Kaspersky Threats

Class

Platform

Description

Technical Details

This macro-virus contains one macro that has different auto-names in
infected documents (“Document_Open”) and in the global macros area (NORMAL.DOT
– “Document_Close”). As a result, the virus activates upon document opening
and closing. It infects the global macros area upon infected document
opening, and spreads to other documents upon closing.

While infecting, the virus also disables the Word macro virus protection (Virus
Warning), as well as disables the Word menus: “Tools/Macro”,
“Tools/Customize…”, “View/Toolbars”, “View/Status Bar”.

The virus has a comment line that is used by the virus to separate
infected and uninfected documents. This text appears as follows:



Jack-In-The-Box

The virus has worm ability and spreads its copy via IRC channels. To do
this, the virus-worm looks for the mIRC client installed in a system, and creates a new
SCRIPT.INI file there. The virus looks for the mIRC client in only one
directory, C:MIRC, and fails to infect the mIRC in the case when it is installed in any
other directory. While infecting the mIRC client, the virus also disables its
security warning messages. To spread itself via IRC channels, the virus
sends the infected document C:WINDOWSSTORY.DOC that is created by the virus
when it infects a system. The virus simply saves the current (infected) document there.

The virus’ script file contains a set of mIRC commands (about 4.5Kb of mIRC
instructions) that perform many functions, including spreading via
channels, displaying messages, sending spam messages and hiding itself.

The virus sends its copy (the STORY.DOC document) in three instances:

instance 1. Upon receiving any file from any person via IRC, the virus script
immediately sends back the infected STORY.DOC file.

instance 2. The virus uses the mIRC’s notify list. The notification list in the mIRC
client contains a list of nicks, and in the case that any of these nicks appears on the
net, the current client is informed of this (receives notification). In
the case that an affected mIRC client is notified about such a person, the virus performs the following: removes
this nick from the notification list; ignores all messages from this nick; and in 5
seconds, sends a message, which in turn is followed 15 seconds later by a copy of the
virus (infected Word document – C:WINDOWSSTORY.DOC). The message that is
sent to the nick appears as follows:



Hey, I can’t talk right now but I wanted to send you this file.  It has a

funny story you should read, and also has macros inside that protect you

from a lot of viruses. Just open the document, enable the macros, and if

you are infected it will get rid of the virus

instance 3. Upon receiving the “Invite” command from any nick, the virus script, within
10 seconds, joins this channel and then sends the message to this person
followed by the same infected STORY.DOC file:



Thanks for the invite

I’m a little busy so I can’t talk much now. I thought you might want to

look at this file I got. It has a funny story and also has macros in it

which get rid of any macro viruses. Just enable the macros when the

prompt comes up and it will scan for any viruses and clean them.

The virus also seems to inform its author about its activity. Upon connecting
to the mIRC server, the virus adds a “SimpleSmn” nick to the notification list – the
affected mIRC will be notified if such a nick appears in the IRC net. The
infected mIRC client then detects when a person with a “SimpleSmn” nick appears
in the IRC net. In this case, the virus informs this person with the message
“I’m on irc.”, so the virus informs its author about infected computers
online.

Upon a “Notice” command from the “Simplicity” nick, the virus then opens the C:
drive on the infected computer as a file server (with full access), so the
virus has Backdoor ability.

Upon connecting to IRC server, the virus hides its script and restores it upon
disconnecting: upon connecting, it copies SCRIPT.INI from the C:MIRC directory to the
C:WINDOWSSCRIPT1.INI file, reloads it into the mIRC client, and then
erases the C:MIRCSCRIPT.INI contents. Upon disconnecting, the virus copies the
C:WINDOWSSCRIPT1.INI back to C:MIRCSCRIPT.INI and erases the
C:WINDOWSSCRIPT1.INI file.

In case the affected client enters a channel that has “help” or “nohack”
sub-strings in the channel name, the virus script immediately exits this channel.

The virus disables any messages from any user on a channel, if s/he
sends a message that has any of the following strings:



script  worm  virus  infect  Jack Box  macro  Story.doc

If an infected client enters a custom IRC command “/BY” (added by script),
the virus displays the text:



Mirc Worm Jack-In-The-Box

By SimpleSimon

If the texts are “Hi”, “!”, “Hey”, or “Hello”, the virus opens one of the anti-viruses
and other Internet addresses that have a mail server with open public relay ability:



mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com,

drsolomon.com, www.bocklabs.wisc.edu, ebay.com

and looks for the SendMail system allowed on there. If it is available, the
virus, using this e-mail server, sends spam messages with the following fields:



mail from: Addr1@Addr2.com

rcpt to: Addr3

to: Addr3

from: Addr1@Addr2.com

Subject: RndText

Message body: Jack-In-The-Box Has Popped Up Again!

