Name: VBS/Corica-A Type: Visual Basic Script worm Date: 25 September 2002 At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Description VBS/Corica-A is a VBScript worm that sets the following registry entry so that any attempt to be edit a file with a VBS extension using the default option of Notepad.exe will display the file C:\Windows\Microsoft.txt: HKLM\Software\Classes\VBSfile\Shell\Edit\Command = C:\Windows\notepad.exe %C:\Windows\Microsoft.txt Microsoft.txt contains nothing but a nonsense of dots and dashes and is created by VBS/Corica-A. The worm sets the Internet Explorer start page to http://www.latingua.com and modifies the Windows Desktop wallpaper so that a large red, white and blue banner displaying the message "Costa Rica, es un pais libre y democratico." appears in the centre of the screen and the message "Viva Costa Rica!" scrolls along the bottom of the screen in red text. VBS/Corica-A copies itself to C:\Windows\Microsoft.vbs and creates a shortcut in the current folder, called Microsoft.Lnk, to run this VBS file. VBS/Corica-A attempts to email itself to all contacts in the Outlook address book. The email will have one of the following two sets of characteristics: Subject: Hi Message body: Please open the attachment is very important. Attached file: Microsoft.vbs or Subject: Hola Message body: Aqui te mando un anexo muy importante que lo abras. Attached file: Microsoft.vbs VBS/Corica-A also sets the following registry entry: HKCU\AutoSetup\Land = "Costa Rica" More information about VBS/Corica-A can be found at http://www.sophos.com/virusinfo/analyses/vbscoricaa.html