VBS/Monopoly is a worm, that uses Microsoft Outlook to mass mail itself. It has been created using Visual Basic Script and it works under Windows Scripting Host (WSH) version 5.0 or later.
Disinfection & Removal
When the script is executed, it first creates three files to Windows temporary directory: "monopoly.jpg", "monopoly.whs" and "monopoly.vbe".
After these files has been created, the worm will show a message box with the following text:
Bill Gates is guilty of monopoly. Here is the proof.
When user selects "Ok" button from the message box, the worm shows a picture of Monopoly game boad with picture of Bill Gates.
Then VBS/Monopoly attempts to mass mail itself to each recipient defined in the Outlook address lists. This message looks like the following:
Subject: Bill Gates joke Body: Bill Gates is guilty of monopoly. Here is the proof. :-) Attachment: MONOPOLY.VBS
Finally it collects the following system information:
- Date and time - Windows registered user name, organization and version number - Computer name - DVD region code - Country and area codes - Internet Explorer language code - Internet Explorer home page - All entries from address books defined in Outlook - All ICQ/UIN files
This information is sent to the following addesses:
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
When the worm has been executed, it creates a registry key
and sets the value of it to "True", so the worm will no be executed again in the same machine.
Technical Details: Sami Rautiainen, F-Secure