where Addr1 and Addr2 are randomly generated text strings up to eight
letters of size, RndText is randomly generated text up to 50 symbols of the
length, and Addr3 is randomly selected from the list:



evrt@avp.com

samples@datafellows.com

virus_research@nai.com

tech_support@nai.com

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSWord
Description	Technical Details This macro-virus contains one macro that has different auto-names in infected documents (“Document_Open”) and in the global macros area (NORMAL.DOT – “Document_Close”). As a result, the virus activates upon document opening and closing. It infects the global macros area upon infected document opening, and spreads to other documents upon closing. While infecting, the virus also disables the Word macro virus protection (Virus Warning), as well as disables the Word menus: “Tools/Macro”, “Tools/Customize…”, “View/Toolbars”, “View/Status Bar”. The virus has a comment line that is used by the virus to separate infected and uninfected documents. This text appears as follows: Jack-In-The-Box The virus has worm ability and spreads its copy via IRC channels. To do this, the virus-worm looks for the mIRC client installed in a system, and creates a new SCRIPT.INI file there. The virus looks for the mIRC client in only one directory, C:MIRC, and fails to infect the mIRC in the case when it is installed in any other directory. While infecting the mIRC client, the virus also disables its security warning messages. To spread itself via IRC channels, the virus sends the infected document C:WINDOWSSTORY.DOC that is created by the virus when it infects a system. The virus simply saves the current (infected) document there. The virus’ script file contains a set of mIRC commands (about 4.5Kb of mIRC instructions) that perform many functions, including spreading via channels, displaying messages, sending spam messages and hiding itself. The virus sends its copy (the STORY.DOC document) in three instances: instance 1. Upon receiving any file from any person via IRC, the virus script immediately sends back the infected STORY.DOC file. instance 2. The virus uses the mIRC’s notify list. The notification list in the mIRC client contains a list of nicks, and in the case that any of these nicks appears on the net, the current client is informed of this (receives notification). In the case that an affected mIRC client is notified about such a person, the virus performs the following: removes this nick from the notification list; ignores all messages from this nick; and in 5 seconds, sends a message, which in turn is followed 15 seconds later by a copy of the virus (infected Word document – C:WINDOWSSTORY.DOC). The message that is sent to the nick appears as follows: Hey, I can’t talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus instance 3. Upon receiving the “Invite” command from any nick, the virus script, within 10 seconds, joins this channel and then sends the message to this person followed by the same infected STORY.DOC file: Thanks for the invite I’m a little busy so I can’t talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them. The virus also seems to inform its author about its activity. Upon connecting to the mIRC server, the virus adds a “SimpleSmn” nick to the notification list – the affected mIRC will be notified if such a nick appears in the IRC net. The infected mIRC client then detects when a person with a “SimpleSmn” nick appears in the IRC net. In this case, the virus informs this person with the message “I’m on irc.”, so the virus informs its author about infected computers online. Upon a “Notice” command from the “Simplicity” nick, the virus then opens the C: drive on the infected computer as a file server (with full access), so the virus has Backdoor ability. Upon connecting to IRC server, the virus hides its script and restores it upon disconnecting: upon connecting, it copies SCRIPT.INI from the C:MIRC directory to the C:WINDOWSSCRIPT1.INI file, reloads it into the mIRC client, and then erases the C:MIRCSCRIPT.INI contents. Upon disconnecting, the virus copies the C:WINDOWSSCRIPT1.INI back to C:MIRCSCRIPT.INI and erases the C:WINDOWSSCRIPT1.INI file. In case the affected client enters a channel that has “help” or “nohack” sub-strings in the channel name, the virus script immediately exits this channel. The virus disables any messages from any user on a channel, if s/he sends a message that has any of the following strings: script worm virus infect Jack Box macro Story.doc If an infected client enters a custom IRC command “/BY” (added by script), the virus displays the text: Mirc Worm Jack-In-The-Box By SimpleSimon If the texts are “Hi”, “!”, “Hey”, or “Hello”, the virus opens one of the anti-viruses and other Internet addresses that have a mail server with open public relay ability: mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com, drsolomon.com, www.bocklabs.wisc.edu, ebay.com and looks for the SendMail system allowed on there. If it is available, the virus, using this e-mail server, sends spam messages with the following fields: mail from: Addr1@Addr2.com rcpt to: Addr3 to: Addr3 from: Addr1@Addr2.com Subject: RndText Message body: Jack-In-The-Box Has Popped Up Again! where Addr1 and Addr2 are randomly generated text strings up to eight letters of size, RndText is randomly generated text up to 50 symbols of the length, and Addr3 is randomly selected from the list: evrt@avp.com samples@datafellows.com virus_research@nai.com tech_support@nai.com
	Find out the statistics of the threats spreading in your region

Virus.MSWord.Story

Technical Details