Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Virus
Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.Read more
Platform: MSWord
Microsoft Word (MS Word) is a popular word processor and part of Microsoft Office. Microsoft Word files have a .doc or .docx extension.Description
Technical Details
This macro-virus contains one macro that has different auto-names in infected documents ("Document_Open") and in the global macros area (NORMAL.DOT - "Document_Close"). As a result, the virus activates upon document opening and closing. It infects the global macros area upon infected document opening, and spreads to other documents upon closing.
While infecting, the virus also disables the Word macro virus protection (Virus Warning), as well as disables the Word menus: "Tools/Macro", "Tools/Customize...", "View/Toolbars", "View/Status Bar".
The virus has a comment line that is used by the virus to separate infected and uninfected documents. This text appears as follows:
Jack-In-The-Box
The virus has worm ability and spreads its copy via IRC channels. To do this, the virus-worm looks for the mIRC client installed in a system, and creates a new SCRIPT.INI file there. The virus looks for the mIRC client in only one directory, C:MIRC, and fails to infect the mIRC in the case when it is installed in any other directory. While infecting the mIRC client, the virus also disables its security warning messages. To spread itself via IRC channels, the virus sends the infected document C:WINDOWSSTORY.DOC that is created by the virus when it infects a system. The virus simply saves the current (infected) document there.
The virus' script file contains a set of mIRC commands (about 4.5Kb of mIRC instructions) that perform many functions, including spreading via channels, displaying messages, sending spam messages and hiding itself.
The virus sends its copy (the STORY.DOC document) in three instances:
instance 1. Upon receiving any file from any person via IRC, the virus script immediately sends back the infected STORY.DOC file.
instance 2. The virus uses the mIRC's notify list. The notification list in the mIRC client contains a list of nicks, and in the case that any of these nicks appears on the net, the current client is informed of this (receives notification). In the case that an affected mIRC client is notified about such a person, the virus performs the following: removes this nick from the notification list; ignores all messages from this nick; and in 5 seconds, sends a message, which in turn is followed 15 seconds later by a copy of the virus (infected Word document - C:WINDOWSSTORY.DOC). The message that is sent to the nick appears as follows:
Hey, I can't talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus
instance 3. Upon receiving the "Invite" command from any nick, the virus script, within 10 seconds, joins this channel and then sends the message to this person followed by the same infected STORY.DOC file:
Thanks for the invite I'm a little busy so I can't talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them.
The virus also seems to inform its author about its activity. Upon connecting to the mIRC server, the virus adds a "SimpleSmn" nick to the notification list - the affected mIRC will be notified if such a nick appears in the IRC net. The infected mIRC client then detects when a person with a "SimpleSmn" nick appears in the IRC net. In this case, the virus informs this person with the message "I'm on irc.", so the virus informs its author about infected computers online.
Upon a "Notice" command from the "Simplicity" nick, the virus then opens the C: drive on the infected computer as a file server (with full access), so the virus has Backdoor ability.
Upon connecting to IRC server, the virus hides its script and restores it upon disconnecting: upon connecting, it copies SCRIPT.INI from the C:MIRC directory to the C:WINDOWSSCRIPT1.INI file, reloads it into the mIRC client, and then erases the C:MIRCSCRIPT.INI contents. Upon disconnecting, the virus copies the C:WINDOWSSCRIPT1.INI back to C:MIRCSCRIPT.INI and erases the C:WINDOWSSCRIPT1.INI file.
In case the affected client enters a channel that has "help" or "nohack" sub-strings in the channel name, the virus script immediately exits this channel.
The virus disables any messages from any user on a channel, if s/he sends a message that has any of the following strings:
script worm virus infect Jack Box macro Story.doc
If an infected client enters a custom IRC command "/BY" (added by script), the virus displays the text:
Mirc Worm Jack-In-The-Box By SimpleSimon
If the texts are "Hi", "!", "Hey", or "Hello", the virus opens one of the anti-viruses and other Internet addresses that have a mail server with open public relay ability:
mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com, drsolomon.com, www.bocklabs.wisc.edu, ebay.com
and looks for the SendMail system allowed on there. If it is available, the virus, using this e-mail server, sends spam messages with the following fields:
mail from: Addr1@Addr2.com rcpt to: Addr3 to: Addr3 from: Addr1@Addr2.com Subject: RndText Message body: Jack-In-The-Box Has Popped Up Again!
where Addr1 and Addr2 are randomly generated text strings up to eight letters of size, RndText is randomly generated text up to 50 symbols of the length, and Addr3 is randomly selected from the list:
evrt@avp.com samples@datafellows.com virus_research@nai.com tech_support@nai.com
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com