The following has been derived from information provided by Network Associates.
Virus Characteristics
This is an Internet worm written in VBScript and embedded within a Word document. This worm may arrive by MAPI email or on IRC chat from infected users. The file name is "PORNLIST.DOC".
This worm requires Windows Scripting Host in order to run its code.
This worm may arrive by email in this format:
Subject =
"Hey whats up, Important!"
Body =
"Hey I attatched a list for you to this e-mail take a look at it and tell me what you think."
Attachments =
"c:\pornlist.doc"
The attached file is a Word document containing an embedded script named "LIST.VBS". Inside the document is this text:
Double click me to view my picture
Please view my nude picture and e-mail me back if you think that I am good enough to pose for my webpage.
email: sexygirl18@hotmail.com
The icon above the suggestion to "double click" is that of a .GIF file; however, the embedded object is not a picture but a .VBS file.
If the object is activated by double-clicking and WSH is installed, it runs its distribution routines, writing files to the system and sending itself to all users in all address books by MAPI email. It also searches for installations of mIRC in "C:\MIRC" and Pirch98 in "C:\PIRCH98" and, if found, modifies the scripts of these client applications to distribute itself when joining IRC channels.
This worm copies itself to the local hard drive as these file names:
[temp]\list.vbs
WINDOWS\cod.cod
WINDOWS\list.vbs
WINDOWS\winsck.vbs
WINDOWS\SYSTEM\explorer.vbs
WINDOWS\SYSTEM\list.vbs
This worm then searches all mapped drives and copies PORNLIST.DOC and LIST.VBS to the root directory.
This worm runs a MAPI email routine but first does a registry check for the value of this key:
HKCU\Software\Microsoft\Windows\CurrentVersion
Sent? = [value]
If the value is null, it runs the email routine then sets the value to "1". The email routine sends a MAPI email message in the format mentioned above. It also sends a separate email in this format:
Recipient = "ilikerolls@aol.com"
Subject = "I am screwed"
Body = "I am infected with the crayon of doom virus!"
Attachments = "c:\pornlist.doc"
This worm modifies the registry and configuration files WIN.INI and SYSTEM.INI to load itself at Windows startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = WINDOWS\list.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run = WINDOWS\SYSTEM\list.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices = [temp]\list.vbs
The WIN.INI is modified as follows:
[windows]
run = WINDOWS\winsck.vbs
The SYSTEM.INI is modified as follows:
[boot]
shell = Explorer.exe explorer.vbs
This worm checks for the installation of MIRC in C:\MIRC and PIRCH98 in C:\PIRCH98. If found, it will modify the script to distribute the file "C:\PORNLIST.DOC" to IRC channels when joining them. It also modifies the SCRIPT.INI for MIRC to allow receipt of these file types: *.exe,*.com,*.bat,*.dll,*.ini,*.vbs.
This worm also has a self-check routine that verifies the files it wrote are still present; if any are missing, they are recreated. The registry is checked in the same way, and any of its keys that have been removed are restored.
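As an added example (not part of this description and not Network Associates' code), the following Python script checks WIN.INI, SYSTEM.INI and regedit-export text for the startup entries and the "Sent?" infection marker listed above. The file and key names are taken from the description; the sample file contents are constructed, not captured from an infected host.

```python
# Constructed samples (not from a real host) in WIN.INI, SYSTEM.INI and .reg
# export format, carrying the entries the description lists.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\winsck.vbs\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe explorer.vbs\n"
SAMPLE_REG = (
    "REGEDIT4\n\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion]\n"
    '"Sent?"="1"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"ScanRegistry"="C:\\\\WINDOWS\\\\list.vbs"\n"Harmless"="C:\\\\Tools\\\\sync.exe"\n'
)
# File names the description says the worm writes (lower-cased for matching).
WORM_FILES = {"list.vbs", "winsck.vbs", "explorer.vbs", "cod.cod"}

def parse_ini(text):
    """Minimal INI/.reg parser: {section: {name: value}}, names lower-cased."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith(";"):
            name, _, value = line.partition("=")
            sections[current][name.strip().strip('"').lower()] = value.strip().strip('"')
    return sections

def check_ini(win_ini, system_ini):
    """Flag the WIN.INI run= and SYSTEM.INI shell= changes described above."""
    hits = []
    run = parse_ini(win_ini).get("windows", {}).get("run", "")
    if "winsck.vbs" in run.lower():
        hits.append("WIN.INI [windows] run=" + run)
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if ".vbs" in shell.lower():  # a clean line is just shell=Explorer.exe
        hits.append("SYSTEM.INI [boot] shell=" + shell)
    return hits

def check_reg_export(reg_text):
    """Flag Run/RunServices entries naming the worm's files, plus the Sent? marker."""
    hits = []
    for key, values in parse_ini(reg_text).items():
        if key.endswith("\\currentversion") and "sent?" in values:
            hits.append(key + "\\Sent?=" + values["sent?"])
        for name, data in values.items():
            # The description lists both Run/RunServices keys and Run-named values
            # directly under CurrentVersion, so accept either layout.
            in_run = key.endswith(("\\run", "\\runservices")) or name in ("run", "runservices")
            if in_run and data.lower().rsplit("\\", 1)[-1] in WORM_FILES:
                hits.append(key + "\\" + name + "=" + data)
    return hits
```

Point the two check functions at the real WIN.INI, SYSTEM.INI and a `regedit /e` export of the CurrentVersion key to triage a suspect host offline.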
Additional Details
This worm contains this single comment line in the source of the code which is not displayed:
'Crayon Of Doom Virus By crayolarx