Here you have, ;o)

Steve Orrin sorrin at lockstar.com
Tue Feb 13 07:37:08 PST 2001


Actually the part that looks like executable code is just encoded and the
second part of the virus is a script to decode it. Once decoded it is
executed and it is this decoded script that actually executes the virus
methods (adding things to registry, replication and a timed DoS against some
web site in .nl)
The real interesting thing is that the virus was created by a Worm Generator
(known as VBSWG 1.50b). It creates the worm for any script kiddie, thus
doing the hard work like obfuscating the code and using randomly generated
object names as well as the replication code and Registry entries.
-Steve
-----Original Message-----
From: Declan McCullagh <declan at well.com>
To: Adam Back <adam at cypherspace.org>
Cc: Vin McLellan <vin at shore.net>; Com Cypherpunks at Toad.
<cypherpunks at toad.com>
Date: Tuesday, February 13, 2001 10:07 AM
Subject: Re: Here you have, ;o)


>Yep. Vorm writers are getting smarter. It seems as though VB
>lets you embed executable (compiled, I assume) code in a .vbs
>file, so a casual observer can't easily tell what this one does.
>
>-Declan
>
>
>On Mon, Feb 12, 2001 at 09:37:33PM -0400, Adam Back wrote:
>> Heh, heh.  Guess who uses outlook :-)
>>
>> Endless source of amusement as a linux user watching the VB
>> script worms play out.  I think you actually have to click
>> on this one, though the double extension helps as many
>> users won't see the 2nd .vbs, just the .jpg.
>>
>> Adam
>>
>> On Mon, Feb 12, 2001 at 08:09:32PM -0500, Vin McLellan wrote:
>> > Hi:
>> > Check This!
>>
>>
>





More information about the cypherpunks-legacy mailing list