Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: VBS

Visual Basic Scripting Edition (VBScript) is a scripting language interpreted by Windows Script Host. VBScript is widely used to create scripts on Microsoft Windows operating systems.


Technical Details

This is a worm written in Visual Basic Script language (VBS). This worm spreads via e-mail and IRC (Internet Relay Chat) channels.

Being executed the worm script displays the message:

Does your name add up to 666?
This handy little tool will tell you what your name adds up to in ASCII
characters (without including spaces and without converting numbers to
ASCII). It is just for fun, it does not mean you are going to go to hell
if you get a 666. You should probably read the bible if you are concerned
about that.

Then it asks user for names and counting sum of ASCII codes of characters in entered text:

Does your name add up to 666?
Enter your name. Also try names from your family and friends. And if you
want something interesting try BILL GATES 3 (Bill's real name is Bill
Gates the third) and HOLY BIBLE. Press Cancel or Ok without entering any
name to exit.

When empty text is entered the worm proceed to its spreading routine. At first this routine creates zipped archive with itself inside. To create archive the worm uses "pkzip" utility stored inside worms body in text-based-encrypted format and decripts it before executing. Then the worm places created archive in Windows directory with name "666TEST.ZIP".

Another file that the worm creates is "REGSVR.VBS" in the Windows system folder. The worm modifies system registry to execute this script every Windows startup.

Being executed this script enumerates all disk drives on the computer and checks following folders on them:


If inside checking folder or its subfolders where is MIRC or PIRCH (popular IRC clients) executable files, the worm creates script for found IRC client that sends 666TEST.ZIP file with worm inside to every joined to IRC channel.

It also checks system date and on fifth of every month changes desktop wallpaper with tiled cartoon picture of sad face.

At last the worm attepts to spread via e-mail using MS Outlook itn the same way as "Melissa" macro-virus do. The message infected with worm contains attached "666TEST.ZIP" archive with worm script inside. The message subject is "666 test", and body is "> Does your name add up to 666 in ASCII characters? Are you going to go to hell?".

The worm doesn't spreads from one computer twice. To prevent duplicate spreading it creates key in system registry:


Read more

Find out the statistics of the vulnerabilities spreading in your region on

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.