[virusinfo] VBS/Speery-A

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 02 Mar 2005 09:07:46 -0800

From: Sophos Alert System

Name: VBS/Speery-A
Type: Visual Basic Script worm
Date: 2 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about VBS/Speery-A can be found at:
http://www.sophos.com/virusinfo/analyses/vbsspeerya.html

VBS/Speery-A is a worm for the Windows platform.

When first run, the worm displays a message box containing the following:

    I-Worm.Maxpeery
    by Spidey [SECTOR-S]
    Indonesia
    URL : <author's website>

The worm copies itself to the Windows folder as Christina_Aquilera.jpg.vbs and
to the Windows system folder as gsw332.exe.vbs. In order to run each time a
user logs on, the following registry entries are created:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ccApp
    "<Windows system folder>\gsw332.exe.vbs"

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    AVPCC
    "<Windows folder>\Christina_Aquilera.jpg.vbs"

The worm may also alter the following registry entry:

    HKCU\Software\Microsoft\Windows Script Host\Settings
    Timeout

If the folder C:\program files\winrar exists, the worm attempts to create the
following files using the winrar application:

    Christina_aquilera.rar
    gsw332.rar

VBS/Speery-A drops two helper files named underground.ico and wini.ico. These
files contain the functionality to spread the worm via email and through all
available drives and subfolders. The worm overwrites all files with the VBS or
VBE file extensions with copies of itself.

Email sent by VBS/Speery-A has the following properties:

Subject line:

    Tolong dong...

Attached file:

    VBS/Speery-A's current filename
    gsw332.rar
    Christina_Aquilera.rar

Message text:

    Kenapa dari dulu hidupku seperti ini ?, kenapa ga ada perubahan yang berarti ?
    Tolong dong cariin aku kerjaan

If the attached file is one of the files created by the Winrar application,
then the following also appears in the message text:

    Password attachmentnya = sectors

If VBS/Speery-A finds the folder C:\mirc, then it creates a file named
script.ini which causes the Internet Relay Chat (IRC) application mIRC to send
a copy of the worm to joining users on the IRC network. Sophos's anti-virus
products detect the script.ini file created by VBS/Speery-A as mIRC/Simp-Fam.

This IDE file also includes detection for:

Troj/SecondT-AO
http://www.sophos.com/virusinfo/analyses/trojsecondtao.html
Troj/Bancban-BP
http://www.sophos.com/virusinfo/analyses/trojbancbanbp.html
Troj/Goldun-N
http://www.sophos.com/virusinfo/analyses/trojgoldunn.html
Troj/Bdoor-ER
http://www.sophos.com/virusinfo/analyses/trojbdoorer.html
W32/Rbot-WT
http://www.sophos.com/virusinfo/analyses/w32rbotwt.html
W32/Agobot-QN
http://www.sophos.com/virusinfo/analyses/w32agobotqn.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/speery-a.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
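
An added example, not part of the original alert and not Sophos code: a Python check that parses `reg query` output and flags Run/RunOnce values that launch a script file, noting the double extensions and the two file names described in the alert. The sample registry text, the C:\WINDOWS paths and the decoy-extension list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Script types that Windows Script Host will execute.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumed list of extensions placed before the real one to make a script look harmless.
DECOY_EXTS = {".jpg", ".gif", ".png", ".txt", ".doc", ".pdf", ".exe", ".mp3"}
# File names taken from the alert text (compared case-insensitively).
ALERT_NAMES = {"gsw332.exe.vbs", "christina_aquilera.jpg.vbs"}
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output; the paths are assumptions.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    C:\WINDOWS\system32\gsw332.exe.vbs
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    AVPCC    REG_SZ    C:\WINDOWS\Christina_Aquilera.jpg.vbs
"""

def scan_autoruns(reg_query_text):
    """Return (key, value name, target, reasons) for script autoruns."""
    findings, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):   # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not AUTORUN_KEY.search(key):
            continue
        target = m["data"].strip().strip('"')
        suffixes = [s.lower() for s in PureWindowsPath(target).suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue                            # not a script, ignore
        reasons = ["script file in autorun key"]
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double extension " + "".join(suffixes[-2:]))
        if PureWindowsPath(target).name.lower() in ALERT_NAMES:
            reasons.append("file name listed in the alert")
        findings.append((key, m["name"], target, reasons))
    return findings

if __name__ == "__main__":
    for key, name, target, reasons in scan_autoruns(SAMPLE):
        print(f"{key} [{name}] -> {target}: {'; '.join(reasons)}")
```
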


