Vulnerability Development mailing list archives

Re: Opportunist?


From: aferber () TECHFAK UNI-BIELEFELD DE (Andreas Ferber)
Date: Fri, 5 May 2000 15:09:41 +0200


On Thu, May 04, 2000 at 08:34:20PM -0700, Blue Boar wrote:

> I'll be the first to admit that I'm not much of a VBScript coder,
> but the code at the URL below looks a little suspicious to me.
> Perhaps I'm just being paranoid today.

As far as I can see, the script is OK.  It first checks whether a
characteristic registry entry
(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32)
is there.  Then it deletes all files with the extension ".vbs" on the
disc (but it misses ".vbe").  Then it deletes all LOVELETTER registry
entries and sets the start page of IE anew (to an invalid URL:
http://NTNV2/intravision).

I stumbled a little bit on the "sub clean_mail", which is called as
the last cleanup.  At first it looks as if it (like the virus) does
something with the whole OE address book.  But if you look closer, you
see that it was first intended to delete the address book, but in
the distributed version the line which actually deletes the registry
entries is commented out.

During the operation, the script also writes a simple logfile with all
actions it is taking.

CU, Andreas

--
We must believe that it is the darkest before the dawn of a beautiful
new world.  We will see it when we believe it.
                -- Saul Alinsky
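
The check described in the message above (is the line that deletes registry entries active or commented out?) can be automated when reviewing a third-party cleanup script. The following is an added example, not part of the original post and not the script under discussion; the sample script, its key path and the names `split_comment` and `triage` are constructed for illustration.

```python
import re

# Windows Script Host / FileSystemObject calls a reviewer wants to see listed.
SENSITIVE = re.compile(r"\b(RegDelete|RegWrite|DeleteFile|DeleteFolder|Delete)\b", re.I)
STRING = re.compile(r'"[^"]*"')  # VBScript string literal ("" escapes pair up)

def split_comment(line):
    """Return (code, comment) for one VBScript line."""
    stripped = line.lstrip()
    if re.match(r"rem(\s|$)", stripped, re.I):  # Rem-style comment line
        return "", stripped[3:]
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:  # apostrophe outside a string
            return line[:i], line[i + 1:]
    return line, ""

def triage(source):
    """List (line_no, sub_name, call, state) for every sensitive call."""
    findings, current_sub = [], None
    for no, line in enumerate(source.splitlines(), 1):
        code, comment = split_comment(line)
        m = re.match(r"\s*(?:sub|function)\s+(\w+)", code, re.I)
        if m:
            current_sub = m.group(1)
        for state, text in (("active", code), ("commented-out", comment)):
            # Drop string literals so a call name inside a message is ignored.
            for call in SENSITIVE.findall(STRING.sub('""', text)):
                findings.append((no, current_sub, call, state))
    return findings

# Constructed sample, NOT the script discussed in the thread.
SAMPLE = "\n".join([
    r'Sub clean_registry',
    r'  sh.RegDelete "HKCU\Software\Example\Placeholder"',
    r'  log.WriteLine "don' + "'" + r't touch RegDelete here"',
    r'End Sub',
    r'Sub clean_mail',
    r'  For Each k In keys',
    r"    ' sh.RegDelete k",
    r'  Next',
    r'End Sub',
])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The scan is line-based and does not follow `_` line continuations or `Rem` after a `:` statement separator, so treat its output as a reading aid for manual review rather than a verdict.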


