VBS.Pila@mm

Discussion in 'malware problems & news' started by Randy_Bell, Jan 21, 2003.

Randy_Bell (Registered Member, joined May 24, 2002, Santa Clara, CA):
    Symantec Security Response - VBS.Pila@mm

    This virus is coded in Visual Basic Script (VBS). To distribute itself, it attempts to modify mIRC scripts, copy itself to drives across the local network, and send itself using Microsoft Outlook.

    Also Known As: VBS.Pilantra, VBS/Rols.dr@mm, VBS/Pulga.A@mm, VBS.Karmahotel, VBS/Estufa.Worm

    Type: Zoo Virus

    Technical details

    If it is executed, VBS.Pila@mm does the following:

    It creates the file Platônico.txt, adds text that is hard-coded in the virus to the file, and then opens the file using Notepad. The text describes in Portuguese how a lover was jilted and would exact revenge, calling the other lover a "cursed flea."

    It next checks if the file C:\File0004.chk exists. If it does not, then the virus copies itself to the Windows folder as Explorer.dll.vbs.

    It attempts to modify the [boot] section of the System.ini file so that it loads when you start Windows.

    This script will then create a copy of itself as \Windows\Platônico.txt <76 spaces> .shs

    NOTE: Virus writers put many spaces between the two parts of a double extension to make you think that an executable file is really a harmless text file.

    Next, it attempts to perform a mass mailing of the Platônico.txt <76 spaces> .shs file using Microsoft Outlook. The email has the following characteristics:

    Subject: This will be one of the following, chosen at random:

    Texto imperdível!
    Texto muito engraçado!
    O melhor texto que li nos últimos tempos...

    Message:
    ................................................
    Olá!!"
    Não posso falar muito sobre o texto porque se não perde a graça, é uma história de amor platônico... Achei muito engraçado vale a pena!!"
    .... .... . ..... ..... .... . ... .....
    ..... .... .... . . .... ..... ....

    The script then writes its "marker" file by creating C:\File0004.chk. The file consists of one line:

    Estufa co.

    This script then attempts to connect to mapped drives across a network and write itself as the file named Pulga.txt.shs.

    It also tries to modify the Script.ini file that is used by the mIRC chat client to distribute itself when you join Internet Relay Chat channels. The mIRC script is modified to connect to the IRC channel irc.libnet.com.br and send a notification alert that the victim has become infected.

    This script also drops two VBS files:

    • C:\File0001.chk.vbs: This file will scan the local drive and create a listing of subfolders on the system.
    • C:\file0002.chk.vbs: This file will scan the local drive and create a listing of files found on the system.

    These listings are then made available to a hacker using mIRC.

    Removal instructions

    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
    3. Run a full system scan.
    4. Delete all files that are detected as IRC.Pila.
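A defender-side check for the two disguise and persistence tricks the writeup describes (the space-padded double extension such as Platônico.txt <76 spaces> .shs, and the System.ini [boot] change), written as an added example that is not from the Symantec writeup or the forum post. The writeup does not name which [boot] key is modified; the `shell=` key is an assumption, and the sample filenames and System.ini text below are constructed.

```python
import re
from typing import Optional

# Extensions Windows runs even when the name looks like a data file.
# .shs (Shell Scrap Object) and .vbs are the two the writeup names.
EXECUTABLE_EXTS = {".shs", ".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Matches "<stem>.<inner ext><optional spaces/tabs>.<final ext>" as a whole name.
_DOUBLE_EXT = re.compile(r"(.+?\.(\w{1,5}))([ \t]*)(\.\w{1,4})")


def deceptive_double_extension(name: str) -> Optional[dict]:
    """Return details if `name` hides an executable extension behind a harmless one.

    A long run of spaces pushes the real extension out of view in Explorer and
    mail clients, so 'Platônico.txt   ...   .shs' reads as a plain text file.
    """
    m = _DOUBLE_EXT.fullmatch(name)
    if not m:
        return None
    visible, padding, real_ext = m.group(1), m.group(3), m.group(4).lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    return {"visible_name": visible, "padding": len(padding), "real_ext": real_ext}


def suspicious_boot_shell(system_ini: str) -> Optional[str]:
    """Return the [boot] shell= value if it launches anything besides explorer.exe.

    Assumption: the shell= key is the [boot] entry a script would alter to be
    started with Windows; the writeup only says the [boot] section is modified.
    """
    section = None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and line.lower().startswith("shell="):
            value = line.split("=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                return value
    return None


# Constructed sample inputs modelled on the names in the writeup (not real captures).
SAMPLE_NAMES = ["Platônico.txt" + " " * 76 + ".shs", "Pulga.txt.shs", "readme.txt"]
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\Windows\\Explorer.dll.vbs\n[386Enh]\n"

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n[:20]), "->", deceptive_double_extension(n))
    print("boot shell:", suspicious_boot_shell(SAMPLE_SYSTEM_INI))
```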