Virus.VBS.Monopoly

Technical Details

Another Melissa-like worm. It spreads through e-mail using MS Outlook
client. The main difference between the two worms is this one is written in Visual Basic
Script instead of MS Office macro-language. Most of its code is
encrypted to make analysis more difficult.

The virus arrives to a computer as an e-mail message with an attached
“MONOPOLY.VBS” file. When this file (containing VBScript) is executed, it
creates an image file “MONOPOLY.JPG” in a temporary folder. It also creates
another two files “MONOPOLY.WSH” and “MONOPOLY.VBE”. The VBE file contains
encrypted VBScript and executes with a WSH file.

When VBE is executing, it displays the message:

Bill Gates is guilty of monopoly. Here is the proof

Then it displays picture from the image file. The picture shows Bill Gates’
face on a Monopoly game board.

The worm’s spreading routine is very close to the routine of “Melissa”
virus. Worm sends itself to every address from the Outlook address book.
The message contains the attached file “MONOPOLY.VBS”.

Subject:

Bill Gates joke

Text:

Bill Gates is guilty of monopoly. Here is the proof. :-)

Warm also sends another message to the following addresses:

monopoly@mixmail.com, monpooly@telebot.com, mooponly@ciudad.com.ar,

mloponoy@usa.net, yloponom@gnwmail.com

In this message, the worm sends a list of names and addresses from an Outlook address
book, ICQ UIN files and information obtained in the Windows registry:

• Registered user name and organization
• Network computer name
• DVD region
• Country and area code
• Language
• Windows version
• Internet Explorer start page

After all this, the worm modifies the system registry:

"HKEY_LOCAL_MACHINESoftwareOUTLOOK.Monopoly" = "True"

In this way, the worm marks a computer and will not send messages from this computer next time.