VIRUS NAME: VBS/Dracv.a@MM
Virus Characteristics
This threat is detected as VBS/Generic@MM. This virus may arrive as an email attachment named vcards.vbs and will use Outlook to send email to all recipients in the address list in the following format:
On executing the virus, the following message is displayed
If the user chooses no, the virus will not proceed. If yes is chosen, the following message is then displayed:
and the user can enter a message. If all the attachments were not saved in the same directory, a message is then displayed.
The virus creates the directory C:\vcache and saves the files vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd. It goes on to search the hard drive for three .jpg files and then creates the file imgDisplay.html to display the pictures found.
The virus then checks whether the registry key
HKEY_CURRENT_USER\software\vcards\mailed = "1"
is set and, if not, proceeds to send the email to everyone in the address list in the above format. Once this has finished, the virus edits the registry key:
HKEY_CURRENT_USER\software\vcards\mailed = "1"
Symptoms
The presence of the following files and directory:
- vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd
- C:\vcache
- imgDisplay.html
The following key in registry:
HKEY_CURRENT_USER\software\vcards\mailed, 1
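The symptoms above can be checked on a host with a short script. The following PowerShell is an added example, not part of the original description. It assumes the .vcrd files sit inside C:\vcache, searches a hypothetical default set of roots for vcards.vbs and imgDisplay.html because the description does not give their locations, and checks "mailed" both as a registry value and as a subkey because the notation above is ambiguous.

```powershell
# Added example: host check for the VBS/Dracv.a@MM symptoms listed above.
# Assumption: the search roots below are illustrative defaults, not locations
# stated in the description. Pass -SearchRoots to widen or narrow the scan.
param(
    [string[]]$SearchRoots = @($env:USERPROFILE, $env:TEMP, 'C:\vcache')
)

$findings = New-Object System.Collections.Generic.List[string]

# Directory the virus creates
if (Test-Path -LiteralPath 'C:\vcache' -PathType Container) {
    $findings.Add('Directory present: C:\vcache')
}

# File names from the Symptoms list (-contains is case-insensitive for strings)
$names = 'vcards.vbs', 'vcrd01.vcrd', 'vcrd02.vcrd', 'vcrd03.vcrd', 'imgDisplay.html'
$roots = $SearchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object { $findings.Add("File present: $($_.FullName)") }
}

# Registry marker written after the mass mailing has completed.
# HKCU is per-user, so this only inspects the account running the script.
$key = 'HKCU:\Software\vcards'
if (Test-Path -LiteralPath $key) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties['mailed']) {
        $findings.Add("Registry value present: $key\mailed = $($props.mailed)")
    }
    if (Test-Path -LiteralPath "$key\mailed") {
        $findings.Add("Registry subkey present: $key\mailed")
    }
}

if ($findings.Count -eq 0) {
    'No VBS/Dracv.a@MM symptoms found in the checked locations.'
} else {
    $findings | Sort-Object -Unique
}
```

Run it in the session of the user who opened the attachment. A "mailed" entry set to 1 indicates that the mailing routine described above has already run for that account.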
Method Of Infection
Running vcards.vbs.