Home > Threat descriptions >

VBSWG.Q@mm

Classification

Category: Malware

Type: Worm

Aliases: VBSWG.Q@mm

Summary


At February 16th, a variant of VBS/VBSWG was spreading within messages that have the following content:

Subject:

Info Reformasi

 Body: Maklumat Terkini...

 Attachment: r4mac.vbs
 

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing the following key is added to the registry:

HKEY_CURRENT_USER\software\Reformasi\mailed
 

This variant also replicates using mIRC and Pirch IRC clients. It replaces the "script.ini" from mIRC and "events.ini" from Pirch installation directories, causing that the worm will send itself to the IRC user that joins the channel where an infected user is.

VBSWG.Q also goes trough all local and network drivers from the system, and replaces every file with either ".vbs" or ".vbe" extension with itself. It also attempts to locate mIRC and Pirch installations from these drives.

This variant activates its payload at September 7th, when it launches a web browser and connects to Malaysian web site.

Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: https://www.F-Secure.com/v-descs/onthefly.shtml