VIRUS NAME: Bat/Bwg.a@MM

Internet Worm Characteristics
AVERT has not received any field samples of this threat. It is a worm generated using a virus construction kit called "Bwg" (Batch Worm Generator).

This threat has been detected as VBS/Generic@MM since the release of the 4141 DATs (May 2001).
The virus arrives as an email attachment named b.bat. When run, it uses Outlook to send an email to all recipients in the address book, in the following format:

Subject: aaa
Body: bbb
When the attachment is double-clicked, the virus drops several copies of itself: C:\a.bat, C:\b.bat, C:\pro\a.jpg.bat and %Windir%\b.arv.bat. It then drops a VBS script, C:\dkhcz.vbs, that contains the code to mass-mail the virus.
It checks whether mIRC or pIRCh is installed. If mIRC is present, it edits mIRC's script.ini to send C:\pro\a.jpg.bat. If pIRCh is present, b.arv.bat is dropped into the Windows directory and pIRCh's events.ini is modified to send that file.
It can infect %windir%\startm~1\progra~1\autost~1\*.bat and drop %windir%\Start Menu\Programs\StartUp\bjits.bat. It can also copy itself to %windir%\Desktop\*.ifk and then rename %windir%\Desktop\*.ifk to *.bat.
The virus also overwrites the MIRC.INI and EVENTS.INI files to propagate through mIRC and pIRCh respectively. The file sent through mIRC is named "a.jpg.bat"; the file sent through pIRCh is named "b.arv.bat".
The most interesting thing about this virus is that it abuses the EICAR test file. Bat/Bwg.a@MM begins with the EICAR string; when the worm is run, that first line produces a "File not found" error, but batch execution continues with the rest of the script. Many AV products misdetected this virus as the EICAR test file when it first appeared.
Symptoms
Presence of C:\a.bat, C:\b.bat, C:\pro\a.jpg.bat, %Windir%\b.arv.bat.
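The following is an added example, not code from the AVERT write-up or from any AV product. It illustrates both the EICAR misdetection described above and the file-presence check implied by the Symptoms list: it classifies a file as the genuine EICAR test file only when the content is exactly the EICAR string (EICAR permits trailing whitespace up to a total of 128 bytes), treats a file that merely starts with that string as ordinary content still to be scanned, and runs that check over the drop locations listed under Symptoms. The `root`/`windir` parameters, the `demo()` tree and the contents written into it are constructed for the example; on a live host the same function would be pointed at the real drive root and %Windir%.

```python
# Added example, not code from the AVERT write-up: tell the genuine EICAR
# test file apart from a script that merely begins with the EICAR string,
# and run that check over the drop locations listed under "Symptoms".
#
# EICAR's definition of the test file: the 68-character string below, optionally
# followed by whitespace, with a total size of at most 128 bytes. A detector that
# only asks "does the file start with the EICAR string?" calls Bat/Bwg.a@MM an
# EICAR test file, which is the misdetection the write-up describes.
import os
from pathlib import Path

EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128

# Drop locations from the "Symptoms" section, split into a drive-root part and
# a %Windir% part so the scan can be pointed at a test tree instead of a live C:.
DROPPED_FILES = [
    (r"C:\a.bat", "root", "a.bat"),
    (r"C:\b.bat", "root", "b.bat"),
    (r"C:\pro\a.jpg.bat", "root", os.path.join("pro", "a.jpg.bat")),
    (r"%Windir%\b.arv.bat", "windir", "b.arv.bat"),
]


def classify(data: bytes) -> str:
    """Classify file content.

    'eicar'          exactly the EICAR test file (whitespace padding allowed)
    'eicar-prefixed' starts with the EICAR string but carries further content,
                     as Bat/Bwg.a@MM does; treat as a normal file to be scanned
    'other'          does not start with the EICAR string
    """
    sig = EICAR.encode("ascii")
    if not data.startswith(sig):
        return "other"
    tail = data[len(sig):]
    if len(data) <= EICAR_MAX_LEN and tail.strip(b" \t\r\n") == b"":
        return "eicar"
    return "eicar-prefixed"


def scan_indicators(root, windir) -> dict:
    """Map each listed drop location that exists to its classification.

    `root` stands in for the C: drive and `windir` for %Windir% (assumed
    parameters for this example); on a live Windows host call
    scan_indicators("C:\\", os.environ["WINDIR"]).
    """
    found = {}
    for label, base, rel in DROPPED_FILES:
        path = Path(root if base == "root" else windir) / rel
        if path.is_file():
            found[label] = classify(path.read_bytes())
    return found


def demo() -> dict:
    """Build a constructed test tree (not real samples) and scan it."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="bwg_demo_"))
    root, windir = base / "drive_c", base / "drive_c" / "windows"
    (root / "pro").mkdir(parents=True)
    windir.mkdir()
    # Constructed stand-in for a dropped batch file: EICAR string first,
    # then a harmless command in place of any real script body.
    (root / "a.bat").write_bytes(
        EICAR.encode("ascii") + b"\r\n@echo constructed sample, not the worm\r\n"
    )
    # A genuine EICAR test file with a trailing newline, for contrast.
    (windir / "b.arv.bat").write_bytes(EICAR.encode("ascii") + b"\r\n")
    return scan_indicators(root, windir)


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The design point is the order of checks: prefix match first, then the length and whitespace test, so that a file like b.bat (EICAR string followed by script lines) falls through to normal scanning instead of being reported as the benign test file.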