VBS/VBSWG-AQ

Discussion in 'malware problems & news' started by FanJ, Jun 5, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: VBS/VBSWG-AQ
    Type: Visual Basic Script worm
    Date: 5 June 2002

    Sophos has received several reports of this worm from the wild.

    Description:

    VBS/VBSWG-AQ is an email worm. The worm spreads using an email
    with the following characteristics:

    Subject line: Shakira's Pics
    Message text:
    Hi :
    i have sent the photos via attachment
    have funn...
    Attached file: ShakiraPics.jpg.vbs

    When the attachment is run it will copy itself into the Windows
    folder and add the registry entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry

    to ensure that the worm is run each time Windows is started. It
    will then attempt to email itself to all addresses listed in the
    Microsoft Outlook address book. If the worm detects that mIRC is
    installed it will create the file script.ini in the mIRC folder.
    This file is detected by Sophos Anti-Virus as mIRC/Simp-Fam.

    VBS/VBSWG-AQ will also create the registry entries

    HKCU\Software\ShakiraPics\mailed
    and
    HKCU\Software\ShakiraPics\mirqued

    after it has attempted to spread by email and IRC.

    The worm will then search all local and network drives for files
    with VBE or VBS extensions and overwrite them with a copy of
    itself.

    Finally the worm will display the message
    "You have been infected by the ShakiraPics Worm".


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/vbsvbswgaq.html
     
Thread Status:
Not open for further replies.