On March 5th, 2001, F-Secure received several reports about this worm. Due
to efforts made by F-Secure Corporation and its Italian partner
Symbolic S.p.A, the web page that contains the main part of the worm
was disabled within a few hours. In this way the spreading of the worm
was stopped.
This worm arrives in a message that has the following content:
Subject: Vierika is here
The attachment contains a small script that lowers Internet Explorer
security zone settings and also changes the start page to an Italian
site. This page contains a script code, which is the main part of the
The next time Internet Explorer is started, the browser will connect
to the infected page. Since security zone settings are lowered by the
first part of the worm ("Vierika.JPG.vbs"), the second part
("Vindex.html") is able to execute directly from the web site.
This part will first drop a file "c:\Vierika.JPG.vbs" that is the
first part of the worm, and spread it using Microsoft Outlook to
each recipient in every address book.
The page that contains the second (mass mailing) part of the worm
looks as follows:
THE MATRIX IS CONTROL
To restore the Internet Explorer start page setting, change or remove
the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Also, the Internet security zone setting should be restored from the
"Tools/Internet Options/Security" dialog to at least the "Medium" level.
This variant arrives in a message that has the same content as
VBS/Vierika.A@mm. However, the worm is modified slightly and it uses a
web page located on a Geocities server. The web page is modified as
now you are free
MATRIX IS CONTROL
After mass mailing, VBS/Vierika.B replaces "C:\Vierika.JPG.vbs" with a
file that contains only the following word:
F-Secure Anti-Virus has a heuristic that detects this worm. This
detection is included in updates released before March 5th, 2001.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; March 2001]
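The restoration steps described above (start page value, security zone level) together with a check for the dropped "C:\Vierika.JPG.vbs" file can be run as one audit. This PowerShell script is an added example, not F-Secure's tooling; the Zones\3 key, its CurrentLevel value and the 0x11000 "Medium" constant are assumptions about the standard per-user Internet zone settings, and "about:blank" is an arbitrary safe replacement for the start page.

```powershell
# Added example (not F-Secure's tooling): audit the traces named in this description.
# Run as the affected user; pass -Fix to reset the start page.
param([switch]$Fix)

$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'  # from the description
$dropped = 'C:\Vierika.JPG.vbs'                               # from the description
# Assumption: per-user Internet zone (zone 3) key; CurrentLevel holds the template level.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$medium  = 0x11000   # assumed "Medium" template value; 0 = custom level

# 1. Start page: show the current value so an unfamiliar URL can be spotted.
$main = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
$startPage = if ($main) { $main.'Start Page' } else { $null }
Write-Output ("Start Page   : {0}" -f $startPage)
if ($Fix -and $main) {
    Set-ItemProperty -Path $mainKey -Name 'Start Page' -Value 'about:blank'
    Write-Output 'Start Page reset to about:blank'
}

# 2. Internet zone level: report only; repair it through the Security dialog.
$zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
if ($null -eq $zone -or $null -eq $zone.CurrentLevel) {
    Write-Output 'Zone level   : not readable, check the Security dialog'
} elseif ($zone.CurrentLevel -eq 0) {
    Write-Output 'Zone level   : custom, review the individual settings in the Security dialog'
} elseif ($zone.CurrentLevel -lt $medium) {
    Write-Output ('Zone level   : 0x{0:X} is below Medium, raise it in the Security dialog' -f $zone.CurrentLevel)
} else {
    Write-Output ('Zone level   : 0x{0:X} (Medium or higher)' -f $zone.CurrentLevel)
}

# 3. Dropped script: report presence and size (variant B leaves a one-word file).
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped -Force
    Write-Output ("Dropped file : {0} present, {1} bytes" -f $f.FullName, $f.Length)
} else {
    Write-Output "Dropped file : $dropped not found"
}
```

The zone level is only reported, because a custom level means individual settings were changed and those are restored from the Security dialog as described above.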