VBS.Cian.C@mm (VBS.Cian.C@mm (X97M), VBS.Cian.C@mm (W97M), I-Worm.Thery.b)
SYMPTOMS:
- The files "Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs" and "Winnet32.vbs" are in the system folder (C:\Windows\System or C:\Winnt\System32).
- The files "Netlnk32.vbs" and "Conversation.vbe" are in the windows folder (C:\Windows or C:\Winnt).
- The registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winstart" has the value "Wscript.exe

TECHNICAL DESCRIPTION:
The virus copies itself into the system folder (C:\Windows\System or C:\Winnt\System32) as "Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs" and "Winnet32.vbs", and into the windows folder (C:\Windows or C:\Winnt) as "Netlnk32.vbs" and "Conversation.vbe".

It creates the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winstart" with the value "Wscript.exe

It overwrites the file "personal.xls" in the startup folder of Excel (for instance, this path can be "C:\Windows\Application Data\Microsoft\Excel\Startup") in order to infect xls-files when they are opened. It creates a temporary file "Evade.gif" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing the malicious code used to infect xls-files.

It overwrites the file "normal.dot" in the template folder of Word (for instance, this path can be "C:\Windows\Application Data\Microsoft\Templates") in order to infect Word documents when they are opened. It creates a temporary file "Evade.jpg" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing the malicious code used to infect documents.

It copies itself as "Passwords.vbs" into the root of every drive of the system, except "C:\". It adds its code to every ".vbs" or ".vbe" file, in every folder of every drive.
The virus overwrites, as a ".vbs" file, all the ".mp3", ".mp2", ".avi", ".mpg", ".mpeg", ".mpe", ".mov", ".pdf", ".doc", ".xls", ".mdb", ".ppt" and ".pps" files within the folders:
- "C:\Kazaa\My Shared Folder"
- "C:\My Downloads"
- "\Kazaa\My Shared Folder"
- "\KaZaA Lite\My Shared Folder"
- "\Bearshare\Shared"
- "\Edonkey2000"
- "\Morpheus\My Shared Folder"
- "\Grokster\My Grokster"
- "\ICQ\Shared Files"

It overwrites the file "script.ini" in the mIRC folder in order to send a copy of itself ("Conversation.vbe" from the windows folder) through mIRC.

The VBA form of the virus infects all accessed Word documents and Excel workbooks. It modifies the security levels for Word and Excel.

Infected documents spread themselves by e-mail with the subject:
- "Here is that file"
- "Important file"
- "The file"
- "Word file"
- "The file you wanted"
- "Here is the file"
- or the name of the infected document.
The body of the e-mail is: "The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected document itself.

Infected xls-files spread themselves by e-mail with the subject:
- "Here is that file"
- "Important file"
- "The file"
- "Excel file"
- "The file you wanted"
- "Here is the file"
- or the name of the infected xls-file.
The body of the e-mail is also: "The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected xls-file.

Removal instructions:
Automatic removal: let BitDefender disinfect/delete the files found infected.

ANALYZED BY:
Mihaela Stoian
BitDefender Virus Researcher
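An added triage example (not part of the original BitDefender write-up): a Python check of one drive root, either a live system or a mounted disk image, for the file artifacts listed in the description above. The function names and the `is_c_drive` parameter are this example's own assumptions; the Run\Winstart registry value is not checked here.

```python
import os
from pathlib import Path

# Folder and file names exactly as listed in the description above.
# Evade.gif / Evade.jpg are described as temporary, so their absence proves nothing.
SYSTEM_DIRS = ("Windows/System", "Winnt/System32")
WINDOWS_DIRS = ("Windows", "Winnt")
SYSTEM_FILES = ("Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs", "Winnet32.vbs",
                "Evade.gif", "Evade.jpg")
WINDOWS_FILES = ("Netlnk32.vbs", "Conversation.vbe")


def _child(parent, name):
    """Case-insensitive lookup of one path component (images mounted on Linux)."""
    try:
        for entry in os.scandir(parent):
            if entry.name.lower() == name.lower():
                return Path(entry.path)
    except OSError:  # missing folder, not a directory, or unreadable
        pass
    return None


def _resolve(root, rel):
    """Walk rel ('a/b/c') below root one component at a time, ignoring case."""
    path = Path(root)
    for part in rel.split("/"):
        path = _child(path, part)
        if path is None:
            return None
    return path


def find_cian_artifacts(root, is_c_drive=True):
    """Return sorted artifact paths (relative to root) found under one drive root."""
    wanted = [f"{d}/{n}" for d in SYSTEM_DIRS for n in SYSTEM_FILES]
    wanted += [f"{d}/{n}" for d in WINDOWS_DIRS for n in WINDOWS_FILES]
    if not is_c_drive:
        # Passwords.vbs is dropped in the root of every drive except C:\
        wanted.append("Passwords.vbs")
    hits = []
    for rel in wanted:
        found = _resolve(root, rel)
        if found is not None and found.is_file():
            hits.append(found.relative_to(root).as_posix())
    return sorted(hits)
```

A hit on these names is a lead for further inspection of the file contents, not proof of infection by itself.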