they could not use their PC properly. So I decided to make a new, upgraded version of it.

And I made a new version of it, which is similar to Shortcut Virus functionality and requires no more manual installation; in fact it can self-replicate and search for a specific file (ast.vbs) to run from a removable storage device, and I named it “1r2nv2”. It was less harmful, with no abnormal activities, but once in a month (Day 9) it will auto turn off the computer when a removable storage device is detected, and twice in a week (Monday, Thursday) it switches the mouse button functionality. For fun, I used it on one of my friends’ computers. One day I found my own pen drive infected with my own virus while using it in the computer lab. I was shocked that it had spread widely across the whole college. As the virus was new, it was not detected by antivirus either. Just because of this virus, some of my friends had even re-installed Windows. When I learned that, I felt very bad, so I made an anti-virus that would delete this virus from the system and even restore files damaged by the actual Shortcut Virus and activate the anti-virus (Windows Defender) on removable storage device detection.

Later on, in our college .NET project, we demonstrated the whole activity of how the virus and anti-virus work. And the project name was “Xoogle Antivirus”, named after my friend’s nickname “Xuppu”.😂🤣

Now, after 2 years, this virus is detected by most antivirus software. I found a post in the Microsoft forum; some users had even submitted this virus file to Windows Defender Security Intelligence (WDSI), thanks to them. Hope it doesn’t exist anymore. I apologize for the trouble caused by this virus, as it was totally unintentional, but I am sure that no software or hardware was harmed by this virus.

Process to remove this 1r2n virus

It copies itself into the startup folder (which helps it run when Windows boots up). So you can simply delete it from there. If you don’t know how, then follow these steps:

  1. Press Windows + R (for run dialog box)
  2. Type “shell:startup” and press OK
  3. Delete the 1r2n* file and the “Windows Service.lnk” file (make sure showing hidden files is enabled, because the 1r2n file is hidden in that folder)
  4. Also kill “wscript.exe” from Task Manager (though it’s not necessary, the virus will be running in memory, so to completely remove it either kill the task or restart)
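
The same removal steps as a PowerShell script. This is an added example, not part of the original post or the project's code. The function name `Remove-1r2nArtifacts` is hypothetical, and the report-only check for `ast.vbs` assumes the file sits at the root of a removable drive, which the post does not state.

```powershell
# Added example: automates the manual removal steps listed above.
function Remove-1r2nArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Per-user Startup folder, the location that "shell:startup" opens.
        [string]$StartupPath = [Environment]::GetFolderPath('Startup')
    )

    # Step 3: -Force makes Get-ChildItem return hidden files too.
    $targets = @(Get-ChildItem -LiteralPath $StartupPath -File -Force |
        Where-Object { $_.Name -like '1r2n*' -or $_.Name -eq 'Windows Service.lnk' })

    foreach ($file in $targets) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete startup entry')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }

    # Step 4: stop the script host so the copy already in memory exits.
    # This ends every wscript.exe, including unrelated scripts.
    $hosts = @(Get-Process -Name wscript -ErrorAction SilentlyContinue)
    foreach ($p in $hosts) {
        if ($PSCmdlet.ShouldProcess("wscript.exe (PID $($p.Id))", 'Stop process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # Report only (assumption: ast.vbs at the drive root). DriveType 2 = removable.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    $hits = foreach ($d in $removable) {
        $candidate = Join-Path -Path ($d.DeviceID + '\') -ChildPath 'ast.vbs'
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }

    # Summary of what was found, so the run can be logged or reviewed.
    [pscustomobject]@{
        StartupFiles   = @($targets | ForEach-Object { $_.FullName })
        ScriptHostPids = @($hosts | ForEach-Object { $_.Id })
        RemovableHits  = @($hits)
    }
}

# Dry run first: -WhatIf lists what would be deleted or stopped without doing it.
Remove-1r2nArtifacts -WhatIf
```

Run it again without `-WhatIf` to apply the changes.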

Disclaimer: The project sample (excluding the .NET project) link is given for educational purposes only. So if you modify anything and use it, then I won’t be responsible for any harm or damage.

