Class | Email-Worm |
Platform | VBS |
Description |
Technical Details
This is an Internet worm that was found in the wild in the middle of June 2000. The worm spreads via e-mail by sending infected messages from affected computers. To spread, it uses MS Outlook and sends itself to addresses randomly selected from the MS Outlook Address Book. The worm is written in the scripting language “Visual Basic Script” (VBS) and works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default. To
When run, the worm sends copies of itself via e-mail, installs itself into the system and copies itself to network drives. The worm can also spread through mIRC channels. The worm contains a “copyright” string:
Spreading
The worm arrives on a computer as an e-mail message with an attached SHS file, which is a scrap package with the worm inside. The message subject varies and is combined from three sets of strings:
Examples:
The message body may be empty or one of these is present:
The message has the attached file “LIFE_STAGES.TXT.SHS”, which contains the worm. Depending on system settings, the real extension of the attached file (“.SHS”) may not be shown. In this case, the filename of the attached file is displayed as “LIFE_STAGES.TXT”. When a user activates the attachment (by double-clicking on it), the scrap package (SHS file) activates its content. Because the attached file contains a VBS file with a Visual Basic Script program, this file is executed and the worm’s script gains control. The worm creates a text file in the temporary directory and displays it using the text editor. The file content is:
After that, the worm opens MS Outlook, gains access to the Address Book, obtains a hundred random addresses from each address list and sends messages with its attached copy to all of them. The message subject, body and attached file
The worm also installs itself into the system. It creates copies of itself in Windows directories with the names:
Then the worm creates its copies with random names in root directories of all local hard drives and also in the “Programs” and “My Documents” folders. If a Windows startup folder exists on the network drive, the worm copies itself there. The worm also drops files:
As a result, the worm is re-activated each time Windows boots up or ICQ starts.
Spreading to IRC channels
The worm scans local drives and looks for an MIRC.INI file. If this file is found in a subdirectory, the worm drops a SOUND32B.DLL file there. This file contains mIRC instructions that send a worm copy (LIFE_STAGES.TXT.SHS
Other
The worm moves the REGEDIT.EXE program into the Recycle bin with the name RECYCLED.VXD. |
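A mail-gateway check for the masked-extension attachment described under Spreading, where “LIFE_STAGES.TXT.SHS” is displayed as “LIFE_STAGES.TXT”. This is an added example, not part of the original description; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Types Windows runs or unpacks on double-click; .shs is the scrap type from the page.
ACTIVE_EXTS = {".shs", ".shb", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
# Extensions a user reads as a harmless document (assumed decoy list).
DECOY_EXTS = {".txt", ".doc", ".rtf", ".jpg", ".gif", ".pdf", ".htm", ".html"}

def classify_attachment(filename):
    """Return 'masked', 'active' or 'ok' for one attachment file name."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    name = PureWindowsPath(filename.strip().rstrip(". ")).name.lower()
    suffixes = PureWindowsPath(name).suffixes
    if not suffixes or suffixes[-1] not in ACTIVE_EXTS:
        return "ok"
    # Active type hidden behind a document-looking extension, e.g. ".txt.shs".
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "masked"
    return "active"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            verdict = classify_attachment(filename)
            if verdict != "ok":
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed test message; the attachment bytes are inert placeholder text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"inert placeholder", maintype="application",
                       subtype="octet-stream", filename="LIFE_STAGES.TXT.SHS")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

A gateway would quarantine “masked” results outright and apply its normal attachment policy to “active” ones.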