Advice - VBS/VBSWG.aq@MM
#1
Scooby Senior
Thread Starter
Seeing a few samples of this in the UK, it uses a double extension so hopefully it should be blocked by most corporates. The file to look out for is ShakiraPics.jpg.vbs which could be quite tempting.
http://vil.nai.com/vil/content/v_99506.htm
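A mail-gateway style check for the double-extension pattern mentioned above, as an added example that is not part of the original post or any vendor's code. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy

# Extension lists are assumptions for this example; tune to local policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}

def double_extension(filename):
    """Return (decoy, real) when a harmless-looking extension hides a script one."""
    # Keep the base name only; Windows ignores trailing dots and spaces.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    # Padding such as "pic.jpg      .vbs" pushes the real extension out of view.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2], parts[-1]
    return None

def flag_attachments(raw_message):
    """Return attachment filenames in a raw RFC 5322 message that use the trick."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if fname and double_extension(fname):
            hits.append(fname)
    return hits

# Constructed sample message; the attachment body is an inert placeholder.
SAMPLE = (
    b"Subject: Shakira's Pics\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"i have sent the photos via attachment\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="ShakiraPics.jpg.vbs"\r\n\r\n'
    b"' inert placeholder\r\n"
    b"--b1\r\n"
    b"Content-Type: image/jpeg\r\n"
    b'Content-Disposition: attachment; filename="holiday.jpg"\r\n\r\n'
    b"x\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))
```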
#2
Moderator
Name: VBS/VBSWG-AQ
Type: Visual Basic Script worm
Date: 5 June 2002
A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
July 2002 (3.59) release of Sophos Anti-Virus.
Sophos has received several reports of this worm from the wild.
Description:
VBS/VBSWG-AQ is an email worm. The worm spreads using an email
with the following characteristics:
Subject line: Shakira's Pics
Message text:
Hi :
i have sent the photos via attachment
have funn...
Attached file: ShakiraPics.jpg.vbs
When the attachment is run it will copy itself into the Windows
folder and add the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry
to ensure that the worm is run each time Windows is started. It
will then attempt to email itself to all addresses listed in the
Microsoft Outlook address book. If the worm detects that mIRC is
installed it will create the file script.ini in the mIRC folder.
This file is detected by Sophos Anti-Virus as mIRC/Simp-Fam.
VBS/VBSWG-AQ will also create the registry entries
HKCU\Software\ShakiraPics\mailed
and
HKCU\Software\ShakiraPics\mirqued
after it has attempted to spread by email and IRC.
The worm will then search all local and network drives for files
with VBE or VBS extensions and overwrite them with a copy of
itself.
Finally the worm will display the message
"You have been infected by the ShakiraPics Worm".
Download the IDE file from
http://www.sophos.com/downloads/ide/vbswg-aq.ide
Read the analysis at
http://www.sophos.com/virusinfo/analyses/vbsvbswgaq.html
Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
#3
Scooby Regular
Thanks to GroupShield, already been notified...
Incident Information:-
Originator: xxxxx xxxx <xxxxx_xxxxx@xxxxx.co.uk>
Recipients: "'xxxxx@xxxxxx-xx.com'" <xxxxxx@xxxxxx-xx.com>
Subject: Shakira's Pictures
Date/Time: 06/06/2002 12:48:20 PM
WARNING: The file attachment ShakiraPics.jpg.vbs was infected with the VBS/VBSWG.gen@MM virus and was not successfully cleaned.