Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 21 Nov 2000 03:00:00
Description created: 21 Nov 2000 03:00:00
Description updated: 21 Nov 2000 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

VBS/Req.A@mm.Worm

Spreading

The worm, when executed, tries to open a particular Registry key in order to obtain the PIN file of a user. This PIN file contains the access codes for the Swiss telebank UBS. If this PIN file is found, the worm attempts to send the file to three different e-mail addresses.

If the PIN file is not found, the worm adds itself to an e-mail with characteristics as mentioned above.

The worm also inserts two entries in the Windows hosts file to redirect the site names of UBS and a Swiss antivirus company to other IP addresses. These IP addresses seem not to respond.

If the PIN file has been found, the worm removes these modifications in the hosts file by simply deleting the hosts file - and it eventually deletes itself as well. Thus infected users may never know that their PIN data have been compromised.

Payload Details

n/a

Analysis

n/a

Removal

To clean up the hosts file, open it in an editor and remove the two entries ending with ubs.com and avp.ch. If for some reason (unlikely) you had these entries in the hosts file before infection, you should change them to the correct IP addresses rather than remove them.
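The hosts-file check from the Removal step, as an added example that is not part of the original description. The function names, the domain-boundary matching rule and the sample file with its documentation-range addresses are assumptions made for illustration; only the two domain suffixes come from the page.

```python
# Added example: review a hosts file for the two domains named in the Removal section.
WATCHED = ("ubs.com", "avp.ch")  # suffixes taken from the page

def _is_watched(name):
    # Assumption: match the domain itself or any subdomain, not arbitrary suffixes.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def find_redirects(hosts_text):
    """Return (line_no, ip, hostname) for every watched name mapped in the file."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        ip, names = fields[0], fields[1:]
        hits += [(no, ip, n) for n in names if _is_watched(n)]
    return hits

def strip_redirects(hosts_text):
    """Return the text with watched names removed; other names on a line are kept."""
    out = []
    for raw in hosts_text.splitlines():
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2 or not any(_is_watched(n) for n in fields[1:]):
            out.append(raw)
            continue
        keep = [n for n in fields[1:] if not _is_watched(n)]
        if keep:  # the line also maps unrelated names: keep those
            line = fields[0] + " " + " ".join(keep)
            out.append(line + (" " + sep + comment if sep else ""))
    return "\n".join(out) + "\n"

# Constructed sample; the addresses are placeholders, not the worm's values.
SAMPLE = """\
# sample hosts file
127.0.0.1 localhost
192.0.2.10 www.ubs.com   # constructed entry
192.0.2.11 www.avp.ch intranet.example
198.51.100.5 notubs.com
"""

if __name__ == "__main__":
    for no, ip, name in find_redirects(SAMPLE):
        print(f"line {no}: {name} -> {ip}")
    print(strip_redirects(SAMPLE), end="")
```

Review the output of `find_redirects` before writing the result of `strip_redirects` back: an entry that existed before infection should be corrected, not removed.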


Last Updated: 12 Nov 2015 11:06:15