VIRUS NAME: VBS/Jord.a
Virus Characteristics
This threat is detected as W32/Trilisa.vbs. The virus copies itself as ORD.doc.vbs, ORD_photo.jpg.vbs and JERRY.vbs to the Windows Font directory. It then edits the following registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Please..., <WINDOWS font directory>\JERRY.vbs"
The virus checks whether the value of HKEY_CURRENT_USER\Control Panel\International\iCountry equals 34. If it does not, the virus creates the key "HKEY_LOCAL_MACHINE\Software\Singapore","0". If the value does equal 34, the virus creates the key "HKEY_LOCAL_MACHINE\Software\Singapore","1".
If the registry key "HKEY_LOCAL_MACHINE\Software\Singapore" does not equal 1, the virus then proceeds with the damaging payload routine.
The following files are deleted from fixed, network, and RAM Disk drives:
- *.ace
- *.asf
- *.asm
- *.arj
- *.avi
- *.bmp
- *.doc
- *.gb
- *.gba
- *.gbc
- *.gif
- *.jpeg
- *.jpg
- *.js
- *.lhz
- *.log
- *.mdb
- *.mid
- *.mod
- *.mov
- *.mp
- *.mp2
- *.mp3
- *.mpeg
- *.mpg
- *.pdf
- *.ppt
- *.rar
- *.rm
- *.rtf
- *.smc
- *.txt
- *.wav
- *.wp
- *.xls
- *.zip
- regedit.*
- regedb32.*
If the date is the 12th of June, a message will be displayed.
Symptoms
The above message is displayed and the listed files are deleted. The following files are also present in the Windows Font directory:
- ORD.doc.vbs, ORD_photo.jpg.vbs and JERRY.vbs
Method Of Infection
Executing one of these files: ORD.doc.vbs, ORD_photo.jpg.vbs or JERRY.vbs
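A host check for the indicators listed above, added here as an example and not part of the original write-up. The function names are hypothetical, and the Font directory is assumed to be %WINDIR%\Fonts. The write-up calls "Singapore" a key without saying whether it is a subkey or a value under HKLM\Software, so the script looks for both.

```python
import os
import sys
from pathlib import Path

# File names the write-up says are dropped into the Windows Font directory.
DROPPED_NAMES = {"ord.doc.vbs", "ord_photo.jpg.vbs", "jerry.vbs"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKLM


def find_dropped_files(font_dir):
    """Return sorted paths in font_dir whose name matches a dropped file."""
    root = Path(font_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.iterdir()
                  if p.is_file() and p.name.lower() in DROPPED_NAMES)


def run_entries_pointing_at(run_values, needle="jerry.vbs"):
    """Return names of Run-key values ({name: data}) that reference needle."""
    return sorted(name for name, data in run_values.items()
                  if needle in str(data).lower())


def read_hklm_values(subkey):
    """Return {name: data} for HKLM\\subkey, or None if the key is absent."""
    import winreg  # Windows only, so imported lazily
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
    except FileNotFoundError:
        return None
    with key:
        count = winreg.QueryInfoKey(key)[1]  # number of values in the key
        entries = (winreg.EnumValue(key, i) for i in range(count))
        return {name: data for name, data, _type in entries}


if __name__ == "__main__" and sys.platform == "win32":
    fonts = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Fonts")
    print("dropped files:", find_dropped_files(fonts))
    print("Run entries:", run_entries_pointing_at(read_hklm_values(RUN_KEY) or {}))
    # The write-up calls "Singapore" a key; check for a value of that name too.
    as_key = read_hklm_values(r"Software\Singapore") is not None
    as_value = "Singapore" in (read_hklm_values("Software") or {})
    print("Singapore marker present:", as_key or as_value)
```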