Discussion in 'malware problems & news' started by FanJ, Sep 25, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: VBS/Corica-A
    Type: Visual Basic Script worm
    Date: 25 September 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    VBS/Corica-A is a VBScript worm that sets the following registry entry so that any attempt to be edit a file with a VBS extension using the default option of Notepad.exe will display the file C:\Windows\Microsoft.txt:

    HKLM\Software\Classes\VBSfile\Shell\Edit\Command =
    C:\Windows\notepad.exe %C:\Windows\Microsoft.txt

    Microsoft.txt contains nothing but a nonsense of dots and dashes and is created by VBS/Corica-A.

    The worm sets the Internet Explorer start page to http://www.latingua.com and modifies the Windows Desktop wallpaper so that a large red, white and blue banner displaying the message "Costa Rica, es un pais libre y democratico." appears in the centre of the screen and the message "Viva Costa Rica!" scrolls along the bottom of the screen in red text.

    VBS/Corica-A copies itself to C:\Windows\Microsoft.vbs and creates a shortcut in the current folder, called Microsoft.Lnk, to run this VBS file.

    VBS/Corica-A attempts to email itself to all contacts in the Outlook address book. The email will have one of the following two sets of characteristics:

    Subject: Hi
    Message body: Please open the attachment is very important.
    Attached file: Microsoft.vbs


    Subject: Hola
    Message body: Aqui te mando un anexo muy importante que lo abras.
    Attached file: Microsoft.vbs

    VBS/Corica-A also sets the following registry entry:

    HKCU\AutoSetup\Land = "Costa Rica"

    More information about VBS/Corica-A can be found at
Thread Status:
Not open for further replies.