Classification

Category :

Malware

Type :

Worm

Aliases :

Anjulie, I-Worm.SSIWG2, VBS/Angel@mm, VBS.Rewind@mm

Summary

VBS/Anjulie.A@mm is a worm written in Visual Basic Script that drop a CIH virus variant.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:VBS/Anjulie.A@mm

VBS/Anjulie.A@mm is email worm (mass mailer) which propagates using Outlook application. The message looks as follow:

Subject: Read the true history on Angelina Julie

 Body:

 Your life

 Your work

 Your lovers

 Attachment: [the name of the attached script file] 

Originally the worm has been distributed in a file called AngelinaJulie.txt.vbs but it might be different.

The worm tries to hide part of its code using a simple encryption. It also contains the following commented line which it never show:

'By AlevirusSCS VxBrasil :).

VBS/Anjulie worm drops two files in Windows Temporary directory. One of them is T4umhf5.vbs which is the script worm. The other file is Ale32.exe and it is infected with a CIH virus variant. More information about CIH you can find here:

Europe: https://www.europe.f-secure.com/v-descs/cih.shtml

USA: https://www.f-secure.com/v-descs/cih.shtml

F-Secure Anti-Virus detects Angel worm with the current updates:

https://www.f-secure.com/download-purchase/updates.shtml