Colette

Colette is a Trojan horse written in VBS. It attacks Win95/98 systems however it frezess WinME. It is distribiuted as 7zip self extracting archive EXE.

Infection

After execution, the trojan extracts all of the needed files to C:\WINDOWS\Web folder, then it overwrittes Win.INI file, to make it launch at startup. Next it starts a simple VBS scrpit that generates a different message every time it is ran. Here is some of the messages:

You cant get away from me EVER!
Dont run away!
I just want to be friends!
How many cool brawlers!
Look! My favorite Brawler!
Im gonna catch you!
Just wait there! I ll be right back
I just want your autograph!

Behavior

Then the program launches the main payload which is in a file called "S3.VBS" probably to inpersonate S3 video driver. This program checks if the day is 5th of any month. If it is then it activates the payload, if it isn't it quits.
This check is made every time the OS starts.
Due to a bug it won't activate the payload if you run the trojan for the frist time on the 5th.
The 5th day of the month rutine firstly shows a message box with quote from Win9x.Smash "Seems like your bad dream came true." then overwrittes every file in C:\Windows and C:\WINDOWS\SYSTEM with copy of S3.VBS. This breaks the files, as they have VBS code inside but, are still the original file format.

Variants

There are no know modded versions of the trojan however it has 3 versions as the latest being 3.0
The first one is lost as there are no archives of it.
The second one described on now deleted video by the creator, it didn't have quotes from Brawl stars's character Colette instead it inpersonated DirectX installer and had bugs.
The third one described here.

Effects

Due to quick deletion of this trojan from it's github repo, it only infected few computers, most of them were VMs of the creator and he's friends.

Name

The program gained it name after the Brawl stars's character Colette, the creator thought it will be funny to make a trojan with quotes from his younger brother's favourite game.
However file name on his desktop was "Colette" back in 2.0

Antivirus Aliases

ESET - VBS/Agent.SBT Trojan

Origin

The trojan has been written in Poland in Early 2024

Creator

The creator known as Mihot7 online, has been writting other malware samples in mainly in batch and C++, this is his first attempt at VBS malware.

Other Facts

The trojan's github page has been made private, to prevent legal issues.
Due to creator himself reporting the trojan to ESET it is the only knew alias for this malware.
It was written for friend of his for viewer made malware seires.

Sources

https://www.youtube.com/channel/UCiUj8YuJXLDTsfuA1iZf_FQ/community?lb=Ugkx3DeAZs1zvk00aLFRMlpe2TDeZP1B9mMw
https://github.com/Mihot7/Colette.A (Now private)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License