Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » VBS/VBSWG.K@mm.Worm

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload
Detection files published 13 Feb 2001 03:00:00
Description created 22 Feb 2001 03:00:00
Description updated 22 Feb 2001 03:00:00
Malware type WORM
Alias
Spreading mechanism EMAIL
IRC
Summary None

VBS/VBSWG.K@mm.Worm

Spreading

The worm uses MS Outlook to spread itself. If the user opens the attachment, the worm will send itself to all addresses in all address books in Outlook. The mass mail routine will normally be executed only once. To keep track on that the worm will create a registry key HKCU\software\mailed and set this to 1 the first time its mass mail routine is executed. This indicates that the mass mail routine has already been executed, and if a new infected file is executed at the same machine the mass mail routine will not be executed again.

If mIRC is installed to either c:\mirc or c:\mirc32 the worm will create a script.ini file to auto send the infected file Neue Tarife.txt.vbs to all channels that the infected user joins. It will also check if pIRCH is installed to either c:\pirch or c:\pirch32, and if it is, the worm drops an events.ini file that do the same as script.ini

These actions are also performed only once as the worm creates a Registry key if one of these folders is found and a script file is dropped. The two Registry keys used to check this are respectively:

 
HKCU\software\Mirqued
HKCU\software\pirched

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11