Vulnerability Development mailing list archives
Re: Opportunist?
From: aferber () TECHFAK UNI-BIELEFELD DE (Andreas Ferber)
Date: Fri, 5 May 2000 15:09:41 +0200
On Thu, May 04, 2000 at 08:34:20PM -0700, Blue Boar wrote:
> I'll be the first to admit that I'm not much of a VBScript coder, but the code at the URL below looks a little suspicious to me. Perhaps I'm just being paranoid today.
As far as I can see, the script is OK. It first checks whether a characteristic registry entry (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32) is there. Then it deletes all files with extension ".vbs" on the disc (but it misses ".vbe"). Then it deletes all LOVELETTER registry entries and sets the start page of IE anew (to an invalid URL: http://NTNV2/intravision).

I stumbled a little bit on the "sub clean_mail", which is called as the last cleanup. At first it looks as if it (like the virus) does something with the whole OE address book. But if you look closer, you see that it was first intended to delete the address book, but in the distributed version, the line which actually deletes the registry entries is commented out.

During the operation, the script also writes a simple logfile with all actions it is taking.

CU,
Andreas
--
We must believe that it is the darkest before the dawn of a beautiful new world. We will see it when we believe it.
-- Saul Alinsky