Email-Worm.VBS.DragonBall

Class Email-Worm
Platform VBS
Description

Technical Details

This Internet worm spreads via e-mail messages using MS Outlook and IRC, and is written in VBS. The worm doesn’t work correctly, because it contains a few fatal errors.

When the script is run, it creates self-copies in the system directories:

C:WindowsWinsock.vbs
C:WindowsSysdir.vbs
C:WindowsSystemmillioner.vbs
C:WindowsSystemDragonBall.vbs
C:WindowsSystemDragonBall.cab

Also it creates three scripts in IRC directory:

C:mIRCmirc.ini
C:mIRCscript.ini
C:mIRCupdate.ini

The IRC scripts are needed for spreading via the IRC channel. As directories named “C:Windows” and “C:mIRC” hard register in worm’s body, it can’t execute these operations if the operation system and IRC installed in different directories.

After this, the worm changes some keys in the system registry and WIN.INI file. This creates two keys in the registry:

[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
“winsock2.0″=”C:\Windows\winsock.vbs”

[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
“sysup”=”C:\Windows\sysdir.vbs”

and changes the value of the two keys in the WIN.INI file:

[windows]
load=C:WindowsSystemDragonBall.vbs
run=C:WindowsSystemmillioner.vbs

In this way, the worm always will be run when the operation system is started. In addition to this, the worm changes another two keys in the system registry

[HKLMSoftwareMicrosoftWindowsCurrentVersion]
“RegisteredOwner”=”Dragon Ball Z by YuP”

[HKCUSoftwareMicrosoftInternet ExplorerMain]
“Start Page”=”http://bdball.metropoli2000.net/fotos/imagenes/sagas/foto7_40.jpg”

Then the worm activates a spread procedure, opening the MS Outlook address book, and for each address, creating the following message:

Subject: Hello ;]
Body: Hi , check out this game that j sent you (funny game from the net:]).
Attach: dragonball.vbs

The worm contains errors, and this procedure can’t work correctly. So, the worm can’t spreads via e-mail.

In conclusion, the worm displays the following dialogue box:

Dragon Ball Z by YuP
 Thank you,and bye bye DragonWorld!!!
 [ OK ]

When a user closes this box, the worm removes keyboard and mouse functions, and the runs MediaPlayer with a file from the Internet:

http://bdball.metropoli2000.net/mmedia/videos/clips/dballz/gokuhss1.mpg

and changes AUTOEXEC.BAT, inserting the strings:

@ECHO ON
ECHO DraGon Ball [Z] by YuP
ECHO Thank you and bye bye dragon world!!