Homepage

Bob Kleemann rkleeman at energoncube.net
Wed May 16 14:41:24 CDT 2001


~sdpm~
I'm not real good in VB either, but if my casual parsing is correct, it
loads up one of four random webpages and then it sends itself to people in
your addressbook.  Looks like a classic Outlook worm to me.

On Wed, 16 May 2001, cabney wrote:

> ~sdpm~
> On Wed, 16 May 2001, Bob Kleemann wrote:
> 
> > It's looking like we have a virus here, text of the attachment:
> 
> Can anyone tell me what it's doing? (I get dizzy reading VB)
> 
> Uh, here you can look at it with this:
> 
> =8<====
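> #! /usr/bin/perl -w
> 
> use strict;
> 
> my ( $OutLookVirusF, $bad_by_definition, $yehrite );
> 
> # Path to the saved attachment, given as the first argument.
> $OutLookVirusF = shift;
> 
> die "Usage: $0 attachment-file\n" unless defined $OutLookVirusF;
> die "File not found\n" unless -f $OutLookVirusF;
> 
> # Three-argument open, so the file name is never parsed as a mode or a pipe.
> open my $V, '<', $OutLookVirusF or die ("problem opening $OutLookVirusF: $!\n");
> 
> $bad_by_definition = '';
> 
> while ( <$V> )
> {
> 	my $line = $_;
> 	# Swap the quoted string handed to DeCode for a placeholder and keep
> 	# the string itself so it can be decoded below.
> 	if ( $line =~ /Execute DeCode/i && $line =~ /^(.*)"(.*)"(.*)$/ ) {
> 		my ( $pre, $post );
> 		($pre, $yehrite, $post) = ($1,$2,$3);
> 		$bad_by_definition .= "${pre}__ICKENC__${post}";
> 	} else {
> 		$bad_by_definition .= $_;
> 	}
> }
> 
> close $V or die ("problem closing $OutLookVirusF: $!\n");
> 
> if ( defined $yehrite ) {
> 	# Undo the encoding: bytes 15, 16, 17 and 18 stand for LF, CR, space
> 	# and tab; every other byte is shifted down by 2.
> 	$yehrite = pack "C*", map {
> 		($_==15) ? 10 :
> 		($_==16) ? 13 :
> 		($_==17) ? 32 :
> 		($_==18) ? 9  :
> 		$_-2
> 		} unpack "C*", $yehrite;
> 
> 	# Put the decoded text back where the encoded string was.
> 	$bad_by_definition =~ s/__ICKENC__/\'$yehrite\'/;
> }
> 
> # Print the readable script; nothing is executed.
> print $bad_by_definition;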
> =8<====
> 
> CA
> -- 
> There was a time
> A wind that blew so young
> For this could be the biggest sky
> And I could have the faintest idea
> 
> ~sdpm~
> 
> The posting address is: san-diego-pm-list at hfb.pm.org
> 
> List requests should be sent to: majordomo at hfb.pm.org
> 
> If you ever want to remove yourself from this mailing list,
> you can send mail to <majordomo at happyfunball.pm.org> with the following
> command in the body of your email message:
> 
>     unsubscribe san-diego-pm-list
> 
> If you ever need to get in contact with the owner of the list,
> (if you have trouble unsubscribing, or have questions about the
> list itself) send email to <owner-san-diego-pm-list at happyfunball.pm.org> .
> This is the general rule for most mailing lists when you need
> to contact a human.
> 
> 





More information about the San-Diego-pm mailing list