Threat Description

VBSWG.Q@mm

Details

Aliases: VBSWG.Q@mm
Category: Malware
Type: Worm
Platform: VBS

Summary


At February 16th, a variant of VBS/VBSWG was spreading within messages that have the following content:

  Subject:    Info Reformasi     Body:       Maklumat Terkini...     Attachment: r4mac.vbs   


Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing the following key is added to the registry:

  HKEY_CURRENT_USER\software\Reformasi\mailed   

This variant also replicates using mIRC and Pirch IRC clients. It replaces the "script.ini" from mIRC and "events.ini" from Pirch installation directories, causing that the worm will send itself to the IRC user that joins the channel where an infected user is.

VBSWG.Q also goes trough all local and network drivers from the system, and replaces every file with either ".vbs" or ".vbe" extension with itself. It also attempts to locate mIRC and Pirch installations from these drives.

This variant activates its payload at September 7th, when it launches a web browser and connects to Malaysian web site.

Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: https://www.F-Secure.com/v-descs/onthefly.shtml





Technical Details:Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More