Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: LOW
Payload: Displays message
Detection files published: 28 May 2002 03:00:00
Description created: 06 Jun 2002 07:46:00
Description updated: 06 Jun 2002 09:10:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, IRC, NETWORK
Summary: None

VBS/VBSWG.AQ@mm

Spreading

The worm is a standard massmailer.

When run, it copies itself to the Windows directory, and adds a registry entry to ensure that it is run from startup:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = wscript.exe <WindowsDir>\ShakiraPics.jpg.vbs %

It then opens Outlook and sends itself to all users in the Outlook address book. After this it looks for a mIRC installation and creates a file in the mIRC directory that directs the IRC client to send the worm on to other users on IRC. This file is generically detected by NVC as "mIRC/Gen_VBS".

It also sets the registry keys
HKCU\software\ShakiraPics\mailed
and
HKCU\software\ShakiraPics\Mirqued
so as to avoid spreading twice over mail and IRC, respectively.

After this it will traverse the local and remote drives it has access to and overwrite all *.VBS and *.VBE files with itself.
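
An added example, not part of the original description: a Python check that scans a registry export (.reg text) for the three registry indicators named above. The sample export, the C:\WINDOWS path standing in for <WindowsDir>, the value data "1" and the function names are constructed for illustration; the two ShakiraPics markers are accepted either as keys or as values, since the description does not say which.

```python
import re

# Indicators from the description above, lower-cased (registry paths are case-insensitive).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKERS = {
    r"hkey_current_user\software\shakirapics\mailed": "mail-spread marker",
    r"hkey_current_user\software\shakirapics\mirqued": "IRC-spread marker",
}
SCRIPT_NAME = "shakirapics.jpg.vbs"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):  # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data); name and data are None for the key line itself."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            yield key, name, data

def find_indicators(text):
    """Return (registry path, reason) pairs for each indicator found in the export."""
    findings = []
    for key, name, data in parse_reg_export(text):
        path = key if name is None else key + "\\" + name
        if path.lower() in MARKERS:
            findings.append((path, MARKERS[path.lower()]))
        if key.lower() == RUN_KEY and data and SCRIPT_NAME in data.lower():
            findings.append((path, "startup entry: " + data))
    return findings

# Constructed sample export (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry"="wscript.exe C:\\WINDOWS\\ShakiraPics.jpg.vbs %"
"SoundMan"="SOUNDMAN.EXE"
[HKEY_CURRENT_USER\Software\ShakiraPics]
"mailed"="1"
[HKEY_CURRENT_USER\Software\ShakiraPics\Mirqued]
'''
```
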

Payload Details

The worm displays a message after infecting:

"You have been infected by the ShakiraPics worm".

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11