VBS/Chick-F  Aliases: I-Worm.Brit-G

Discussion in 'malware problems & news' started by FanJ, Jun 6, 2002.

Thread Status:
Not open for further replies.
  1. FanJ


    Name: VBS/Chick-F
    Aliases: I-Worm.Brit-G
    Type: Visual Basic Script worm
    Date: 6 June 2002


    VBS/Chick-F arrives as a compressed HTML file (CHM). When the
    file is opened the worm displays the text "Enable activeX To See
    Korea Japan results".

    If the user enables the ActiveX script the worm will search
    drives C:, D: and E: looking for a mIRC installation. If the
    mIRC executable is located, the worm will copy itself into
    C:\<windows>\koreajapan.chm. VBS/Chick-F creates a mIRC script file
    script.ini in the mIRC directory. The script attempts to forward
    a copy of the worm to users that join the same IRC channel.

    Script.ini is detected by Sophos Anti-Virus as mIRC/Simp-Fam.

    Finally VBS/Chick-F sends an email to the first entry in the
    user's Outlook address book.

    The email will have the following characteristics:

    Subject line: RE: Korea Japan Results
    Message text: Take a look at these results ...
    <Current user>
    Attached file: <name of the worm file that is currently

    The following registry entry will be set to the value of "1"
    when the emailing routine has been executed:


    This value acts as a marker and will prevent the emailing code
    from executing next time the worm is activated.

    Read the analysis at
  2. FanJ


    Beware of Virus Authors Exploiting World Cup Themes
    Kaspersky Labs warns of attempts to exploit the popular World Cup theme.

    Kaspersky Labs, an international data-security software developer, warns
    users about the first appearance of malicious programs taking advantage
    of the hugely popular and widespread World Cup theme. Despite the
    popular theme the network worm Brit.G, also well known as Chick.F, does
    not threaten to be the cause of a new Internet virus epidemic.

    The original version of the Brit. Internet worm was a simple virus-worm
    that spread via e-mail and IRC channels in the attached CHM file,
    "Britney.CHM". To launch this virus a user would have to open the
    attached file; only after this would the worm infect the computer and
    send out copies of itself only to the first address in the MS Outlook
    address book.

    Currently, Kaspersky Labs is familiar with six different versions of
    this program - b, c, d, e, f, g - distinguished by their subjects and
    attachment file names. The author of the most recent version, "Brit.g",
    attempts to draw attention by exploiting today's most popular theme as
    bait - The World Cup football championship.

    Message Subject - RE: Korea Japan Results
    Attachment File Name - KOREAJAPAN.CHM

    However, due to a range of technical errors in the worm's code, the
    probability of it spreading in the wild is virtually zero.

    "Virus authors are still actively employing social engineering methods
    in trying to manipulate the behavior of users, such as by using
    promising file names that compel users to open suspicious files",
    commented Eugene Kaspersky, the head of anti-virus research at Kaspersky
    Labs. "We don't count out the appearance of new virus "masterpieces" and
    in connection with this we look very negatively upon attempts by other
    anti-virus companies to rate new virus programs. Such ratings may
    actually encourage competition among virus authors."

    Kaspersky Labs once again urges users to be extremely
    careful with e-mail containing popular subject themes. We also recommend
    users refrain from "checking out" file attachments supposedly connected
    to the World Cup football championship, especially without the use of an
    anti-virus program armed with a freshly updated anti-virus database.

    For more detailed information about the Brit. series of worm viruses please
    click here (http://www.viruslist.com/eng/viruslist.html?id=48005).
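
A mail-gateway style check for the indicators the two posts above list (the subject line and the KOREAJAPAN.CHM attachment), as an added example that is not part of the thread or of either vendor's advisory. It goes slightly beyond the posts by also flagging any attachment that has a .chm name or starts with the CHM file signature "ITSF"; the function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisories above, compared case-insensitively.
LURE_SUBJECT = "re: korea japan results"
LURE_ATTACHMENT = "koreajapan.chm"
# Compiled HTML Help files begin with this signature (added check, not from the posts).
CHM_MAGIC = b"ITSF"


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a raw e-mail message should be quarantined (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Collapse whitespace so folded or padded subject lines still match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == LURE_SUBJECT:
        reasons.append("subject matches the VBS/Chick-F lure")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # body parts and containers carry no file name
        body = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            reasons.append("attachment named " + LURE_ATTACHMENT)
        elif name.endswith(".chm") or body.startswith(CHM_MAGIC):
            # Catches renamed copies and other CHM droppers.
            reasons.append("CHM attachment: " + name)
    return reasons


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message; addresses and payloads are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Take a look at these results ...")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("RE: Korea Japan Results", "KOREAJAPAN.CHM", CHM_MAGIC + b"\x00" * 16)
    for reason in scan_message(lure):
        print("quarantine:", reason)
```
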
  3. FanJ


    See also here:
