VBS_LISA.A

Discussion in 'malware problems & news' started by Randy_Bell, Apr 5, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    VBS_LISA.A is a Visual Basic Script (VBScript) worm that infects files with .VBS and .VBE extensions in all drives. It propagates through Microsoft Outlook, Kazaa, and mIRC. This worm deletes .DOC files and certain critical system files such as WIN.COM and REGEDIT.EXE. In addition, it creates up to 5,000 folders and non-malicious text files, downgrading system performance. Additionally, it hides the desktop icons and formats drive C:\ on machines running Windows 98 or Windows ME.

    Upon execution, this Visual Basic Script (VBScript) worm creates a copy of itself in the Windows folder using a random seven-character file name such as ABCDXYZ.VBS or 1928374.VBS. Then, it creates an autorun entry in the registry to ensure its automatic execution at every Windows startup.

    This worm searches for email addresses in the Microsoft Outlook address book, and sends an HTML–based email message to each of the contacts using the Outlook Mail Application Programming Interface (MAPI). The HTML-based email message has the following characteristics:

    Subject: Click YES and vote against war!

    The email message does not have an attachment as this worm is embedded in the message as a script. When the recipient opens the message, Window displays a warning with the following text:

    Some software (ActiveX controls) on this page might be unsafe. It is recommended that you not run it. Do you want to allow it to run?

    If the recipient clicks No, the following text appears in the message body of the email and the worm terminates its execution:

    For voting against war, please open this message again and click yes!
    It´s very important!
    Thank you!

    Otherwise, if the recipient clicks Yes, the following text appears in the message body and the worm continues to execute its malicious codes:

    Thank you for voting against war. We will now send an EMail for you to Mr. Bush

    If you would like to scan your computer for VBS_LISA.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    VBS_LISA.A is detected and cleaned by Trend Micro pattern file #503 and above.
     
    Randy_Bell, Apr 5, 2003
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...