
VBScript worm. It uses MIRC, OUTLOOK and PIRCH to send itself in a ZIP file.

When run, it shows a test that says what a name adds up to in ASCII characters, and it tests whether that number is 666. Then it will create "WINTEMP.TXT" in the temporary directory. It will use "DEBUG.EXE" to create "WINTEMP.EXE", also in the temporary directory, using "WINTEMP.TXT" as the script. This EXE file is PKZIP 2.50 for DOS. Using this file, it will create "666TEST.ZIP", with the worm inside, in the Windows directory. Then it will copy this ZIP file to the Windows "SYSTEM" directory as "WINSWAP.SWP", so the ZIP file will be in both directories under different names.

After that it will create "REGSVR.VBS" in the Windows "SYSTEM" directory and add this file to the registry to be run at startup. This file will try to modify MIRC and PIRCH so that the ZIP file with the worm inside will be sent, as with most IRC worms. Since this file is run at startup, it will make the worm work in new MIRC and PIRCH installations. This file will also check whether "666TEST.ZIP" exists, and if it doesn't (for example, because someone tried to remove the worm), it will copy "WINSWAP.SWP" from the Windows "SYSTEM" directory to "666TEST.ZIP" in the Windows directory, so the worm will be working again.

After adding "REGSVR.VBS" to the registry, the worm will try to use OUTLOOK to send itself to all contacts in the address book, using "666 test" as the subject, "> Does your name add up to 666 in ASCII characters? Are you going to go to hell?" as the body and the ZIP file with the worm inside as the attachment. This OUTLOOK code won't be run if the "HKEY_LOCAL_MACHINE\Software\MIRC/OUTLOOK/PIRCH.VanHouten\" registry key is true. If it doesn't exist it will be created, so the mails won't be sent more than one time.

If the day is 5, or "666TEST.ZIP" and "WINSWAP.SWP" do not exist, the VBS file run at startup will create "VANHOUTEN.BMP" (an image of Milhouse Van Houten from "The Simpsons") in the Windows directory and change the Windows wallpaper to this file.

The worm has a very simple encryption for its strings (ASCII values in hexadecimal, with the order of the values changed). The encryption is done this way because the same function also works to create binary files, and it is used to create "VANHOUTEN.BMP", for example. Anyways, this function was too slow creating "WINTEMP.EXE" (PKZIP 2.50 for DOS), so for this file I used "DEBUG.EXE" to create it. Thanks to Stramonium for his help in this matter.
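The file artifacts named in the description can be turned into a host check. The script below is an added example, not part of the original page or the worm's code: it looks for the dropped files in caller-supplied Windows, SYSTEM and temporary directories, flags a "WINSWAP.SWP" that carries a ZIP header, and flags the case where it is a byte-for-byte copy of "666TEST.ZIP". The function names and the sample directory tree built in `demo()` are constructed for illustration.

```python
import filecmp
import tempfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP
# File names from the description above, keyed by the directory they land in.
ARTIFACTS = {
    "windows": ["666TEST.ZIP", "VANHOUTEN.BMP"],
    "system": ["WINSWAP.SWP", "REGSVR.VBS"],
    "temp": ["WINTEMP.TXT", "WINTEMP.EXE"],
}

def find_file(directory, name):
    """Case-insensitive lookup, because Windows file names ignore case."""
    d = Path(directory)
    files = d.iterdir() if d.is_dir() else []
    return next((p for p in files if p.is_file() and p.name.upper() == name), None)

def scan(windows, system, temp):
    """Return findings for the three directories supplied by the caller."""
    dirs = {"windows": windows, "system": system, "temp": temp}
    found, findings = {}, []
    for role, names in ARTIFACTS.items():
        for name in names:
            p = find_file(dirs[role], name)
            if p:
                found[name] = p
                findings.append(f"present: {name} ({role})")
    swp, arc = found.get("WINSWAP.SWP"), found.get("666TEST.ZIP")
    if swp and swp.read_bytes()[:4] == ZIP_MAGIC:
        findings.append("WINSWAP.SWP has a ZIP header, so it is not a swap file")
    if swp and arc and filecmp.cmp(swp, arc, shallow=False):
        findings.append("WINSWAP.SWP and 666TEST.ZIP are identical copies")
    return findings

def demo():
    """Run the scan over a constructed directory tree (sample data, not real files)."""
    root = Path(tempfile.mkdtemp())
    win, sysdir, tmp = root / "WINDOWS", root / "WINDOWS" / "SYSTEM", root / "TEMP"
    for d in (sysdir, tmp):
        d.mkdir(parents=True)
    fake_zip = ZIP_MAGIC + b"constructed sample bytes"
    (win / "666test.zip").write_bytes(fake_zip)
    (sysdir / "WINSWAP.SWP").write_bytes(fake_zip)
    (sysdir / "regsvr.vbs").write_text("' constructed placeholder")
    return scan(win, sysdir, tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Because "REGSVR.VBS" recreates "666TEST.ZIP" from "WINSWAP.SWP" at startup, cleanup has to remove the startup entry and "REGSVR.VBS" together with both copies of the archive, not just the ZIP in the Windows directory.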

Source