VBScript worm. It uses MIRC, OUTLOOK
and PIRCH to send itself in a ZIP file. When run, it shows a test that
says what a name adds up to in ASCII characters and it tests if
that number is 666. Then it will
create "WINTEMP.TXT" in the temporary directory. It will use "DEBUG.EXE"
to create "WINTEMP.EXE" also in the temporary directory using "WINTEMP.TXT"
as script. This EXE file is PKZIP 2.50 for DOS. Using this file it will
create "666TEST.ZIP" with the worm inside at Windows directory. Then it
will copy this ZIP file to Windows "SYSTEM" directory as "WINSWAP.SWP".
So the ZIP file will be in both directories with different names. After
that it will create "REGSVR.VBS" at Windows "SYSTEM" directory and it will
add this file in the registry to be run at startup. This file will try
to modify MIRC and PIRCH, so the ZIP file with the worm inside will be
send like most IRC worms. Since this file is run at startup, it will make
the worm work in new MIRC and PIRCH installations. Also, this file will
check if "666TEST.ZIP" file exists, and if it doesn't (for example because
someone tried to remove the worm), it will copy "WINSWAP.SWP" from Windows
"SYSTEM" directory to "666TEST.ZIP" in Windows
directory, so the worm will be working
again. After adding "REGSVR.VBS" to the registry the worm will try to use
OUTLOOK to send itself to all contacts in the address book, using "666
test" as subject, "> Does your name add up to 666 in ASCII characters?
Are you going to go to hell?" as body and the ZIP file with the worm inside
as attachment. This OUTLOOK code won't be run if the "HKEY_LOCAL_MACHINE\Software\MIRC/OUTLOOK/PIRCH.VanHouten\"
registry key is true. If it doesn't
exist it will be created, so the
mails won't be send more than one time. If day is 5 or "666TEST.ZIP" and
"WINSWAP.SWP" not exist, the VBS file from startup will create
"VANHOUTEN.BMP" (image of Milhouse
Van Houten from "The Simpsons") at Windows directory and it will change
the Windows wallpaper to this file. The worm has a very simple encryption
in strings (ASCII values in hexadecimal with the order of the values changed).
The encryption is in this way because this function also works to create
binary files and it is used to create
"VANHOUTEN.BMP" for example. Anyways, this function was too slow creating
"WINTEMP.EXE" (PKZIP 2.50 for DOS), so for this file I used "DEBUG.EXE"
to create it. Thanks to Stramonium for his help in this matter.