The script within the archive is usually unreadable to the naked eye. It uses Chr() character codes, string reversal, and junk code insertion to bypass signature-based antivirus detection.
Look for wscript.exe or cscript.exe running with high CPU usage or unusual network connections.
The script executes and modifies registry keys to ensure persistence (restarting the malware upon reboot).
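For analysts triaging a script like the one described above, the following added example (not code from the original page) statically recovers strings hidden behind Chr() chains and reversed literals without executing anything. It assumes VBScript-style syntax, including the `StrReverse` function and `&H` hex literals; the sample input and the flagging threshold are constructed for illustration, and junk code detection is out of scope.

```python
import re

# One Chr()/ChrW()/ChrB() call with a decimal or &H hex argument.
CALL = r'\bChr[WB]?\(\s*(&H[0-9A-F]+|\d+)\s*\)'
CHR_CALL = re.compile(CALL, re.I)
# One or more calls joined by the VBScript concatenation operators & or +.
CHR_CHAIN = re.compile(CALL + r'(?:\s*[&+]\s*' + CALL + r')*', re.I)
REVERSED = re.compile(r'\bStrReverse\(\s*"([^"]*)"\s*\)', re.I)

# Constructed, inert sample text (not taken from any real file).
SAMPLE = '''
Dim a1, zz9
zz9 = 12345 : zz9 = zz9 + 1
a1 = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116)
b2 = StrReverse("llehS")
x = Chr(&H41) & Chr(66)
'''

def _code_point(token):
    """Convert a Chr() argument ('87' or '&H57') to an integer."""
    return int(token[2:], 16) if token.upper().startswith('&H') else int(token)

def decode_chr_chains(text):
    """Return the plaintext of every Chr() concatenation chain, in order."""
    decoded = []
    for chain in CHR_CHAIN.finditer(text):
        points = [_code_point(t) for t in CHR_CALL.findall(chain.group(0))]
        # Skip values that are not valid code points instead of raising.
        decoded.append(''.join(chr(p) for p in points if p <= 0x10FFFF))
    return decoded

def decode_reversed(text):
    """Return the un-reversed form of every StrReverse("literal") call."""
    return [literal[::-1] for literal in REVERSED.findall(text)]

def triage(text, chr_threshold=5):
    """Summarise obfuscation indicators; chr_threshold is an assumed cut-off."""
    chr_calls = len(CHR_CALL.findall(text))
    reversed_strings = decode_reversed(text)
    return {
        'chr_strings': decode_chr_chains(text),
        'reversed_strings': reversed_strings,
        'chr_calls': chr_calls,
        'suspicious': chr_calls >= chr_threshold or bool(reversed_strings),
    }

if __name__ == '__main__':
    print(triage(SAMPLE))
```
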