. .: .:.. :.. .. .:.::. :. ..: <<-==млллллм=млллллм=млллллм===< .:: ллл ллл:ллл ллл.ллл ллл .:. . .:.мммллп.плллллл.ллллллл:.. ...лллмммм:ммммллл:ллл ллл.::. >===ллллллл=ллллллп=ллл ллл=->> .: .:.. ..:. .: ..:.::. ::.. :.:. ICQ visions by Benny/29A ICQ application is one of the most spreaded Instant Messenger programs at all. And like every such utility program it has its own evidency of all communicating persons. This gigant centralized database contains many private datas that can be abusable. Becoz of a high spread of this system it is logic to focus on ways it would be able to abuse these datas for some malware code spreading. Just imagine it - worm that retrieves private datas of all accessible persons, composes e-mail messages and spreads itself to all addresses. Hard to say why there still had not happened such data compromity and following epidemy. 1. Accessing data from ICQ application While coding I-Worm.Serotonin I had an idea - ICQ application stores a contact-list on a hard-drive. What about find a way it would be possible to extract stored datas? While searching for communication interface I found something very strange. In an ICQ folder there is ICQAutomation.DLL file. As the filename means, it should be something like object using COM/OLE automation tech. Let's look at the list of methods with their prototypes that provides their interface: HRESULT ICQIsInstalled([out, retval] long* pVal); HRESULT ICQIsRunning([out, retval] long* pVal); HRESULT OpenICQ(); HRESULT WaitToICQ([in] long pTimeInterval); HRESULT ClientVersion([out, retval] long* pVal); HRESULT ClientBuild([out, retval] long* pVal); HRESULT IsPackageInstalled([in] BSTR pPackageName, [out, retval] long* pVal); HRESULT InstallPackage([in] BSTR pPackageName,[in] BSTR pPackageURL); HRESULT OwnerUIN([out, retval] BSTR* pVal); HRESULT OwnerNickName([out, retval] BSTR* pVal); HRESULT OwnerFirstName([out, retval] BSTR* pVal); HRESULT OwnerLastName([out, retval] BSTR* pVal); HRESULT OwnerBirthDate([out, retval] DATE* pVal); HRESULT OwnerCountry([out, retval] BSTR* pVal); HRESULT OwnerCountryCode([out, retval] VARIANT* pVal); HRESULT OwnerGender([out, retval] BSTR* pVal); HRESULT OwnerIP([out, retval] long* pVal); HRESULT OwnerProperty([in] BSTR pPropertyName, [out, retval] VARIANT* pVal); HRESULT OwnerStatus([in] BSTR pStatusCLSID, [in] long pServiceID, [out, retval] BSTR* pStatus); HRESULT OwnerStatusDescription([in] BSTR pStatusCLSID, [in] long pServiceID, [out, retval] BSTR* pStatusDesc); HRESULT OwnerSessionKey([out, retval] unsigned long* pVal); HRESULT UserType([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserHandle([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserFirstName([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserLastName([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserNickName([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserBirthDate([in] BSTR pUIN, [out, retval] DATE* pVal); HRESULT UserCountry([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserCountryCode([in] BSTR pUIN, [out, retval] VARIANT* pVal); HRESULT UserGender([in] BSTR pUIN, [out, retval] BSTR* pVal); HRESULT UserIP([in] BSTR pUIN, [out, retval] long* pVal); HRESULT UserProperty([in] BSTR pUIN, [in] BSTR pPropertyName, [out, retval] VARIANT* pVal); HRESULT UserStatus([in] BSTR pUIN, [in] BSTR pStatusCLSID, [in] long pServiceID, [out, retval] BSTR* pStatus); HRESULT UserStatusDescription([in] BSTR pUIN, [in] BSTR pStatusCLSID, [in] long pServiceID, [out, retval] BSTR* pStatusDesc); HRESULT GetNumOfUsers([in] BSTR pType, [out, retval] long* pVal); HRESULT GetContactListUINs([in] BSTR pType, [out, retval] VARIANT* pVal); HRESULT SetLicenseKey([in] BSTR pName, [in] BSTR pPassword, [in] BSTR pLicenseKey); HRESULT NumberOfEventsWaiting([in] BSTR pUIN, [out, retval] long* pVal); HRESULT ActivateDialog([in] BSTR bsUIN, [in] BSTR bsClsId, [in] long iServiceId, [in] VARIANT varParameterNames, [in] VARIANT varParameterValues); HRESULT OpenWaitingEvent([in] BSTR pUIN); I tried to create following VBScript file that would be able to deal with such interface: set obj = CreateObject("ICQAutomation.MIICQAutomation") obj.OpenICQ It did NOT work. The object creation is ok, but accessing any methods or properties results in nonspecified error. It's mystirious. I spent huge time while exploring and analysing different ways that could work. It did NOT work. When I tried to find some documentation I figured out that NOBODY knows about it. Try it! Open www.google.com and type "ICQAutomation". On whole Internet there does NOT exist anything info about this interface. De facto it's only ICQ developers, me and now you who knows it. If you will find any way how to make the VBScript code working, I will be very grateful to you if you will send me a mail (benny@post.cz) about it. 2. Accessing data from ICQ website This model is theoretical for now, but I think there's no problem at this. On ICQ website (www.icq.com) there is whole database accessible to anyone, without any limitations. All you have to do is send HTTP request to search engine and you will recieve an HTML document (you have to extract wanted datas from it then). You can get not only e-mail addresses of all users the malware could spread to, but also all private datas that can be used to create an impressive electronic messages, where some text would differ on base of each person's datas. Virus/worm manipulating with datas of ICQ users has imho real chance to become a serious treat. Even I personaly dislike malware code spreading and I don't spread my creations to the wild, I find this idea at least a bit interesting. ................................ . . Feb 19 2003 Benny/29A . benny@post.cz . ... searching for perfection ...