New Virus --> VBS/Britney-A

javacool · Feb 28, 2002

Check out the details at silicon.com here:
http://www.silicon.com/public/door?REQUNIQ=1014930316&6004REQEVENT=&REQINT1=51686

javacool · Feb 28, 2002

Quote from the article:

Worm Warning: Britney pics carry a nasty surprise

A virus named after teen pop sensation Britney Spears has been discovered by anti-virus experts.

The worm, called VBS/Britney-A spreads via both Microsoft Outlook and Internet Relay Chat (IRC) networks and it emails itself to all addresses in the Outlook address list.

The virus arrives with a subject line "RE: Britney Pics" and has the following body text: "Take a look at these pics..." The worm requires ActiveX to be enabled for the VBS script to run so it tries to get the user to enable it with a message: "Enable ActiveX To See Britny Pictures".
Virus experts say despite the appealing nature of its purported contents, it's unlikely to cause any serious damage to corporate networks.

Sophos anti-virus said: "The worm looks at different directories on C:, D:, and E: for a file called MIRC.INI. If it is found, the worm drops a file called SCRIPT.INI which will help it spread via IRC. It also drops a copy of itself in the Windows directory as the file BRITNEY.CHM."

Graham Cluley, technical specialist at Sophos said Britney is not a serious outbreak: "We haven't seen it in the wild yet, but obviously a virus named Britney will attract a degree of attention so we are going to alert our customers."
Click to expand...

javacool · Feb 28, 2002

In other recent news, virus researchers indicate it MAY ACTUALLY be a BAD idea to open e-mails claiming "open me - free pictures if you enable a very unsafe part of your operating system".

javacool · Feb 28, 2002

Sophos virus article:

(from here: http://www.sophos.com/virusinfo/articles/britney.html

Britney fears: virus could drive you crazy, warns Sophos

Sophos, a world leader in corporate anti-virus protection, is today warning users about a new worm that can spread by clicking on an attachment pretending to be photographs of teen pop princess Britney Spears.

VBS/Britney-A arrives in the victim's inbox with the subject line "RE:Britney Pics", body text "Take a look at these pics..." and attachment "BRITNEY.CHM." When executed, the file displays a message similar to "Enable ActiveX To See Britny Pictures" (sic) before infecting the hard drive and sending itself to all addresses in the Outlook address book. The worm also attempts to distribute itself via Internet Relay Chat.

"Britney has joined the ranks of glamorous, highly attractive people to have viruses written about them," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "Previous stars to receive this treatment include Anna Kournikova and Jennifer Lopez."

"Britney is a very popular celebrity and many computer users - from teenyboppers to fascinated fathers - would be interested in seeing photos of her," Cluley continued. "Users should remember basic safe computing rules and not be coaxed into opening any unsolicited email attachments."

As yet, Sophos has only received one report of this worm in the wild, but in view of Britney's fame, the company is nonetheless encouraging users to be vigilant.
Click to expand...

javacool · Feb 28, 2002

Sophos virus bulletin:

VBS/Britney-A
Aliases
VBS/Breetnee, VBS/BritneyPic@MM, worm/BritneyPic

Type
Visual Basic Script worm

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2002 (3.56) release of Sophos Anti-Virus.

At the time of writing Sophos has received just one report of this worm from the wild.

Description
VBS/Britney-A is a mass-mailing worm which spreads via both Microsoft Outlook and IRC networks. The worm copies itself to BRITNEY.CHM in the Windows folder and then emails itself to all addresses in the Outlook address list. The emails will have the following characteristics:

Subject Line: RE: Britney Pics
Body Text: Take a look at these pics ...
Attachment: BRITNEY.CHM

http://www.sophos.com/images/viruses/britney-a-2_450.gif

The worm requires ActiveX to be enabled for the VBS to run and so it prompts the user to enable ActiveX with the message "Enable ActiveX To See Britny Pictures".

http://www.sophos.com/images/viruses/britney-a-1_450.gif

VBS/Britney-A searches the C:, D: and E: drives for the presence of a file called MIRC.INI. If it finds a file of this name then the worm creates a SCRIPT.INI file which will then attempt to send copies of the files to other IRC users.

SCRIPT.INI will be detected by Sophos Anti-Virus as mIRC/Simp-Fam.
Click to expand...

FanJ · Feb 28, 2002

VBS/Britney-A

Name: VBS/Britney-A
Aliases: VBS/Breetnee, VBS/BritneyPic@MM, worm/BritneyPic
Type: Visual Basic Script worm
Date: 28 February 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

VBS/Britney-A is a mass-mailing worm which spreads via both Microsoft Outlook and IRC networks. It copies itself to BRITNEY.CHM in the Windows folder and then emails itself to all addresses in the Outlook address list. The emails will have the following characteristics:

Subject Line: RE: Britney Pics
Body Text: Take a look at these pics ...
Attachment: BRITNEY.CHM

The worm requires ActiveX to be enabled for the VBS to run and so it prompts the user to enable ActiveX with the message "Enable ActiveX To See Britny Pictures".

VBS/Britney-A searches the C:, D: and E: drives for the presence of a file called MIRC.INI. If it finds a file of this name then the worm creates a SCRIPT.INI file which will then attempt to send copies of the files to other IRC users.

SCRIPT.INI will be detected by Sophos Anti-Virus as
mIRC/Simp-Fam.

Read the analysis at
http://www.sophos.com/virusinfo/analyses/vbsbritneya.html

javacool · Feb 28, 2002

Wow...same post, same time.

Scary...

UNICRON · Feb 28, 2002

Well I sure feel educated after reading all that! A simple link may have sufficed but nevertheless, as a "fascinated father" myself, I'm glad to have this advanced warning.

FanJ · Feb 28, 2002

Hey JC,

Yep, same time
I just wanted to delete my posting after I saw yours, but was too late
Thanks for posting Javacool

Technodrome · Feb 28, 2002

My friend got it!!!! He didn't open it (lucky he, ha). What concerns me is the fact that NOD32 doesn’t detect it (He has NOD32 for AV protection).

I told him that Eest will probably have update tomorrow or day after tomorrow... Isn't little late

Technodrome

Paul Wilders · Feb 28, 2002

Hi TD,

What concerns me is the fact that NOD32 doesn't detect it
Click to expand...

Eset/Nod32 does have a copy.

regards.

paul

Checkout · Mar 1, 2002

My system is, and always has been, completely, 100% immune from viruses like the above. What software do I use to gain this protection? None. I simply couldn't give a sh*t about Britney so I'd never get past the subject line.

Jooske · Mar 1, 2002

Hi all,
Excuse my ignorance, as i did not follow the developments of NOD32, which i thought to be about the best AV program, so why would it be supposed to catch worms?
As it's a VBS i'd suppose it will be stopped from running by your worm or vbs blocker/protection as well.
Just a question, not interested in Britney either.

Technodrome · Mar 1, 2002

Hi TD,

Eset/Nod32 does have a copy.

regards.

paul
Click to expand...

Hi Paul

I think it's covered by today’s release. (As I thought)

Technodrome

Log in or Sign up

New Virus --> VBS/Britney-A

javacool BrightFort Moderator

javacool BrightFort Moderator

javacool BrightFort Moderator

javacool BrightFort Moderator

javacool BrightFort Moderator

FanJ Guest

javacool BrightFort Moderator

UNICRON Technical Expert

FanJ Guest

Technodrome Security Expert

Paul Wilders Administrator

Checkout Security Rhinoceros

Jooske Registered Member

Technodrome Security Expert