Vulnerability Development mailing list archives

Re: unobfuscation of AnnaKournikova.jpg. vee bee ess worm


From: Dzzie Z <dzzie () YAHOO COM>
Date: Wed, 14 Feb 2001 01:34:18 -0500

According to Kaspersky Lab (AVP) this is an old virus (and it really is
because I've caught it with outdated bases) created with "[K]Alamar's
Vbs Worms Creator" generator. They've published a full review (in
the classification of Kaspersky it's called I-Worm.Lee.o)

this is from the worm generator documentation:

[...]
HEY!
I'M TRYING TO FIND THE CREATOR OF THE LEE WORM, CAUSE ALL WORM CREATED
WITH THE OLDER VBSWG ARE DETECTED AS I-WORM.LEE
[/..]

and today's bit of trivia just for fun : )

[...]
Sorry for the bugs, after all, I'm just 17 years old!.
[/..]

generator just basically pastes routines from other vbs worms together although the obfuscation I think is his.. not from zulu or such ...is a shifted ascii->hex string with random 11 character function and variable names

aghh point and click worms

sidethought..maybe the Lee worm is where he got his obfuscation routine and that is why his are being picked up as it...

anyway TL security has the generator if you want to play with it...norton flags it as "Trojan.Horse" but looks to me like a pure vb5 exe with nothing wrapped in and it doesn't open any ports or lodge in memory so *shrugs*

