SECURITY ALERT

Name:      VBS/Pica.a
Aliases:   DS9.vbs, I-Worm.Lee, OSTERHASE.vbs, PICARD.vbs, VBS/Pica.worm.gen
Variants:  VBS/Pica.b, VBS/Pica.c
Type:      Worm
Status:    not known to be in the wild
Threat:    low

The following has been derived from information provided by Network Associates.

Virus Characteristics

VBS/Pica.a is an Internet worm that sends itself via MAPI email and to IRC channels, the latter by modifying the mIRC configuration file. The worm cannot run unless Windows Scripting Host or Visual Studio applications are installed on the machine. It arrives in a file named "DS9.vbs", which is believed to be a reference to the "Deep Space Nine" television series. The worm attempts to forward itself via MAPI email (Outlook) with the following details:

Subject = "Hi check This..."
Body = "Hello..your Game is Over..By Q from Lee"
Attachment = "Ds9.vbs"

If the attachment is run, the script will modify the registry to load the worm at Windows startup by adding the following key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lee

It is safe to delete this key if found.

After the worm has executed its mass mailing routine, which sends a copy of the worm to all recipients in the available address books, it will modify the registry to include this tag:

"HKCU\software\Ds9\mailed" = "1"

VBS/Pica.a will then attempt to forward itself via IRC by modifying the SCRIPT.INI of existing mIRC installations to send the "DS9.vbs" file to users who log onto IRC channels.

The following tag will then be added to the registry:

"HKCU\software\Ds9\Mirqued" = "1"
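
The registry traces listed above can be checked offline against a registry export taken from a suspect machine. The following is an added example, not part of the original alert: the function names and the sample export are constructed, and it assumes "Lee" may appear either as a value under the Run key or as a subkey, and that a tag of "1" may be exported as a string or as a DWORD.

```python
import re

# Indicators from the alert. Assumptions: "Lee" may appear as a value under
# the Run key or as a subkey, and a tag of "1" may be exported as a string
# or as a DWORD; the alert does not specify either.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DS9_KEY = r"hkey_current_user\software\ds9"
STAGES = {"mailed": "mass-mailing routine has run",
          "mirqued": "mIRC SCRIPT.INI was modified"}
SET = {"1", "dword:00000001"}

def parse_reg_export(text):
    """Parse regedit export text into {key_path: {value_name: data}} (names lowercased)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip().strip('"')
    return keys

def triage(text):
    """Return one finding per VBS/Pica.a registry trace present in the export."""
    keys, findings = parse_reg_export(text), []
    if "lee" in keys.get(RUN_KEY, {}) or RUN_KEY + "\\lee" in keys:
        findings.append("Run\\Lee present: worm loads at Windows startup")
    for name, meaning in STAGES.items():
        if keys.get(DS9_KEY, {}).get(name, "").lower() in SET:
            findings.append(f"Ds9\\{name} = 1: {meaning}")
    return findings

# Constructed sample export (not from a real machine); value data is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lee"="<constructed placeholder>"

[HKEY_CURRENT_USER\Software\Ds9]
"mailed"="1"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Exports written in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to triage().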


Variants

VBS/Pica.b uses PICARD.VBS as an attachment but does not run. VBS/Pica.c uses OSTERHASE.VBS as an attachment and also does not run.
