Classification

Category: Malware

Type: Worm

Aliases: Fireburn

Summary

VBS/Fireburn.A is a VB script worm that spreads through Outlook and mIRC.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the VB script is run, it saves a copy of itself as [windows directory]\rundll32.vbs and alters the registry so that this copy is run at startup.

The registry keys which it adds/modifies are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSrundll32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner

It checks whether the Windows program directory is 'C:\Programme'. If it is, the email payload will be composed in German. Otherwise, it will be composed in English.

A filename is chosen randomly from a list of x-rated filenames.

Then the script looks for the mIRC Internet Relay Chat client in either c:\MIRC or [program files folder]\mirc. If mIRC is found, the script overwrites the script.ini file with a new one which does the following:

- when a connection is made to an IRC server, the rundll32.vbs file that was copied to the windows directory is moved into the windows system directory and renamed to the random filename chosen earlier;

- when the connection to the IRC server is broken, the file is copied back into the windows directory under the name rundll32.vbs;

- when anyone joins a channel, the file from the windows system directory is sent to them;

- if anyone writes the word "sex" to a channel, the file is sent to them from the windows system directory;

- anyone saying "virus", "worm" or "script" is ignored;

- additional automatic text responses are made to other, separate phrases.

Then the script creates a single email, which is sent (as a BCC) to each contact in the user's Outlook address book. The email contains the worm, attached under the filename chosen earlier.

The subject line of the email is either:

	Moin, alles klar?.

or

	Hi, how are you?

The body of the email contains the text:

	Hi, wie geht's dir?
	Guck dir mal das Photo im Anhang an, ist echt geil ;)
	bye, bis dann..

or

	Hi, look at that nice Pic attached !
	Watching it is a must ;)
	cu later...

The email is deleted from sent items so that the victim is unaware of the email that was sent.

The email payload is run each time the worm is executed.

Then the worm checks whether the date is the 20th of June. If it is, the worm displays a messagebox with the text:

	'I'm proud to say that you are infected by FireburN !'

and the title

	'FireburN'

When the messagebox is closed, the registry is updated to disable both the keyboard and the mouse on the next reboot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up2
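The Run-key value names and the dropped filename listed above can be checked for in saved `reg query` output. The following is an added example, not part of the original description or any F-Secure tool; the function names, severity labels and sample data are assumptions made for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_VALUE = "msrundll32"          # startup entry for the dropped copy
PAYLOAD_VALUES = {"shut_up", "shut_up2"}  # written after the 20 June messagebox
DROPPED_FILE = "rundll32.vbs"             # copy saved in the Windows directory

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group("name")] = m.group("data")
    return keys


def fireburn_findings(text):
    """List (severity, value_name, reason) for Run-key entries matching the page."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.lower() != RUN_KEY.lower():  # registry paths are case-insensitive
            continue
        for name, data in values.items():
            lname = name.lower()
            if lname in PAYLOAD_VALUES:
                findings.append(("critical", name, "payload entry: input disabled on next reboot"))
            elif lname == PERSISTENCE_VALUE:
                findings.append(("high", name, "worm startup entry"))
            elif DROPPED_FILE in data.lower():
                findings.append(("medium", name, "Run entry launches rundll32.vbs"))
    return findings


# Constructed sample; the data columns are placeholders, not from a real infection.
SAMPLE = "\n".join([
    RUN_KEY,
    r"    SystemTray    REG_SZ    SysTray.Exe",
    r"    MSrundll32    REG_SZ    C:\WINDOWS\rundll32.vbs",
    r"    Shut_Up    REG_SZ    <constructed placeholder>",
    "",
])
```

A "critical" finding means the date-triggered payload has already written its entries, so the Run values should be removed before the machine is rebooted.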

F-Secure has received a handful of reports of this virus being in the wild during the last days of May 2000. However, the virus is not expected to go far.