Virus.VBS.Hard

Class Virus
Platform VBS
Description

Technical Details

This is an Internet worm written in Visual Basic Script (VBS). It spreads
using MS Outlook Express.

The worm spreads via e-mail by sending infected messages from infected
computers. While spreading, it uses MS Outlook Express to send itself to every
address stored in the Windows Address Book, so an infected computer sends one
infected message per address kept in the Windows Address Book.

It works only on computers on which the Windows Scripting Host (WSH) is
installed. In Windows 98 and Windows 2000, WSH is installed by default.

The worm arrives at a computer as an e-mail message with the attached file
"www.symantec.com.vbs", which is the worm itself. The name is chosen to look
like a web address: with the Windows default of hiding extensions of known file
types, the attachment is displayed as "www.symantec.com".

The infected message in the original worm version contains:

Subject = “FW: Symantec Anti-Virus Warning”
Body =
----- Original Message -----
From: [warning@symantec.com]
To: [supervisor@av.net]; [security@softtools.com];
[mark_fyston@storess.net]; [directorcut@ufp.com];
[pjeterov@goldenhit.org]; [kim_di_yung@freeland.ch];
[james.heart@macrosoft.com]
Subject: FW: Symantec Anti-Virus Warning


Hello,

There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how it replicates
itself.

With regards,
F. Jones
Symantec senior developer
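The message template above is stable enough to filter on at a mail gateway. The following is an added example, not code from the original description: it parses one RFC 822 message and reports the indicators listed on this page (the subject line, the attachment name "www.symantec.com.vbs", any attachment a WSH would execute, and an attachment name that mimics a hostname). It also checks the attachment body for the string "Hardhead_SatanikChild", on the assumption that an unobfuscated copy of the script contains that literal because it has to write it to the registry. The sample message is constructed here for the demonstration; its attachment is a harmless placeholder, not the worm.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description of VBS.Hard above.
WORM_SUBJECT = "FW: Symantec Anti-Virus Warning"
WORM_ATTACHMENT = "www.symantec.com.vbs"
WORM_MARKER = "Hardhead_SatanikChild"  # registry value the worm writes

# Extensions the Windows Script Host executes on double-click.
WSH_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Attachment name that reads as a hostname (e.g. "www.symantec.com.vbs"):
# a well-known TLD followed by the real, executable extension.
HOSTNAME_DISGUISE = re.compile(r"\.(com|net|org|edu|gov)\.[a-z0-9]{2,4}$")


def build_sample_message() -> bytes:
    """Constructed stand-in for an infected message (not a real capture).

    The attachment body is two comment lines that merely contain the
    marker string; it is not the worm's script.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = WORM_SUBJECT
    msg.set_content("Hello,\n\nThere is a new worm on the Net.\n")
    fake_script = (b"' placeholder for the script body\r\n"
                   b"' " + WORM_MARKER.encode() + b"\r\n")
    msg.add_attachment(fake_script, maintype="application",
                       subtype="octet-stream", filename=WORM_ATTACHMENT)
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[str]:
    """Return the VBS.Hard indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == WORM_SUBJECT.lower():
        findings.append(f"subject matches the worm's template: {subject!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        if lower == WORM_ATTACHMENT:
            findings.append(f"attachment carries the worm's file name: {name}")
        elif lower.endswith(WSH_EXTENSIONS):
            findings.append(f"attachment is a WSH-executable script: {name}")
        if HOSTNAME_DISGUISE.search(lower):
            findings.append(f"attachment name is disguised as a web address: {name}")
        body = part.get_payload(decode=True) or b""
        # Assumption: an unobfuscated copy of the script carries the literal
        # marker string, since it has to write that value to the registry.
        if WORM_MARKER.encode() in body:
            findings.append(f"attachment body contains the marker {WORM_MARKER}")

    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("-", finding)
```

The subject and file-name checks catch the original variant only; the extension and hostname-disguise checks are the ones that survive a trivial rename, and on a real gateway they are the rules worth keeping.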

Upon activation, the worm creates a fake Symantec virus information page about
the non-existent virus "VBS.AmericanHistoryX_II@mm" and displays it. It then
creates several files that are used later for spreading.

The first file, "c:\www.symantec_send.vbs", contains Visual Basic Script that
instructs MS Outlook Express to send infected messages to all of the addresses
in the Windows Address Book.

The second file, "c:\message.vbs", contains Visual Basic Script that, on
November 24th, displays the following message:

Some shocking news
Don’t look surprised!
It is only a warning about your stupidity
Take care!

The worm registers both files in the autorun section of the system registry, so
these scripts gain control on each Windows startup.

The worm also sets the fake virus information page as the Internet Explorer
start page.

To avoid spreading from the same machine twice, the worm creates the registry
key "HKLM\SOFTWARE\Microsoft\WAB\OE Done" and sets its value to
"Hardhead_SatanikChild"; if it finds this marker, it does not mail itself again.
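The host-side traces described above (the two dropped scripts in the autorun section, the start page, and the "OE Done" marker) can be confirmed from a `reg export` of the affected hives. The following is an added example, not code from the original description: a small parser for the .reg text format and a scanner that reports the page's indicators. The sample export is constructed for the demonstration; the value names under the Run key and the file name of the fake virus page are placeholders, because the description does not give them. It is an assumption that the autorun entries live under a CurrentVersion\Run* key, and that a start page pointing at a local file rather than a URL is what the worm's change looks like in the registry.

```python
import re
from typing import Iterator, Tuple

# Indicators taken from the description of VBS.Hard above.
WORM_FILES = ("www.symantec_send.vbs", "message.vbs")
WORM_MARKER = "Hardhead_SatanikChild"

# Constructed sample of a `reg export` from an infected host (not a real
# capture). Value names under Run and the fake page's file name are
# placeholders; "SystemTray" is a benign entry included for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Symantec"="wscript.exe c:\\www.symantec_send.vbs"
"Message"="wscript.exe c:\\message.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\OE Done]
@="Hardhead_SatanikChild"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="file://C:\\placeholder_fake_virus_page.html"
"""

# "name"=data  or  @=data  (the @ form is the key's default value)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Assumption: Run, RunOnce, RunServices, RunServicesOnce, RunOnceEx
AUTORUN_KEY = re.compile(r"\\currentversion\\run(services)?(once)?(ex)?$")


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for each value line in a .reg export.

    Quoted (REG_SZ) data is unescaped; hex:/dword: data is passed through raw.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        yield key, name, data


def scan_reg_export(text: str) -> list[str]:
    """Return the VBS.Hard indicators present in a .reg export."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, d = key.lower(), data.lower()
        if AUTORUN_KEY.search(k) and any(f in d for f in WORM_FILES):
            findings.append(f"autorun value {name!r} launches {data}")
        # Matches the marker whether it is the default value of an "OE Done"
        # key or a named value directly under the WAB key.
        if "\\wab" in k and WORM_MARKER in data:
            findings.append(f"infection marker under {key}: {name}={data}")
        if (k.endswith("\\internet explorer\\main") and name.lower() == "start page"
                and re.match(r"file:|[a-z]:\\", d)):
            findings.append(f"IE start page set to a local file: {data}")
    return findings


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT):
        print("-", finding)
```

On a live host, `reg export HKLM\SOFTWARE\Microsoft out.reg` writes UTF-16 LE, so open the file with `encoding="utf-16"` before passing its text to `scan_reg_export`. The marker alone does not mean the machine is clean: it is the worm's own record that it has already mailed itself once from that host.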