SECURITY ALERT

Name:      VBS/Cuerpo-A
Aliases:   Cuerpo
Variants:  
Type:      VB Script
Platforms: MS Outlook
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by NAI and Sophos.

Virus Characteristics

VBS/Cuerpo-A is a polymorphic email-aware worm which uses Microsoft Outlook to replicate. The worm arrives in an email message either with a blank subject or with a random subject taken from the subject of messages already in Outlook folders.


Payload

When the attached file is opened the worm creates several randomly named VBS and HTML files in the Windows System directory. The worm changes the registry key HKCU\Software\Microsoft\Internet Explorer\Start Page so that it points to a dropped HTML file called BLANK.HTM. The file contains a reference to "www.freedonation.com".

The worm searches for email addresses using two methods. First it looks through Outlook's contacts and other folders. It then searches all local and network drives for files with extensions .TXT, .NA2, .WAB, .MBX, .DBX and .DAT. If a file with that extension is found, it is read and any string that appears to be an email address is extracted by the worm.

The worm also attempts to copy itself into C:\Recycled\rndmein.vbs and changes the Registry keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rndmein

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sn

so that it runs on Windows startup.

The worm originated from an HTML page on a website. If the website is accessed with Internet Explorer the following warning message is displayed:

"Some software (ActiveX controls) on this page might be unsafe. It is recommended that you do not run it. Do you want to allow it to run?"

If the user chooses "Yes" then the page creates a file Winstart.bat in the Windows directory which will run on Windows startup and drop a worm file called rndmein.vbs.


Preventative Measures

Block all files with the .VBS extension at the SMTP gateway. Disable the Windows Scripting Host.
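The following PowerShell script is an added example, not part of the original alert: it is a read-only host check for the Cuerpo-A artifacts named above (the two Run values, the dropped files, the redirected IE start page) and, behind a switch, applies the alert's mitigation of disabling the Windows Scripting Host. It assumes that BLANK.HTM may sit in either System or System32 depending on Windows version, and that the start page value lives under the Internet Explorer\Main subkey, which the alert's path omits.

```powershell
# Added example (not from the original alert): check a host for the Cuerpo-A
# indicators the alert describes; -DisableWsh applies the alert's WSH mitigation.
param([switch]$DisableWsh)

$findings = @()

# Persistence: the two Run values the alert names under HKLM ...\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Rndmein', 'sn') {
    $val = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "Run value '$name' present -> $val" }
}

# Dropped files: rndmein.vbs in C:\Recycled and Winstart.bat in the Windows directory.
# BLANK.HTM is dropped in the "Windows System directory"; both System and System32
# are tried here (assumption: which one applies depends on the Windows version).
$paths = @(
    'C:\Recycled\rndmein.vbs',
    (Join-Path $env:windir 'Winstart.bat'),
    (Join-Path $env:windir 'System\BLANK.HTM'),
    (Join-Path $env:windir 'System32\BLANK.HTM')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# IE Start Page redirected to the dropped BLANK.HTM. The alert writes the path as
# ...\Internet Explorer\Start Page; the value is stored under the \Main subkey.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -match 'BLANK\.HTM') {
    $findings += "IE Start Page points at dropped file: $($ie.'Start Page')"
}

# Mitigation named in the alert: Windows Scripting Host disabled via the documented
# Enabled=0 policy value. An absent value means WSH is enabled (the default).
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wsh = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($wsh -ne 0) {
    $findings += 'Windows Scripting Host is enabled (.vbs attachments execute if opened)'
    if ($DisableWsh) {
        New-Item -Path $wshKey -Force | Out-Null
        Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord
        $findings += 'Set WSH Enabled=0 machine-wide; re-run to confirm'
    }
}

if ($findings.Count -eq 0) { 'No Cuerpo-A indicators found.' } else { $findings }
```

Writing to HKLM requires an elevated session; run without -DisableWsh first to see what would be reported on the host.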


Fixes Available

Network Associates: 4157 due 09/05/2001
Sophos: cuerpo-a.ide
Symantec: Certified definitions dated 0830
