VBS/Nedal-A

Discussion in 'malware problems & news' started by Technodrome, Sep 11, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    VBS/Nedal-A arrives in an email with the following characteristics:

    Subject line: Osama Bin Laden Comes Back!
    Message text:
    Hello People,
    You have received email from Osama Bin Laden.
    Allah is The One Of God. No god in the World Accept Allah!
    All people in the world love peace and not wars.
    America and Israel must be detroy to prevent from wars.

    Your Sincerely,
    Osama Bin Laden
    Al-Qaeda Network

    The email arrives in an HTML format. The HTML has a VBScript component that includes this worm and the above message text.

    If the user accepts ActiveX scripts when reading their email then they will see the above text and a copy of the worm will be created on their system and then executed. The copy of the worm will be C:\Windows\OsamaBinLaden.vbs

    VBS/Nedal-A may drop the following three executables to the Windows folder: osama.exe, laden.exe and alta.exe.

    Osama.exe will be detected as HLLO/Nedal-A by Sophos Anti-Virus.
    This is an overwriting virus that targets all files with EXE extensions.

    Laden.exe is a Trojan dropper detected as Troj/Nedal-A by Sophos Anti-Virus.
    On the 11th of September Laden.exe will display a message box that reads
    "Today is 11 September! Do you remember this date?". Laden.exe will drop the file C:\Laden.bat, detected as Troj/Deltree-O by Sophos Anti-Virus.
    Laden.bat is intended to delete all files in the Windows system folder.
    Laden.exe will also create the following registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Laden = "Laden.exe".

    Alta.exe is detected as Troj/Shutdown-C by Sophos Anti-Virus.
    This Trojan may display a message box that reads "Prepare to sleep..." and then cause Windows to shutdown. The Trojan creates the registry entry
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AltaWorm = "alta.exe",
    causing the Trojan to be run on Windows start up and hence causing the computer to shutdown on Windows start up.

    VBS/Nedal-A may also drop the batch file C:\OsamaLaden.bat, detected as Troj/NedalBat-A by Sophos Anti-Virus. This batch file Trojan will create many new folders on the infected computer and will attempt to overwrite files that have the extensions TXT, XLS, DOC, EXE, RTF, CAB, COM, AVI, GIF, BMP, JPG, JPEG, TIF and BAT in the My Documents and C:\Windows\Desktop folders.

    VBS/Nedal-A creates the registry entries
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OsamaBinLaden
    and
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OsamaLaden.
    These two values will run the worm and the droppped batch file, OsamaLaden.bat, when Windows starts up.

    source: http://www.sophos.com


    Technodrome
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    You know, people who make these things and spread then around are scum to begin with, but this kind of crap is sick beyond all belief. I would bet most virus writers even look upon this with scorn.
     
Thread Status:
Not open for further replies.