Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published: 30 May 2000 03:00:00
Description created: 30 May 2000 03:00:00
Description updated: 26 Nov 2002 04:13:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, IRC
Summary: None

VBS/Fireburn@mm

Spreading

The attachment is an infected VBScript whose file name is chosen randomly from eight names that suggest pornographic content.

When an infected file is opened on a computer that supports WSH, it tries to send itself in an email with all entries in MS Outlook's address book in the BCC field.

It checks whether the program directory is 'C:\Programme'. If it is, the worm assumes that the user's language is German and composes the email message in German; otherwise the email is composed in English (for subject, body and attachment, see above).

The German version of the email is:

Subject: Moin, alles klar?

Body:
Hi, wie get's dir?
Guch dir mal da Photo im Anhang an, ist echt geil ;)
Bye, bis dann..

After the email is sent, it is deleted from the Sent folder so that the user does not become suspicious.

If mIRC is installed in either 'C:\mirc' or 'C:\[progdir]\mirc', the worm creates a script.ini file that sends the worm to any user who joins the same channel as the infected user, or who even mentions the word "sex" in that channel. It also uses the well-known IRC worm trick of auto-ignoring other users who mention the words "script", "virus", and "worm".

The virus will place a copy of itself in the Windows folder with the filename rundll32.vbs. It also modifies two entries in the Registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msrundll32, "rundll32.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegistredOwner, "FireburN"
 

Payload Details

If the date is 20 June it will display the following message box:

(Image not available)


When the 'OK' button is pressed, the Registry is modified so that the mouse and keyboard are disabled the next time Windows starts.

Analysis

n/a

Removal

The two Registry keys inserted by the worm have to be deleted manually. Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.
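
Before deleting anything by hand, the artifacts named in this description can be listed with a read-only check. The PowerShell below is an added example, not part of the original description or any vendor tool; the function name Get-FireburnArtifact is hypothetical, and the page's [progdir] is assumed to be the Program Files directory.

```powershell
# Added example: read-only check for the VBS/Fireburn@mm artifacts described above.
function Get-FireburnArtifact {
    $cv = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
    $findings = @()

    # Autostart value "Msrundll32" under the Run key.
    $run = Get-ItemProperty -Path "$cv\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Msrundll32']) {
        $findings += [pscustomobject]@{
            Type = 'Run value'; Location = "$cv\Run"; Detail = "Msrundll32 = $($run.Msrundll32)"
        }
    }

    # Any string value directly under CurrentVersion whose data is "FireburN".
    # Matching on the data avoids depending on the exact value name.
    $props = Get-ItemProperty -Path $cv -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -eq 'FireburN') {
                $findings += [pscustomobject]@{
                    Type = 'Owner value'; Location = $cv; Detail = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # Copy of the worm in the Windows folder.
    $copy = Join-Path $env:windir 'rundll32.vbs'
    if (Test-Path -LiteralPath $copy) {
        $findings += [pscustomobject]@{ Type = 'Dropped file'; Location = $copy; Detail = 'rundll32.vbs present' }
    }

    # mIRC script.ini in the two locations the worm looks at. Assumption: the
    # page's [progdir] is taken to be $env:ProgramFiles. Review the file by hand.
    foreach ($dir in 'C:\mirc', (Join-Path $env:ProgramFiles 'mirc')) {
        $ini = Join-Path $dir 'script.ini'
        if (Test-Path -LiteralPath $ini) {
            $findings += [pscustomobject]@{ Type = 'mIRC script'; Location = $ini; Detail = 'script.ini present, review contents' }
        }
    }
    $findings
}

Get-FireburnArtifact | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found; a script.ini hit only flags the file for review, since the check does not inspect its contents.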


Last Updated: 12 Nov 2015 11:06:10