Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published: 07 May 2000 03:00:00
Description created: 07 May 2000 03:00:00
Description updated: 07 May 2000 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: IRC
Summary: None

VBS/Fool.A-C

Spreading

VBS/Fool copies itself into the Windows Startup folder as "RunDLL.vbs", drops "MyPicture.bmp.vbs" in "C:\Windows\System", "C:\My Documents" and "C:\", and modifies the Registry to run "MyPicture.bmp.vbs" each time Windows is loaded.

It also overwrites all files with the .vbs extension in "C:\", "C:\My Documents", "C:\Windows" and "C:\Windows\Samples\wsh" with its own viral code.

VBS/Fool further overwrites "C:\mirc\script.ini" and "C:\mirc\mirc.ini" with code to "DCC" send MyPicture.bmp.vbs to other systems. This only succeeds if mIRC is installed in "c:\mirc".

VBS/Fool also drops three other files: "short.src", "fix.txt" and "lcoder.hex".

Payload Details

VBS/Fool has one payload. If an infected file is executed on 31 December, it shows the following message box.

(Image not available)

It also changes the "RegisteredOwner", "RegisteredOrganization" and "Productname" Registry values under HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\.

Finally, it overwrites "C:\Autoexec.bat" to show a message telling the user that her/his computer is not Y2K compliant.

Analysis

n/a

Removal

To remove VBS/Fool, delete all infected VBS files, particularly "C:\Windows\System\MyPicture.bmp.vbs" and "C:\Windows\Start Menu\Programs\Startup\RunDLL.VBS", which are automatically executed each time Windows is loaded. Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute. To remove this association, follow this link to see how.


Last Updated: 12 Nov 2015 11:06:11