Name:  VBS_Homepage.a
Aliases:  Homepage.A, VBS/VBSWG.X, VBS/VBSWG.X@mm, VBS/SSI.gen@MM, VBS/SSI.gen, SSI, VBSWG
Variants:  
Type:  Mass Mailer
Platforms: Microsoft Outlook
Status:  in the wild
Threat:  medium on watch (V-CON 4)
The following has been derived from information provided by Symantec and Trend Micro.
Virus Characteristics
This Internet worm propagates only via Microsoft Outlook by sending itself as an email attachment to all addresses listed in the infected user's address book. After this, the worm tries to open certain pornographic Web sites using Internet Explorer. The email with the worm has the subject "Homepage" and the attachment "HOMEPAGE.HTML.VBS".
VBS_Homepage.a appears to have been written with the same tool that was used for VBS/SST (AnnaKournikova), the VBSWG tool (VBS worm generator).
Payload
This Internet worm requires Windows Scripting Host to be installed in a system to execute. Upon execution, it drops a copy of itself in the Windows directory as "HOMEPAGE.HTML.VBS".
It then checks for the following registry entry to see if email has already been sent out to all addresses in the address book:
HKCU\Software\An\Mailed
If the entry has the value 1, the worm has already propagated. Otherwise, the worm sends itself out as an attachment to all addresses listed in the MS Outlook address book of the infected user and then creates the above registry entry with the value 1. If the infected system does not have MS Outlook, the worm cannot propagate.
A sample of the email this worm sends out with itself as an attachment is:
Subject: Homepage
Message Body: Hi! You've got to see this page! It's really cool ;O)
Attachment: HOMEPAGE.HTML.VBS
After sending out email, the worm tries to open the following pornographic Web sites with Internet Explorer:
hardcore.pornbillboard.net/shannon/1.htm
members.nbci.com/_XMCM/prinzje/1.htm
www2.sexcropolis.com/amateur/sheila/1.htm
sheila.issexy.tv/1.htm
Then the worm checks whether the email that it sent out exists in the MS Outlook Inbox and Deleted Items folders by looking for the subject "Homepage". When it finds email with the subject "Homepage" in these folders, the worm deletes the email to prevent detection.
Preventative Measures
Disable the Windows Scripting Host, block all .vbs attachments and/or block messages with the subject line:
"Homepage"
Fixes Available
Network Associates: 4123 with minimum engine 4.0.70
Symantec: Defs dated May 8, 2001
Trend: Pattern 886
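The two mail-side measures listed under Preventative Measures (block .vbs attachments, block the subject "Homepage"), written as a gateway filter check. This is an added example, not code from the advisory or from the vendors it cites; the function names and the sample message are constructed for illustration, and the double-extension flag and trailing-dot handling go slightly beyond the plain .vbs rule.

```python
import email
from email import policy

# Indicators taken from the advisory above.
WORM_SUBJECT = "homepage"
BLOCKED_EXT = ".vbs"

# Constructed sample: matches the described email; the attachment body is a placeholder.
SAMPLE_WORM = (
    b"Subject: Homepage\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Hi! You've got to see this page! It's really cool ;O)\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="HOMEPAGE.HTML.VBS"\r\n'
    b"\r\n"
    b"placeholder, not worm code\r\n"
    b"--b1--\r\n"
)

def attachment_names(msg):
    """Yield the decoded filename of every MIME part that declares one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows drops trailing dots and spaces when the file is saved.
            yield name.strip().rstrip(". ")

def check_message(raw_bytes):
    """Return quarantine reasons (empty list = pass). A name such as
    HOMEPAGE.HTML.VBS is also flagged as a double extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() == WORM_SUBJECT:
        reasons.append("subject")
    for name in attachment_names(msg):
        lower = name.lower()
        if lower.endswith(BLOCKED_EXT):
            reasons.append("vbs-attachment:" + name)
            if "." in lower[: -len(BLOCKED_EXT)]:
                reasons.append("double-extension")
    return reasons

if __name__ == "__main__":
    print(check_message(SAMPLE_WORM))
```

The subject match is exact and case-insensitive, so legitimate mail whose subject merely contains the word "Homepage" is not caught by that rule alone.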