Email-Worm.VBS.Scrapworm

Class Email-Worm
Platform VBS
Description

Technical Details

This is the Internet worm that was found in the wild in the middle of June 2000. The worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to addresses that are randomly selected from MS Outlook Address Book.

The worm is written in the scripting language “Visual Basic Script” (VBS). It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default. To
spread itself, the worm accesses MS Outlook and uses its functions and address lists. That is available in Outlook 98/2000 only, so the worm is able to spread only in case one of these MS Oulook versions is installed.

When run, the worm sends its copies via e-mail, installs itself into the system and copies itself to network drives. The worm also has the ability to spread through mIRC channels.

The worm contains a “copyright” string:

‘MIRC/NETWORK/OUTLOOK/PIRCH.ShellScrapWorm by SimpleSimon / Zulu

Spreading

The worm arrives to a computer as an e-mail message with an attached SHS file that is a scrap package with a worm inside. The message subject may be different, and it is combined from three sets of strings:

“Fw: “, “”
“Life stages”, “Funny”, “Jokes”
” text”, “”

Examples:

Fw: Jokes
Life stages
Funny text

The message body may be empty or one of these is present:

> The male and female stages of life.
> The male and female stages of life. Bye.

The message has the attached file “LIFE_STAGES.TXT.SHS” that contain worm inside.

Depending on system settings, the real extension of the attached file (“.SHS”) may not be shown. In this case, the filename of the attached file is displayed as “LIFE_STAGES.TXT”.

Being activated by a user (by double-clicking on the attached file), the scrap package (SHS-file) activates its content. As soon as the attached file contains the VBS file inside, containing a Visual Basic Script program, this file is executed and the worm’s script gains control.

The worm creates a text file in the temporary directory and displays it using the text editor. The file content is:

– The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn’t set back my therapy.
48 I didn’t have to meet her kids.
66 Got home alive.

– The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.

After that, the worm opens MS Outlook, gains access to the Address Book, obtains a hundred random addresses from each address list and sends messages with its attached copy to all of them. The message subject, body and attached file
name are the same as the abovementioned.

The worm also installs itself into the system. It creates its copies in Windows directories with the names:

in Windows directory: LIFE_STAGES.TXT.SHS
in Windows system directory: MSINFO16.TLB
in Recicle bin: MSRCYCLD.DAT

Then the worm creates its copies with random names in root directories of all local hard drives and also in the “Programs” and “My Documents” folders. If a Windows startup folder exists on the network drive, the worm copies itself there.

The worm also drops files:

in the Windows system directory: SCANREG.VBS

– this file worm registers in the system registry in the auto-run section to be executed upon each Windows startup:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesScanReg = “WSCRIPT.EXE SCANREG.VBS”

– the worm creates a copy of this file in the Recycle bin:

RCYCLDBN.DAT

in the Windows directory: DBINDEX.VBS

– this file worm registers in the system registry in the ICQ section to be executed upon each ICQ startup:

HKEY_USERS.DEFAULTSoftwareMirabilisICQAgentAppsICQEnable = “Yes”
HKEY_USERS.DEFAULTSoftwareMirabilisICQAgentAppsICQParameters = “C:RECYCLEDDBINDEX.VBS”
HKEY_USERS.DEFAULTSoftwareMirabilisICQAgentAppsICQPath = “WSCRIPT.EXE”
HKEY_USERS.DEFAULTSoftwareMirabilisICQAgentAppsICQStartup = “C:WINDOWS”

– the worm creates copy of this file in Windows system directory:

VBASET.OLB

As a result, the worm is re-activated each time Windows boots up or ICQ starts.

Spreading to IRC channels

The worm scans local drives and looks for an MIRC.INI file. In case this file is found in a subdirectory, the worm drops a SOUND32B.DLL file there. This file contains mIRC instructions that send a worm copy (LIFE_STAGES.TXT.SHS
file) to all users that join the infected IRC channel. In MIRC.INI, the file worm adds the reference to SOUND32B.DLL into the “rfiles” section.

Other

The worm moves the REGEDIT.EXE program into the Recycle bin with the name RECYCLED.VXD.