Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published:
Description created: 15 Oct 2000 03:00:00
Description updated: 15 Jan 2002 03:31:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, IRC, NETWORK
Summary: None

VBS/Tune.A/B@mm

Spreading

VBS/Tune.A@mm.Worm is a Visual Basic Script worm that uses MS Outlook, shared network drives, and IRC to propagate itself.

It modifies the following Registry keys to ensure that it is run when the computer is booted (lines are wrapped for readability):


HKCU\Software\Microsoft\Windows\CurrentVersion
\Run\ScanRegistry, C:\[WindowsFolder]\TUNE.VBS
HKCU\Software\Microsoft\Windows\CurrentVersion
\Run\TaskMonitor, C:\[SystemFolder]\TUNE.VBS

It further inserts the following Registry key when the mass mailing routine is run the first time:



HKCU\Software\Microsoft\Windows\CurrentVersion\Sent?, "1"

VBS/Tune uses MS Outlook to send itself to all entries in all address lists. Before spreading through MS Outlook, it checks a Registry key to see whether it has already mass-mailed itself from this machine. The mass-mail routine is executed only once on each infected machine.


Infected files

TUNE.VBS will be dropped to the local Windows folder, System folder, and Temporary folder. The worm will also check all fixed or network drives from A to Z and copy TUNE.VBS to the root folder of every drive found.

If mIRC or pirch is installed in its default folder (c:\mirc and c:\pirch98), the worm will overwrite their .ini files, script.ini and events.ini respectively. Events.ini will be modified to send the message "Hi there" and DCC the file c:\windows\tune.vbs to everyone joining a channel that the affected user is on. Script.ini will be modified to DCC the same file (c:\windows\tune.vbs). Note that these .ini files will be overwritten only if the IRC client applications are installed in their default folders.
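The indicators described in this section can be checked against data collected from a host. The following is an added example, not Lumension's code or part of the original description. It assumes the Run key is supplied as `reg query` text output and the files as a plain path listing; the function names and all sample inputs are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
RUN_VALUE_NAMES = {"scanregistry", "taskmonitor"}
DROPPED_NAME = "tune.vbs"
IRC_INIS = {r"c:\mirc\script.ini", r"c:\pirch98\events.ini"}
# Assumed input format: `reg query` text output (columns separated by 4 spaces).
REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def scan_run_key(reg_text):
    """Return (value name, target, note) for Run values pointing at TUNE.VBS."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        target = m["data"].strip().strip('"')
        if PureWindowsPath(target).name.lower() == DROPPED_NAME:
            known = m["name"].lower() in RUN_VALUE_NAMES
            hits.append((m["name"], target, "listed-name" if known else "other-name"))
    return hits

def scan_files(paths):
    """Return (path, location) for every TUNE.VBS copy in a file listing."""
    hits = []
    for p in map(PureWindowsPath, paths):
        if p.name.lower() == DROPPED_NAME:
            # parts == (anchor, filename) means the copy sits in a drive or share root
            hits.append((str(p), "drive-root" if len(p.parts) == 2 else "folder"))
    return hits

def scan_irc_inis(ini_contents):
    """Return default-path IRC ini files whose text references the dropped script."""
    return sorted(path for path, text in ini_contents.items()
                  if path.lower() in IRC_INIS and DROPPED_NAME in text.lower())

# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    ScanRegistry    REG_SZ    C:\WINDOWS\TUNE.VBS",
    r"    TaskMonitor    REG_SZ    C:\WINDOWS\SYSTEM\TUNE.VBS",
    r'    Updater    REG_SZ    "C:\Program Files\App\update.exe" /q',
])
SAMPLE_FILES = [r"C:\TUNE.VBS", r"D:\TUNE.VBS", r"C:\WINDOWS\TEMP\tune.vbs", r"C:\docs\notes.txt"]
SAMPLE_INIS = {r"c:\mirc\script.ini": r"; constructed placeholder: c:\windows\tune.vbs",
               r"c:\pirch98\events.ini": "; constructed placeholder: clean file"}

if __name__ == "__main__":
    print(scan_run_key(SAMPLE_REG), scan_files(SAMPLE_FILES), scan_irc_inis(SAMPLE_INIS))
```

A Run value that points at TUNE.VBS under a name other than the two listed above is still reported, tagged `other-name`, so a renamed value is not missed.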

Payload Details

n/a

Analysis

n/a

Removal

The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:14