Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » VBS/Ablank.A@mm

Overview

Threat Risk LOW LOW
Destructivity HIGH HIGH
Payload Formats D: drive
Detection files published 14 Nov 2001 03:00:00
Description created 15 Nov 2001 04:17:00
Description updated 15 Nov 2001 04:17:00
Malware type WORM
Alias I-Worm.Ablank
Spreading mechanism EMAIL
Summary None

VBS/Ablank.A@mm

Spreading

The worm copies itself to the Windows system folder as rundll.vbs, and to the Windows folder as best.vbs. It will also create a new about-blank.htm in the Windows directory and set the Internet Explorer start page to point to this. This has the effect that the worm's emailing routine is run every time that Internet Explorer is run. Emails containing the worm are sent to the 50 first in the Outlook Address book.

It sets the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rundll to \rundll.vbs

so that it is loaded from startup.

Payload Details

The payload is triggered if date and hour is identical; e.g. if it's 11.00h on the 11th. It will then insert a line of text into the autoexec.bat file which will cause the D: drive, if any, to be formatted on next boot.


Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11