Email-Worm.JS.Sigbug

Class Email-Worm
Platform JS
Description

Technical Details

This malicious program is an HTML email worm. It sends itself to all email addresses in the address book. On 31st May, the worm will disable the graphical user interface on Win9x systems. It is 1,889 bytes in size. It is written in JavaScript.

Installation

When installing, the worm copies itself to the victim machine under the following name:

C:\Recycled\stacey.htm

Payload

The worm substitutes itself for the message signature in messages sent via Outlook Express by installing the following keys:

  1. Permits the use of signatures from external files:
    [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0]
    "Signature Flags" = "3"
  2. Configures Outlook Express to use a default signature with the ID "00000000":
    [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0\signatures]
    "Default Signature" = "00000000"
  3. Installs a registry key that causes signature "00000000" to be loaded from the worm file:
    [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
    "name" = "Signature #1"
    "type" = "2"
    "text" = ""
    "file" = "C:\RECYCLED\STACEY.HTM"

The worm uses MS Outlook to send email to all addresses from the address book.

Message subject: "Check This Out!"

The message body contains the text of the following file: C:\Recycled\stacey.htm

The worm then installs a key which indicates that messages have been mailed:

[HKCU\Software\JS.Stacey]
"Mailed" = "Yup!"
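As an added example (not part of the original entry), the following Python check parses a `reg export` dump of HKCU and reports the signature-hijack pattern described above: external signatures enabled, a file-based (type 2) signature whose file is an .htm in the Recycled folder, and the worm's own marker key. The registry dump is constructed here with a placeholder identity ID; the `.reg` text format is assumed to be the standard "Windows Registry Editor Version 5.00" export.

```python
import re
# Constructed sample of a "reg export" dump containing the keys described above (placeholder identity ID).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-IDENTITY-ID}\Software\Microsoft\Outlook Express\5.0]
"Signature Flags"="3"
[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-IDENTITY-ID}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"
[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-IDENTITY-ID}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"="2"
"text"=""
"file"="C:\\RECYCLED\\STACEY.HTM"
[HKEY_CURRENT_USER\Software\JS.Stacey]
"Mailed"="Yup!"
"""
OE_KEY = re.compile(r'^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft\\Outlook Express\\5\.0$', re.I)
MARKER_KEY = r'HKEY_CURRENT_USER\Software\JS.Stacey'
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string values only, .reg escaping undone)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            name, val = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            keys[current][name] = val
    return keys
def find_sigbug_indicators(reg_text):
    """Report external signatures enabled + file-based signature in Recycled, plus the marker key."""
    reg = parse_reg(reg_text)
    findings = []
    if any(k.lower() == MARKER_KEY.lower() for k in reg):
        findings.append('marker key present: ' + MARKER_KEY)
    for key, vals in reg.items():
        if not OE_KEY.match(key) or vals.get('Signature Flags') != '3':
            continue
        sig_root = key + r'\signatures'
        default = reg.get(sig_root, {}).get('Default Signature')
        for sub, sv in reg.items():  # signature subkeys of this identity
            if not sub.lower().startswith(sig_root.lower() + '\\') or sv.get('type') != '2':
                continue
            if re.search(r'\\recycled\\[^\\]+\.htm$', sv.get('file', ''), re.I):
                sig_id = sub.rsplit('\\', 1)[-1]
                tag = ' (default signature)' if sig_id == default else ''
                findings.append(f"file-based signature {sig_id}{tag} -> {sv['file']}")
    return findings
```

On a live system the same dump is produced with `reg export HKCU dump.reg` and passed to `find_sigbug_indicators`; a clean export yields an empty list.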

Each time an infected message is opened, or Outlook Express is launched, the worm checks the current system date. On 31st May each year, it disables the graphical user interface on Win9x systems.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
2. Delete the following registry keys:

  [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0]
  "Signature Flags" = "3"

  [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0\signatures]
  "Default Signature" = "00000000"

  [HKCU\Identities\%user_ID%\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
  "name" = "Signature #1"
  "type" = "2"
  "text" = ""
  "file" = "C:\RECYCLED\STACEY.HTM"

  [HKCU\Software\JS.Stacey]

3. Delete the following file:
  C:\Recycled\stacey.htm
4. Modify the configuration of automatic signature insertion in Outlook Express.
5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).