Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload:
Detection files published: 05 Apr 2001 03:00:00
Description created: 05 Apr 2001 03:00:00
Description updated: 05 Apr 2001 03:00:00
Malware type: VIRUS
Alias:
Spreading mechanism: EMAIL
Summary: None

VBS/Pleh.A@mm

Spreading

n/a

Payload Details

When VBS/Pleh is executed, it creates a folder called Look Here in the Windows directory and places a file called Youmustread.txt in the newly created folder, containing the text:

Hello!It so pity that i cant look at your face now,and do you know why,because your machine was infected by Lynx[RAtm].Worm.Regards from Od.

The virus then copies itself to the System directory as Kernel.vbs and to the Windows directory as help.vbs. Next, VBS/Pleh.A@mm sets the Registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\help

to point to the Help.vbs file in the Windows directory. It then tries to delete a folder below the Windows folder consisting of graphical characters, and it deletes the logos.sys file in the System directory. With a chance of 1/120, VBS/Pleh.A@mm overwrites C:\Autoexec.bat with code that tries to format the hard disk on the next boot-up. Due to errors on the author's side, the actual text written reads:

@cls@Please wait it can take only few minuts@format C:

resulting in an error message on the next boot-up. Further, the virus goes over all drives, overwriting files with the following extensions:

.mp3 .pwd .exe .mp2 .doc .avi .mpeg .htm

causing massive loss of data.

Finally the virus sends itself using Microsoft Outlook to the first 80 addresses in the address book.
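
The file-system artifacts listed above can be swept for on a drive root or mounted disk image; the following is an added example, not part of the original description or of any vendor tool. The function names, the constructed sample tree and the "System" folder location are assumptions, and the RunServices registry value is not checked.

```python
import os
import tempfile

# Names are from the description above; "System" below the Windows directory is an assumption.
ARTIFACTS = [
    ("note folder", ("Look Here",)),
    ("note file", ("Look Here", "Youmustread.txt")),
    ("worm copy in Windows directory", ("help.vbs",)),
    ("worm copy in System directory", ("System", "Kernel.vbs")),
]
# Distinctive part of the malformed Autoexec.bat text quoted above.
AUTOEXEC_MARKER = b"Please wait it can take only few minuts"
# Constructed sample tree: placeholder files only, no malware content.
SAMPLE = {"WINDOWS/Look Here/Youmustread.txt": b"", "WINDOWS/HELP.VBS": b"",
          "WINDOWS/SYSTEM/kernel.vbs": b"",
          "AUTOEXEC.BAT": b"@cls@Please wait it can take only few minuts@format C:"}

def resolve(base, parts):
    """Walk parts below base, matching each name case-insensitively."""
    path = base
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path

def sweep(drive_root, windows_dir="Windows"):
    """Return (label, path) for every artifact found below drive_root."""
    hits = [(label, p) for label, parts in ARTIFACTS
            if (p := resolve(drive_root, (windows_dir,) + parts))]
    autoexec = resolve(drive_root, ("Autoexec.bat",))
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, "rb") as fh:
            if AUTOEXEC_MARKER in fh.read():
                hits.append(("overwritten Autoexec.bat", autoexec))
    return hits

def demo():
    """Sweep the constructed sample tree and return the labels that hit."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [label for label, _ in sweep(root)]
```

Names are matched case-insensitively because the description itself refers to the same file as both help.vbs and Help.vbs.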

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10