- It spreads through the Outlook to the first address in address book, as an email with the attachment "caifanes.chm".
- It writes in registry the key
with the value "1".
1. Make sure that you have the latest updates using BitDefender Live!;
2. Make the following changes in the windows registry:
Please make sure to modify only the values that are specified. It is also recommended to backup
the Windows Registry before proceeding with these changes.
a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete following key:
3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with VBS.Breetnee.B@mm
Mihaela Stoian BitDefender Virus Researcher
The worm is a vb-script in a html-page embedded in a chm-file.
file is opened, it shows a message box with the
and it opens the html page:
It copies itself in the "Windows" folder (C:\Windows
), with the name "caifanes.chm
". It sends an email to the first contact in address book, through the Outlook.
The email has: Subject:
"RE:Nuevo video de Caifanes" Body: "Caifanes regresa y te muestra su nuevo video musical
< user's name >" Attachment: the virus - a vb-script in a html-page embedded in a chm-file.
In order to send the infected email just once, it creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm"
with the value "1"
It also spreads itself through the mIRC. It searches the mIRC folder: It searches first the hard disk ( drives C:, D:, E: ) in order to find "mirc.ini"
and second, it searches in registry the key HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ChatFile\DefaultIcon\
in order to find the location of the file "mirc.exe"
If it finds the mIRC folder, it creates there a file, "script.ini"
, which sends the chm-file through mIRC.