VBS/Fireburn.A is a VB script worm, spreading through Outlook and mIRC.
When the VB script is run, it saves a copy of itself in [windows
directory]\rundll32.vbs and alters the registry so that this program
is run on the startup.
The registry keys which it adds/modifies are:
It attempts to discover whether the windows program directory is
'C:\Programme' or not. If it is, the e-mail payload will be
composed in German. Otherwise, it will be composed in English.
A filename is chosen randomly from a list of x-rated filenames.
Then the script looks for the mIRC Internet Relay Chat client in
either c:\MIRC or [program files folder]\mirc. If mIRC is found, the
script overwrites the script.ini file with a new one which does the
- when a connection is made to an IRC server, the rundll32.vbs file
that was copied to the windows directory is moved into the windows
system directory and renamed to the random filename chosen earlier;
- when the connection to the IRC server is broken, the file is copied
back into the windows directory with a name rundll32.vbs;
- when anyone joins a channel, the file from the windows system
directory is sent to them;
- if anyone writes the word "sex" to a channel, the file is sent to
them from the windows system directory;
- anyone saying "virus", "worm" or "script" is ignored;
- additional automatic text responses are made to separate other
Then the script creates one e-mail which is e-mailed (as a BCC) to
each contact in the user's Outlook address book. The e-mail will
contain the worm, which is attached with the filename previously
The subject line of the e-mail is either:
Moin, alles klar?
Hi, how are you?
The body of the e-mail contains the text:
Hi, wie geht's dir?
Guck dir mal das Photo im Anhang an, ist echt geil ;)
bye, bis dann..
Hi, look at that nice Pic attached !
Watching it is a must ;)
The e-mail is deleted from sent items so that the victim is unaware
of the e-mail that was sent.
The e-mail payload is run each time when the worm is executed.
Then the worm checks if the date is the 20th June and if it is,
the worm displays a messagebox with the text:
'I'm proud to say that you are infected by FireburN !'
and the title
When the messagebox is closed, the registry is updated to disable both
the keyboard and the mouse on the next reboot:
F-Secure has received a handful of reports of this virus being in the
wild during last days of May, 2000. However, the virus is not expected
to go far.
[Analysis: Alex Shipp, Paul Fletcher, MessageLabs]