VBS.Breetnee.B@mm

MEDIUM
VERY LOW
10651 bytes
(N/A)

Symptoms

- It spreads through Outlook to the first address in the address book, as an email with the attachment "caifanes.chm".
- It writes the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm"
with the value "1".

Removal instructions:

1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows registry:
Please make sure to modify only the values that are specified. It is also recommended to back up
the Windows Registry before proceeding with these changes.

a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following key:
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm"

3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with VBS.Breetnee.B@mm.

Analyzed By

Mihaela Stoian BitDefender Virus Researcher

Technical Description:

The worm is a VBScript in an HTML page embedded in a CHM file.
When "caifanes.chm" file is opened, it shows a message box with the
text:



and it opens the html page:



It copies itself to the "Windows" folder (C:\Windows or C:\Winnt), with the name "caifanes.chm". It sends an email to the first contact in the address book through Outlook.

The email has:
Subject:

"RE:Nuevo video de Caifanes"

Body:
"Caifanes regresa y te muestra su nuevo video musical
Regards,
< user's name >"

Attachment:
the virus - a VBScript in an HTML page embedded in a CHM file.

In order to send the infected email just once, it creates the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm" with the value "1".

It also spreads through mIRC. To locate the mIRC folder, it first searches the hard disk (drives C:, D:, E:) for "mirc.ini"; second, it looks in the registry at the key HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ChatFile\DefaultIcon\
in order to find the location of the file "mirc.exe".

If it finds the mIRC folder, it creates a file there, "script.ini", which sends the CHM file through mIRC.
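
The artifacts described above (the registry marker, the copy in the Windows folder and the "script.ini" in the mIRC folder) can be checked on a host with the following added example, which is not part of the original write-up or of Bitdefender's tooling. The function names are hypothetical; it assumes that the "chm" marker may be stored either as a subkey or as a named value, and that the worm's "script.ini" names the file it sends, so any other "script.ini" is only flagged for review.

```python
import ntpath
import re
from contextlib import suppress
from pathlib import Path

PARENT = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
ICON_KEY = r"SOFTWARE\Classes\ChatFile\DefaultIcon"


def mirc_dir_from_icon(value):
    """Folder of mirc.exe from a DefaultIcon string like '"C:\\mirc\\mirc.exe",0'."""
    return ntpath.dirname(re.sub(r",-?\d+$", "", value.strip()).strip('"'))


def read_registry():
    """(marker_present, mirc_dir) from the live registry; (False, None) off Windows."""
    marker, mirc = False, None
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return marker, mirc
    hklm = winreg.HKEY_LOCAL_MACHINE
    with suppress(OSError):  # 'chm' stored as a subkey
        winreg.OpenKey(hklm, PARENT + r"\chm")
        marker = True
    with suppress(OSError):  # 'chm' stored as a named value
        winreg.QueryValueEx(winreg.OpenKey(hklm, PARENT), "chm")
        marker = True
    with suppress(OSError):
        mirc = mirc_dir_from_icon(winreg.QueryValue(hklm, ICON_KEY))
    return marker, mirc


def scan(windows_dirs, mirc_dirs, marker_present):
    """(indicator, detail) pairs for the artifacts the page describes."""
    hits = [("registry-marker", "HKLM\\" + PARENT + "\\chm")] if marker_present else []
    for d in windows_dirs:
        if (Path(d) / "caifanes.chm").is_file():
            hits.append(("dropped-copy", str(Path(d) / "caifanes.chm")))
    for d in filter(None, mirc_dirs):
        ini = Path(d) / "script.ini"
        if ini.is_file():  # assumption: the worm's script.ini names the file it sends
            named = "caifanes.chm" in ini.read_text(errors="ignore").lower()
            hits.append(("mirc-script" if named else "mirc-script-review", str(ini)))
    return hits


if __name__ == "__main__":
    marker, mirc = read_registry()
    print(*scan([r"C:\Windows", r"C:\Winnt"], [mirc], marker), sep="\n")
```

If mIRC was found through "mirc.ini" on another drive rather than through the registry, pass that folder in `mirc_dirs` as well.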