VBS/Fireburn.A is a VB script worm, spreading through Outlook and mIRC.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When the VB script is run, it saves a copy of itself as [windows directory]\rundll32.vbs and alters the registry so that this copy is run at startup.
The registry keys which it adds/modifies are:
It attempts to discover whether the windows program directory is 'C:\Programme' or not. If it is, the e-mail payload will be composed in German. Otherwise, it will be composed in English.
A filename is chosen randomly from a list of x-rated filenames.
Then the script looks for the mIRC Internet Relay Chat client in either c:\MIRC or [program files folder]\mirc. If mIRC is found, the script overwrites the script.ini file with a new one which does the following:
- when a connection is made to an IRC server, the rundll32.vbs file that was copied to the windows directory is moved into the windows system directory and renamed to the random filename chosen earlier;
- when the connection to the IRC server is broken, the file is copied back into the windows directory with the name rundll32.vbs;
- when anyone joins a channel, the file from the windows system directory is sent to them;
- if anyone writes the word "sex" to a channel, the file is sent to them from the windows system directory;
- anyone saying "virus", "worm" or "script" is ignored;
- additional automatic text responses are made to various other phrases.
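As an added example (not part of the original description and not F-Secure's detection logic), the following Python heuristic checks a mIRC script.ini for the behaviours listed above: a file sent on JOIN or on a keyword, and users ignored when they mention security-related words. The sample script.ini content and the PLACEHOLDER.vbs file name are constructed for illustration; the worm's actual script is not reproduced on this page.

```python
import re

# Constructed sample, NOT the worm's real script.ini; the file name is a placeholder.
SAMPLE_SCRIPT_INI = r"""[script]
n0=on 1:JOIN:#:/dcc send $nick C:\WINDOWS\SYSTEM\PLACEHOLDER.vbs
n1=on 1:TEXT:*sex*:#:/dcc send $nick C:\WINDOWS\SYSTEM\PLACEHOLDER.vbs
n2=on 1:TEXT:*virus*:#:/ignore $nick
n3=on 1:TEXT:*hello*:#:/msg $chan hi
"""

# mIRC remote event line: [nN=]on <level>:<EVENT>:<rest>
EVENT = re.compile(r"^(?:n\d+=)?\s*on\s+[^:]+:(?P<event>\w+):(?P<rest>.*)$", re.I)
DCC_SEND = re.compile(r"/?\bdcc\s+send\b", re.I)
IGNORE = re.compile(r"/?\bignore\b", re.I)
SECURITY_WORDS = ("virus", "worm", "script")  # words named in the description


def scan_script_ini(text):
    """Return a list of (line_number, rule, line) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = EVENT.match(line)
        if not m:
            continue
        event, rest = m.group("event").upper(), m.group("rest")
        if DCC_SEND.search(rest):
            if event == "JOIN":
                findings.append((no, "auto-send-on-join", line))
            elif event == "TEXT":
                findings.append((no, "auto-send-on-keyword", line))
        if event == "TEXT" and IGNORE.search(rest):
            # For TEXT events the first field of <rest> is the match text.
            trigger = rest.split(":", 1)[0].lower()
            if any(word in trigger for word in SECURITY_WORDS):
                findings.append((no, "ignore-on-security-word", line))
    return findings


if __name__ == "__main__":
    for no, rule, line in scan_script_ini(SAMPLE_SCRIPT_INI):
        print(f"line {no}: {rule}: {line}")
```

Any finding in a script.ini the user did not write themselves is a reason to inspect the file and the path it references.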
Then the script creates one e-mail which is e-mailed (as a BCC) to each contact in the user's Outlook address book. The e-mail will contain the worm, which is attached with the filename previously chosen.
The subject line of the e-mail is either:
Moin, alles klar?.
Hi, how are you?
The body of the e-mail contains the text:
Hi, wie geht's dir? Guck dir mal das Photo im Anhang an, ist echt geil ;) bye, bis dann..
Hi, look at that nice Pic attached ! Watching it is a must ;) cu later...
The e-mail is deleted from sent items so that the victim is unaware of the e-mail that was sent.
The e-mail payload is run each time the worm is executed.
Then the worm checks whether the date is the 20th of June and, if it is, displays a message box with the text:
'I'm proud to say that you are infected by FireburN !'
and the title
When the messagebox is closed, the registry is updated to disable both the keyboard and the mouse on the next reboot:
F-Secure has received a handful of reports of this virus being in the wild during the last days of May, 2000. However, the virus is not expected to go far.
Technical Details: Alex Shipp, Paul Fletcher, MessageLabs