Virus Profile: Virus
Name Date Added Virus Characteristics This is a VBScript worm.
When the worm is first run it drops a copy of itself in the Windows folder as
either a name from the Recent Documents folder or a random Name and has a random extension chosen from Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt and the real extension, ".vbs" The worm will modify that copy by adding random comments to its body.
It modifies the registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" and
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"
to run the copy in the Windows folder.
This worm will arrive in an email message with this format:
Subject: Starts with "FW: " and is either a name from the Recent Documents folder or a random name
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
The worm uses Microsoft Outlook to send copies of itself to all entries in the address book.
This worm searches all drives connected to the host
system and replaces all files with copies of itself and it adds the
extension .VBS to the original filename. So PICT.JPG would be replaced
with PICT.JPG.VBS and this would contain the worm. The original file is
then deleted. It does not replace all the files with itself - due to a bug, the files it creates instead of the originals are 0-bytes long. It fails to write itself there.
Indications Of Infection Method Of Infection Removal Instructions
Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
PE,Trojan,Internet Worm and memory resident: Virus Information
VirusScan 4x:
VirusScan 4x:
Dr Solomon's 8x:
Minimum Dat Minimum Engine |