VBS/Chick-C

Name: VBS/Chick-C
Aliases: I-Worm.Brit.c, VBS.Chick.C@mm
Type: Visual Basic Script worm
Date: 16 April 2002

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

Description:

VBS/Chick-C is a Visual Basic Script worm very similar to
VBS/Britney-A.

VBS/Chick-C spreads via both Microsoft Outlook and IRC networks.

The worm copies itself to SHAKIRA.CHM in the Windows folder and
then emails itself to the first address in the Outlook address
list.

The email will have the following characteristics:

Subject line:
Nuevo video de SHAKIRA!

Message text:
Hola
He visto el nuevo video de Shakira
y me he enamorado de ella.
Esta hermosa mujer es hermosa, es impactante
me ha hecho suspirar y quiero que
igual que yo compartas esta emocion.
Disfrutalo.
<Username>

Attached file:
SHAKIRA.CHM

The worm requires ActiveX to be enabled for the VBScript to run
and so it prompts the user to enable ActiveX with the message
"Permite Active X para ver el nuevo video de SHAKIRA".

VBS/Chick-A searches drives C:, D: and E: for the presence of a
file called MIRC.INI. If it finds a file of this name then the
worm creates a SCRIPT.INI file which will then attempt to send
copies of the files to other IRC users.

SCRIPT.INI will be detected by Sophos Anti-Virus as
mIRC/Simp-Fam.


Read the analysis at
http://www.sophos.com/virusinfo/analyses/vbschickc.html