Email-Worm.VBS.Potok

Class Email-Worm
Platform VBS
Description

Technical Details

This is a family of Internet worms that spreads via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook, and send themselves to addresses that are stored in the MS Outlook Address Book.

The worms are written in the scripting language “Visual Basic Script” (VBS), and they work only on computers on which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread, the worms access MS Outlook and use its functions and address lists. These are available in Outlook 98/2000 only, so the worms can spread only when one of these MS Outlook versions is installed.

The worm arrives on a computer as an e-mail message with an attached VBS file, which is the worm itself. The message in the original worm version contains:

The Subject: New Generation of drivers.

Message body:

Microsoft has published new driver
for all types Video Cards, compatible with Windows 95/98/NT/2000/XP.
You can read about it in attachment document.
Best wishes,Microsoft.

Attached file name: “driver.doc .vbs”

The file extension (“.vbs”) is separated from the rest of the name by a long run of spaces, so it sometimes is not displayed.

Depending on the system settings, the real attached-file extension (“.vbs”) may not be shown; in this case the attachment's filename is displayed as “DRIVER.DOC”.
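
The padding trick described above can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not code from the original entry: it collapses whitespace in an attachment name, reports the extension that will actually execute, and notes which decoy extension and truncated display name a recipient would see. The extension sets are constructed assumptions for the example, and the check generalises beyond the worm's exact name (it also catches unpadded double extensions and plain script attachments).

```python
"""Flag attachment names that hide a script extension behind whitespace padding.

Added example for this encyclopedia entry (not code from the original page).
The worm's attachment is "driver.doc<many spaces>.vbs": a mail client that
truncates long names shows only "driver.doc". This check collapses the padding
and reports the extension Windows will actually execute. The extension sets are
constructed for the example; adjust them to local policy.
"""
import re

# Extensions that Windows Script Host or the shell runs on double-click (constructed set).
EXECUTABLE_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
    "exe", "scr", "pif", "com", "bat", "cmd",
}

# Extensions a recipient expects to be harmless documents (constructed set).
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf", "jpg", "gif"}


def inspect_attachment_name(name):
    """Return a finding dict if `name` ends in an executable extension, else None.

    Runs of whitespace are removed before splitting, so "driver.doc      .vbs",
    "driver.doc .vbs" and "driver.doc.vbs" are all treated as the same name.
    The finding records the decoy (document) extension, if any, whether the
    name was padded, and the prefix a truncating display would show.
    """
    stripped = name.strip()
    collapsed = re.sub(r"\s+", "", stripped)
    parts = collapsed.lower().split(".")
    if len(parts) < 2:
        return None                     # no extension at all
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None                     # last extension is not something that executes
    decoy_ext = parts[-2] if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS else None
    padded = collapsed != stripped
    return {
        "name": name,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "padded": padded,
        # With padding, a truncating display shows only the text before the first gap.
        "displayed_as": stripped.split()[0] if padded else collapsed,
    }


def scan_attachments(names):
    """Apply inspect_attachment_name to every name and keep the findings."""
    return [f for f in (inspect_attachment_name(n) for n in names) if f is not None]


if __name__ == "__main__":
    # Constructed sample attachment names, including the worm's own pattern.
    sample = ["driver.doc" + " " * 60 + ".vbs", "quarterly.xlsx", "notes.txt.js", "archive.tar.gz"]
    for finding in scan_attachments(sample):
        print(f"{finding['displayed_as']!r} actually ends in .{finding['real_extension']}"
              f" (decoy: {finding['decoy_extension']}, padded: {finding['padded']})")
```

The decision is made on the collapsed, lower-cased name, so case tricks (“DRIVER.DOC .VBS”) and any amount of padding produce the same finding; the `displayed_as` field is what a user with extensions hidden would have seen.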

Upon being activated by a user (by double-clicking the attached file), the worm creates an exact copy of itself in the WINDOWS directory under the name “driver.doc .vbs”.

The worm checks whether the file system is NTFS and exits if it is not. If the file system is NTFS, the worm creates an ODBC.INI file in the WINDOWS directory and associates four additional NTFS streams with it. The streams and their contents are:

group – adds a user to the system
mail – sends a worm’s copies using Outlook
main – main part of the worm
user – adds a user to the system
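
Named NTFS streams such as these never appear in a normal directory listing, so a responder looking at WINDOWS\ODBC.INI sees an ordinary configuration file. The following added example (not code from the original entry) enumerates the streams on a file with the documented kernel32 calls FindFirstStreamW and FindNextStreamW, and separates the unnamed default stream from any named ones; the enumeration needs Windows, while the classification helpers are plain Python. The stream names used as sample input are constructed from the four names listed above.

```python
"""List the NTFS alternate data streams attached to a file.

Added example for this entry (not code from the original page): the worm
stores its components in named streams of WINDOWS\\ODBC.INI, which ordinary
directory listings never show. Enumeration uses the documented kernel32
calls FindFirstStreamW / FindNextStreamW, so it runs on Windows only; the
classification helpers are pure Python and work anywhere.
"""
import ctypes
import sys

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0                 # STREAM_INFO_LEVELS.FindStreamInfoStandard
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout documented for FindFirstStreamW: LARGE_INTEGER size, then the name."""
    _fields_ = [
        ("StreamSize", ctypes.c_longlong),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def list_streams(path):
    """Return [(stream_name, size_in_bytes), ...] for every stream on `path`.

    Names come back in the API's ":name:$DATA" form; the unnamed default
    stream (the content a normal program reads) is reported as "::$DATA".
    """
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.FindFirstStreamW.restype = ctypes.c_void_p
    kernel32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                          ctypes.POINTER(WIN32_FIND_STREAM_DATA),
                                          ctypes.c_ulong]
    kernel32.FindNextStreamW.restype = ctypes.c_int
    kernel32.FindNextStreamW.argtypes = [ctypes.c_void_p,
                                         ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    kernel32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = kernel32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD,
                                       ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not kernel32.FindNextStreamW(handle, ctypes.byref(data)):
                break                     # ERROR_HANDLE_EOF: no more streams
    finally:
        kernel32.FindClose(handle)
    return streams


def unexpected_streams(stream_names):
    """Return the named streams, i.e. everything except the default "::$DATA".

    A plain configuration file such as ODBC.INI should have none; the worm
    leaves four (group, mail, main, user).
    """
    return [name for name in stream_names if name != "::$DATA"]


def stream_label(stream_name):
    """Strip the ":...:$DATA" wrapper and return the bare stream name."""
    parts = stream_name.split(":")
    return parts[1] if len(parts) >= 3 else stream_name


if __name__ == "__main__":
    # Usage on Windows: python ads_list.py C:\WINDOWS\ODBC.INI
    target = sys.argv[1]
    found = list_streams(target)
    for name, size in found:
        print(f"{name:32} {size:>10} bytes")
    extra = unexpected_streams(n for n, _ in found)
    print("named streams:", [stream_label(n) for n in extra] or "none")
```

On Windows the same listing is available without code via PowerShell's `Get-Item -Path $env:windir\ODBC.INI -Stream *`; either way, a configuration file carrying named streams is the indicator worth alerting on, regardless of what the streams are called.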

Then the worm creates a temporary file (“go.vbs”) that assembles all parts of the worm into one file (“notepad.vbs”) and launches it.

The part of the worm launched from NOTEPAD.VBS sends its copy to the first 50 e-mail addresses in the Outlook address book. After mailing, the worm checks whether the operating system is Windows 2000 and, if it is, adds a new user named “Lord_Nikon” to the system.