Email-Worm.VBS.Lucky

Class Email-Worm
Platform VBS
Description

Technical Details

This is a family of Internet worm that spread via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook and send themselves to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as
many addresses are maintained in the MS Outlook contacts list.

There are two worm variants known. Both have bugs in their code and are not able to spread, but these bugs can be easily fixed by a hacker.

The worms are written in the scripting language “Visual Basic Script” (VBS), and they work only on computers on which the Windows Scripting Host (WSH) is installed. In Windwos 98 and Windows 2000, WHS is installed
by default. To spread, the worms access MS Outlook and use its functions and address lists. This is available in Outlook 98/2000 only, so the worms are able to spread only when one of these MS Oulook versions is installed.

Spreading

The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:

The Subject: Prinz Charles Are Die
Message body: The newest Message for Cool User’s.
Lucky2000
Attached file name: COOL_NOTEPAD_DEMO.TXT.vbs

Depending on system settings, real extension of an attached file (“.vbs”) may not be shown. In this case, the filename of the attached file is displayed as “COOL_NOTEPAD_DEMO.TXT”.

Upon being activated by a user (by double clicking on the attached file), the worm dispalys the following message:

eXposed
eXposed is being installed

Then it creates a shortcut on the desktop to a PIF-file that exits Windows. The worm sets a shortcut icon to a non-existing file, so the shortcut has a standard icon – a windows flag with white background. After this, the worm displays the following message:

CLICK THE BLUE BOTTLE ICON ON THE DESKTOP OR YOUR HARD DRIVE WILL BE LOST!
eXposed IS A VIRUS IT WILL DAMAGE YOUR COMPUTER

Then the worm begins speading – it opens MS Outlook, gets access to the Address Book, gets all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.

The worm also installs itself into the system. It creates its copy in the Windows directory with the “Prinz_Charles_Are_Die.TXT.vbs” name:

This file is then registered in the Windows auto-run section in the system registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunPrinz_Charles_Are_Die = Prinz_Charles.Are.Die.TXT.vbs

As a result the worm is re-activated each time Windows boots up.

Other variants

The worm itself is a text script program, and it is spread in text source form. The worm’s code may be easily modified by hackers, and as a result, there are many variants of the worm that may have appeared. Usually only minor changes are
made.

I-Worm.Lucky.b

This worm variant is very close to the first one. Upon being activated, it displays other messages:

Price
Price are here

and:

CLICK THE BLUE BOTTLE ICON ON THE DESKTOP AND YOU WIN ONE MILLION DOLLAR !!!

The infected message contains:

The Subject: Won_a_Price
Message body: One Million Dollar for you.
Lucky2000
Attached file name: Won_a_Price.TXT.vbs