PSN-L Message - Subject: PSN-L: .vbs scripts and spying

PSN-L Email List Message

Subject: PSN-L: .vbs scripts and spying
From: walt_williams@........
Date: Thu, 4 May 2000 15:13:18 -0800
All,

Programs which autoexecute .vbs scripts are at risk. Indeed there 
is a 'SPY' script which auto-downloads from WEBSITEs named, 
'network.vbs'.  This script downloads via java enabled 
webbrowsers. The script is dropped into three locations,

c:/
c:/windows/
c:/windows/start menu/programs/startup

The .vbs program is spawned by java, it attaches itself to the 
winsocket, and OLEs (pipes) MS products; grabs e-mail 
addresses from your MS e-mail programs (eg., outlook), and logs 
webbrowser surfing activity into the root in a file, 
'networklog.log'. It then creates a peer to peer virtual 
hard-disk to a remote dynamically identified URL and uploads the 
logged information stored in 'network.log' file. At some pseudo 
random time in the future the .vbs script deletes the .log file 
and the .vbs spy script, 'erasing its tracks'

I discovered this script when I rebooted my system one evening 
and an 'open' dialog request box appeared asking how I wanted to 
open the script. I don't use ANY products which auto-spawn .vbs 
and due to this, the script program failed to gather my personal 
information. This activity is patently illegal as it is 
unconstitutional and an invasion of privacy. 

This particular spy script has been floating around the InterNet 
about eight weeks. 

I have copies of the script, (functionally disabled) should
anyone care to study how it works, it is interesting to see how
the virtual hard disk is created without using LMHOSTS type
tables. I rename the script extension to .sbv and then change
the internal 'dim' statements to prevent accidental execution. 

Best Wishes, 

Walt Williams
SETV/OSR
============================================
------- Forwarded Message Follows -------
Date:          Thu, 04 May 2000 07:14:51 -0700
From:          Doug Crice 
Organization:  GeoRadar Inc.
To:            PSN-L Mailing List 
Subject:       Virus Aleart
Reply-to:      psn-l@..............

PSN folks.

I just received two copies of a virus this morning, both from
geophysical contacts.  Beware of a a message that says "Love
Letter for You" with a .vbs extension  (visual basic). My normal
virus filter didn't see it, so it's very new.

Doug Crice
-- 
Doug Crice			 http://www.georadar.com
19623 Via Escuela Drive		      phone 408-867-3792
Saratoga, California  95070  USA	fax 408-867-4900
__________________________________________________________

Public Seismic Network Mailing List (PSN-L)

__________________________________________________________

Public Seismic Network Mailing List (PSN-L)
[ Top ] [ Back ] [ Home Page ]
Larry Cochrane <cochrane@..............>