Threat Description



Category: Malware
Type: Worm
Platform: VBS
Aliases: Vierika


VBS/Vierika is a mass mailer (worm) written in Visual Basic Script.

This worm consists of two different script parts, one that arrives in an Outlook message as an attachment and another that is available on a web site.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


On March 5th, 2001, F-Secure received several report about this worm. Due to efforts made by F-Secure Corporation and its Italian partner Symbolic S.p.A, the web page that contains the main part of the worm has been disabled in a few hours. On that way spreading of the worm has been stopped.

This worm arrives in a message that has the following content:

Subject:    Vierika is here     Body:       Vierika.jpg     Attachment: Vierika.JPG.vbs   

The attachment contains a small script, that lowers Internet Explorer security zone settings and also changes the start page to an Italian site. This page contains a script code, which is the main part of the worm.

Next time when Internet Explorer is started, the browser will connect to the infected page. Since security zone settings are lowered by the first part of the worm ("Vierika.JPG.vbs"), the second part ("Vindex.html") is able to execute directly from the web site.

This part will first drop a file "c:\Vierika.JPG.vbs" that is the first part of the worm, and spread it using Microsoft Outlook to to each recipient in every address book.

The page that contains the second (mass mailing) part of the worm looks as follows:


To restore the Internet Explorer start page setting, change or remove the following registry key:

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page  

Also the Internet security zone setting should be restored from "Tools/Internet Options/Security" dialog at least to "Medium" level.


This variant arrives in a message that have the same content with VBS/Vierika.A@mm. However, the worm is modified slightly and it uses a web page located at Geocities server. The web page is modified as well:

now you are free     MATRIX IS CONTROL 	  

After mass mailing, VBS/Vierika.B replaces "C:\Vierika.JPG.vbs" with a file that contains only the following word:


F-Secure Anti-Virus has a heuristic that detects this worm. This detection is included in updates released before March 5th, 2001.

Description Details: Katrin Tocheva and Sami Rautiainen, F-Secure; March 2001


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More