F-Secure Virus Descriptions : VBSWG.Q@mm
At February 16th, a variant of VBS/VBSWG was spreading within messages
that have the following content:
Subject: Info Reformasi
Body: Maklumat Terkini...
Attachment: r4mac.vbs
When the attached file is executed, the worm will mail itself to the
each recipient in every address book. After mass mailing the following
key is added to the registry:
HKEY_CURRENT_USER\software\Reformasi\mailed
This variant also replicates using mIRC and Pirch IRC clients. It replaces
the "script.ini" from mIRC and "events.ini" from Pirch installation
directories, causing that the worm will send itself to the IRC user
that joins the channel where an infected user is.
VBSWG.Q also goes trough all local and network drivers from the
system, and replaces every file with either ".vbs" or ".vbe" extension
with itself. It also attempts to locate mIRC and Pirch installations
from these drives.
This variant activates its payload at September 7th, when it launches
a web browser and connects to Malaysian web site.
Information about the original VBS/Onthefly.A (also known as
I-Worm.Lee.o and VBS/VBSWG) is available at:
http://www.F-Secure.com/v-descs/onthefly.shtml
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001]
|
