Name:  VBS.Potok@mm
Aliases:  VBS.Potok.A, VBS.Stream.A, VBS/Stream, VBS/Vdrive@MM, Stream, Vdrive, Potok
Variants:  
Type:  VBScript Worm
Platforms: Windows NT/2000 (NTFS volumes only)
Status:  in the wild
Threat:  V-CON 2 (low)
The following has been derived from information provided by NAI, Panda, and Symantec.
Virus Characteristics
This is a mass-mailing worm that requires Microsoft Windows NT/2000 with an NTFS volume in order to propagate. It is the first known VBScript virus to use NTFS alternate data streams in order to function. On a Windows 95/98/ME system running FAT or FAT32, such streams do not exist; the script still runs, but its NTFS check (see below) fails and it exits without infecting the machine or mailing itself.
When run, it copies itself to the Windows directory as:
driver.doc                                              .vbs
The name is driver.doc, followed by 46 spaces, followed by the real .vbs extension. The padding is meant to push the script extension out of view wherever long file names are truncated or wrapped, so that the file appears to be a Word document.
It then checks to see if the current drive is an NTFS partition. If it is not, the script exits.
If the drive is NTFS, four alternate data streams named mail, main, user, and group are created on the file %WinDir%\odbc.ini (addressed as odbc.ini:mail, odbc.ini:main, and so on). The worm body lives in these streams: a normal directory listing shows only the unchanged odbc.ini, and the file size it reports does not include the contents of alternate streams. The worm also drops notepad.vbs in the Winnt\system32\ras\ directory and creates go.vbs in the Winnt\system32\ directory.
The "mail" stream contains VBScript instructions for the worm to send itself to the first 50 recipients found in the Microsoft Outlook Address book with the following information:
Subject of email: New Generation of drivers.
Name of attachment: driver.doc                                              .vbs (driver.doc, 46 spaces, then .vbs, as described above)
Size of attachment: 9262 bytes
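The padded attachment name deserves a gateway-side check of its own. The PowerShell below is an added example written for this entry, not code from the original alert or from any of the vendors cited; the extension list, the function names, and the regular expression are this example's own choices. It reconstructs the worm's attachment name from the description above, shows that the true extension is whatever follows the last dot (so an extension block still catches it), and separately flags the whitespace padding as a deception indicator worth logging.

```powershell
# Added example (not part of the original alert). Flags attachment names that hide a
# script extension behind whitespace padding, as Potok's "driver.doc<46 spaces>.vbs" does.
# $ScriptExtensions and both function names are this example's own, not vendor code.

$ScriptExtensions = @('vbs','vbe','js','jse','wsf','wsh','hta','exe','scr','pif','bat','cmd')

function Test-BlockedExtension {
    param([Parameter(Mandatory)][string]$FileName)
    # The real extension is whatever follows the last dot, padding or not.
    $ext = [IO.Path]::GetExtension($FileName.TrimEnd()).TrimStart('.').ToLower()
    return ($ScriptExtensions -contains $ext)
}

function Test-PaddedScriptName {
    param([Parameter(Mandatory)][string]$FileName)
    # base, an innocuous-looking extension, two or more spaces/tabs, then a script extension at the end.
    $pattern = '^(?<base>.+)\.(?<fake>[A-Za-z0-9]{1,5})(?<pad>[ \t]{2,})\.(?<real>[A-Za-z0-9]{1,4})$'
    $m = [regex]::Match($FileName, $pattern)
    if (-not $m.Success) { return $null }
    $real = $m.Groups['real'].Value.ToLower()
    if ($ScriptExtensions -notcontains $real) { return $null }
    [pscustomobject]@{
        Base          = $m.Groups['base'].Value
        DisplayedAs   = $m.Groups['fake'].Value   # what a truncated display shows
        PaddingLength = $m.Groups['pad'].Value.Length
        RealExtension = $real
    }
}

# Reconstruct the worm's attachment name from the alert's description (driver.doc + 46 spaces + .vbs).
$potokName = 'driver.doc' + (' ' * 46) + '.vbs'

Test-BlockedExtension $potokName          # True: the last-dot extension is .vbs
Test-PaddedScriptName $potokName          # object with PaddingLength 46, RealExtension vbs
Test-PaddedScriptName 'driver.doc'        # nothing: an ordinary document name
Test-BlockedExtension 'report.doc.vbs'    # True: no padding, but still a script
Test-PaddedScriptName 'report.doc.vbs'    # nothing: the padding signal is absent, the block above still applies
```

A filter that keys on the extension after the final dot already rejects the padded name; the second function exists so that the padding itself, which has no legitimate use in an attachment name, can be logged or scored as a phishing indicator even for extensions that are not blocked outright.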
The "main", "user", and "group" streams contain VBScript that gives the virus writer an administrative account on the infected machine. The "user" stream attempts to create a new local account named Lord_Nikon; the "group" stream attempts to add that account to the Administrators group; the "main" stream then attempts to access the new account.
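To check a host for the artifacts described in this entry, the following PowerShell is an added example written for this page; it is not code from the original alert or from NAI, Panda, or Symantec. Stream names, file paths, and the Lord_Nikon account come from the description above; the function name and output format are this example's own. It requires PowerShell 5.1 or later (for Get-Item -Stream and the Get-Local* cmdlets) on an NTFS volume, so it examines the same artifacts on a modern system rather than running on the NT/2000 hosts the worm originally targeted.

```powershell
# Added example (not part of the original alert): enumerate the indicators this entry lists.
# Function name and output strings are this example's own. Run from an elevated prompt.

function Get-PotokIndicators {
    [CmdletBinding()]
    param([string]$WinDir = $env:windir)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Alternate data streams on odbc.ini. ':$DATA' is the ordinary unnamed stream
    #    every file has; mail/main/user/group match the worm's layout, anything else is
    #    still worth a look because odbc.ini normally carries no named streams at all.
    $odbc = Join-Path $WinDir 'odbc.ini'
    if (Test-Path -LiteralPath $odbc) {
        $streams = Get-Item -LiteralPath $odbc -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $tag = if ($s.Stream -in 'mail','main','user','group') { 'POTOK' } else { 'UNEXPECTED' }
            $findings.Add("$tag stream ${odbc}:$($s.Stream) ($($s.Length) bytes)")
        }
    }

    # 2. Dropped scripts and the padded worm copy in the Windows directory.
    foreach ($rel in 'system32\ras\notepad.vbs', 'system32\go.vbs') {
        $p = Join-Path $WinDir $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("dropped file $p") }
    }
    Get-ChildItem -LiteralPath $WinDir -Filter 'driver.doc*.vbs' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("worm copy '$($_.Name)' ($($_.Name.Length) chars in name)") }

    # 3. Backdoor account and its group membership.
    if (Get-LocalUser -Name 'Lord_Nikon' -ErrorAction SilentlyContinue) {
        $findings.Add('local account Lord_Nikon exists')
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        if ($admins | Where-Object { $_.Name -like '*\Lord_Nikon' }) {
            $findings.Add('Lord_Nikon is a member of Administrators')
        }
    }

    return $findings
}

$hits = Get-PotokIndicators
if ($hits.Count -eq 0) { 'no Potok artifacts found' } else { $hits }

# To read a suspicious stream without executing it:
#   Get-Content -LiteralPath "$env:windir\odbc.ini" -Stream mail
```

An empty result means only that none of the listed artifacts are present under the default Windows directory; a scan of other NTFS volumes or a different install path needs the -WinDir parameter or a broader stream enumeration. Reading a stream with Get-Content -Stream shows the worm's VBScript for analysis without running it through the Windows Scripting Host.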
Payload
Sends messages to the first 50 recipients in Outlook Address Book.
Attempts to add new administrative account for the virus writer.
Preventative Measures
Block all files with the VBS extension at the SMTP gateway where possible, and disable the Windows Scripting Host. A gateway filter that matches on the extension after the final dot still catches the padded attachment name, since the last dot is followed by .vbs; a filter that stops at the first dot (driver.doc) does not.
Fixes Available
Network Associates: 4151 due on August 8th, 2001. Currently detected heuristically as New Script with the 4140 engine.
Symantec: Certified defs due August 1st, 2001. Definitions already detect this worm as Bloodhound.VBS.Worm
Trend: No information at time of alert