Classification

Category: Malware

Type: Worm

Aliases: Anjulie, I-Worm.SSIWG2, VBS/Angel@mm, VBS.Rewind@mm

Summary


VBS/Anjulie.A@mm is a worm written in Visual Basic Script that drop a CIH virus variant.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details



Variant:VBS/Anjulie.A@mm

VBS/Anjulie.A@mm is email worm (mass mailer) which propagates using Outlook application. The message looks as follow:

Subject: Read the true history on Angelina Julie

 Body:

 Your life

 Your work

 Your lovers

 Attachment: [the name of the attached script file] 

Originally the worm has been distributed in a file called AngelinaJulie.txt.vbs but it might be different.

The worm tries to hide part of its code using a simple encryption. It also contains the following commented line which it never show:

'By AlevirusSCS VxBrasil :).

VBS/Anjulie worm drops two files in Windows Temporary directory. One of them is T4umhf5.vbs which is the script worm. The other file is Ale32.exe and it is infected with a CIH virus variant. More information about CIH you can find here:

Europe: https://www.europe.f-secure.com/v-descs/cih.shtml

USA: https://www.f-secure.com/v-descs/cih.shtml

F-Secure Anti-Virus detects Angel worm with the current updates:

https://www.f-secure.com/download-purchase/updates.shtml