*** Virus Alert 2/12/01 ***
VBS/Vbswg.J@mm Worm
Name: VBS/Vbswg.J@mm
Aliases: Anna Kournikova, VBS/SST, VBS/VBSWG.J, Onthefly.A, Lee, Kalamar.A
Type: Internet Worm
Description:
VBS/Vbswg.J@mm is a Visual Basic Script virus that has been
created using a script generator. This mass mailing worm
spreads via Microsoft Outlook and contains the following
information:
Subject: Here you have, ;o)
Message: Hi:
Check This!
Attachment: AnnaKournikova.jpg.vbs
When the attachment is executed, the worm does the following:
1) Creates a registry key:
HKCU\Software\OnTheFly\Worm made with Vbswg 1.50b
2) Creates a copy of the script under the name
AnnaKournikova.jpg.vbs in the Windows Systems directory.
3) If the Registry key HKCU\Software\OnTheFly\mailed is
not set to "1", it mass-mails that file. The mass mailing
is Melissa-style, requires Outlook 98 or above, and sends
to all email recipients in the address book. After the mass
mailing is over, it sets the Registry Key
HKCU\Software\OnTheFly\mailed to "1", which ensures that
the mailing only occurs once.
4) If the date is January 26, the worm will attempt to connect
to the web page http://www.dynabyte.nl.
Detection:
Command AntiVirus version 4.58.3 or higher with definition
files dated 02/12/01 will detect the virus.
Removal:
To remove the VBS/Vbswg.J@mm worm from your system, delete the
HKCU\Software\OnTheFly\ registry keys as well as the
AnnaKournikova.jpg.vbs file.
When HAPPY99.EXE is executed, it will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of WSOCK32.SKA. WSOCK32.DLL is a regular part of Windows that provides a connection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified the next time the computer starts. The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder.
In my tests (sending an e-mail to myself :) this virus attached itself to a second copy of the e-mail message, with no problems and a barely noticeable delay. The outgoing message contains the header
X-Spanska: Yes
but this is normally not visible.
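As an added example (not code from the alert), a small Python triage script for a mail gateway that flags messages matching the indicators quoted on this page: the Vbswg.J subject line and AnnaKournikova.jpg.vbs attachment described above, and the HAPPY99.EXE attachment and X-Spanska header of this virus. It also applies a generic double-extension check that goes beyond the page; the sample messages, the hit labels and the extension list are constructed for the demo.

```python
from email import message_from_string
from email.message import EmailMessage, Message

# Indicators quoted in the alert text above; the hit names are my own labels.
VBSWG_SUBJECT = "Here you have, ;o)"
VBSWG_ATTACHMENT = "annakournikova.jpg.vbs"
HAPPY99_ATTACHMENT = "happy99.exe"
HAPPY99_HEADER = ("X-Spanska", "yes")
RISKY_EXTENSIONS = {"vbs", "exe", "scr", "pif", "js"}

def attachment_names(msg: Message) -> list:
    """Lower-cased filenames of every MIME part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def classify(raw: str) -> list:
    """Return the indicator names that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == VBSWG_SUBJECT:
        hits.append("vbswg.j-subject")
    if (msg.get(HAPPY99_HEADER[0]) or "").strip().lower() == HAPPY99_HEADER[1]:
        hits.append("happy99-x-spanska-header")
    for name in attachment_names(msg):
        if name == VBSWG_ATTACHMENT:
            hits.append("vbswg.j-attachment")
        elif name == HAPPY99_ATTACHMENT:
            hits.append("happy99-attachment")
        # Generic rule: a scriptable extension hidden behind a second one (.jpg.vbs).
        stem, _, ext = name.rpartition(".")
        if ext in RISKY_EXTENSIONS and "." in stem:
            hits.append("double-extension")
    return hits

def build_sample(subject: str, filename: str, headers=None) -> str:
    """Construct a demo message with one attachment (placeholder bytes, not the worm)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = subject
    for key, value in (headers or {}).items():
        m[key] = value
    m.set_content("Hi:\nCheck This!")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

def demo() -> list:
    """Classify three constructed messages: the two worms and a benign one."""
    return [classify(build_sample(VBSWG_SUBJECT, "AnnaKournikova.jpg.vbs")),
            classify(build_sample("fireworks", "HAPPY99.EXE", {"X-Spanska": "Yes"})),
            classify(build_sample("lunch?", "menu.pdf"))]
```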
This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. This virus does not affect Macs, DOS, or Windows 3.x.
Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.
It contains the encrypted text:
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
Is it a virus, a worm, or a trojan?
Removal:
1) Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes.
2) At the DOS prompt type: CD \WINDOWS\SYSTEM
3) Delete SKA.EXE and SKA.DLL by typing: DEL SKA.EXE and DEL SKA.DLL. If you get "File not found", you're not infected.
4) Copy WSOCK32.SKA to WSOCK32.DLL by typing: COPY WSOCK32.SKA WSOCK32.DLL. Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
5) Optional: Delete WSOCK32.SKA by typing: DEL WSOCK32.SKA
6) Return to Windows by typing: EXIT
7) Optional: Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press Delete and then click Yes. Close Regedit.
8) Optional: Start Notepad and open the file LISTE.SKA. Warn the people on the list, then delete LISTE.SKA.