Name: VBS/Chick-C Aliases: I-Worm.Brit.c, VBS.Chick.C@mm Type: Visual Basic Script worm Date: 16 April 2002 At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Description: VBS/Chick-C is a Visual Basic Script worm very similar to VBS/Britney-A. VBS/Chick-C spreads via both Microsoft Outlook and IRC networks. The worm copies itself to SHAKIRA.CHM in the Windows folder and then emails itself to the first address in the Outlook address list. The email will have the following characteristics: Subject line: Nuevo video de SHAKIRA! Message text: Hola He visto el nuevo video de Shakira y me he enamorado de ella. Esta hermosa mujer es hermosa, es impactante me ha hecho suspirar y quiero que igual que yo compartas esta emocion. Disfrutalo. <Username> Attached file: SHAKIRA.CHM The worm requires ActiveX to be enabled for the VBScript to run and so it prompts the user to enable ActiveX with the message "Permite Active X para ver el nuevo video de SHAKIRA". VBS/Chick-A searches drives C:, D: and E: for the presence of a file called MIRC.INI. If it finds a file of this name then the worm creates a SCRIPT.INI file which will then attempt to send copies of the files to other IRC users. SCRIPT.INI will be detected by Sophos Anti-Virus as mIRC/Simp-Fam. Read the analysis at http://www.sophos.com/virusinfo/analyses/vbschickc.html