VBS/Chick-C

Discussion in 'malware problems & news' started by FanJ, Apr 16, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: VBS/Chick-C
    Aliases: I-Worm.Brit.c, VBS.Chick.C@mm
    Type: Visual Basic Script worm
    Date: 16 April 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    VBS/Chick-C is a Visual Basic Script worm very similar to
    VBS/Britney-A.

    VBS/Chick-C spreads via both Microsoft Outlook and IRC networks.

    The worm copies itself to SHAKIRA.CHM in the Windows folder and
    then emails itself to the first address in the Outlook address
    list.

    The email will have the following characteristics:

    Subject line:
    Nuevo video de SHAKIRA!

    Message text:
    Hola
    He visto el nuevo video de Shakira
    y me he enamorado de ella.
    Esta hermosa mujer es hermosa, es impactante
    me ha hecho suspirar y quiero que
    igual que yo compartas esta emocion.
    Disfrutalo.
    <Username>

    Attached file:
    SHAKIRA.CHM

    The worm requires ActiveX to be enabled for the VBScript to run
    and so it prompts the user to enable ActiveX with the message
    "Permite Active X para ver el nuevo video de SHAKIRA".

    VBS/Chick-A searches drives C:, D: and E: for the presence of a
    file called MIRC.INI. If it finds a file of this name then the
    worm creates a SCRIPT.INI file which will then attempt to send
    copies of the files to other IRC users.

    SCRIPT.INI will be detected by Sophos Anti-Virus as
    mIRC/Simp-Fam.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/vbschickc.html
     
Loading...
Thread Status:
Not open for further replies.