|
|
|
VIRUS
NAME : VBS/VBSWG.aq@MM
Virus
Characteristics
AVERT has yet to receive
a field sample of this threat.
This threat is currently detected as New Script with script heuristics
enabled. This threat will be detected as VBS/VBSWG.gen@MM with the 4205
dats. This worm arrives in an email message containing the following information:
Subject: Shakira's Pictures
Body: Hi :
i have sent the photos via attachment
have funn...
Attachment: ShakiraPics.jpg.vbs
When the attachment is run, the script mails itself to all addresses found
in the Outlook Address Book and the file c:\mirc\script.ini is overwritten
with instructions to send itself to IRC users who join the same channel
as the infected user. A message box is displayed.
The script copies itself to the WINDOWS directory and attempts to overwrite
.VBS and .VBE files. After the virus runs, it creates the following registry
key values:
- HKEY_CURRENT_USER\Software\ShakiraPics\mailed=1
- HKEY_CURRENT_USER\Software\ShakiraPics\Mirqued=1
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Registry=wscript.exe C:\WINDOWS\ShakiraPics.jpg.vbs %
Symptoms
Presense of the registry keys mentioned above
Method
Of Infection
This VBScript worm mass-mails itself to all users in the Microsoft Outlook
Address book. It also modifies the mIRC script.ini file to spread via
IRC and may also overwrite .VBS and .VBE files.
|
|
|
