VBS.VBSWG.AQ@mm (N/A)
SYMPTOMS:
- File "ShakiraPics.jpg.vbs" in the Windows folder (C:\windows or C:\winnt).
- The registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry" has the value "wscript.exe C:\Windows\ShakiraPics.jpg.vbs %" or "wscript.exe C:\Winnt\ShakiraPics.jpg.vbs %".
- The size of every VBS file is 7997 bytes.

TECHNICAL DESCRIPTION:
The virus copies itself as "ShakiraPics.jpg.vbs" into the Windows folder (C:\windows or C:\winnt). This worm spreads through Outlook and mIRC, and also infects VBS and VBE files.

It writes the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry" with the value "wscript.exe C:\Windows\ShakiraPics.jpg.vbs %" or "wscript.exe C:\Winnt\ShakiraPics.jpg.vbs %" so that a copy of the virus is launched at every system restart.

It sends an e-mail to every contact in the Outlook address book. The format of an infected e-mail is:
From:
Subject: "Shakira's Pictures"
Body: Hi : i have sent the photos via attachment have funn...
Attachment: "ShakiraPics.jpg.vbs"

It also writes the value "1" to the registry key "HKEY_LOCAL_MACHINE\software\ShakiraPics\mailed" so that infected e-mails are sent only the first time.

It spreads through mIRC. It searches for the file "mirc.ini" in the folder C:\mirc or C:\mirc32. If found, it creates (or overwrites) the file script.ini in order to send itself through mIRC. It writes the value "1" to the key "HKEY_LOCAL_MACHINE\software\ShakiraPics\mirqued" so that it spreads through mIRC only once.

It erases all VBS and VBE files from every drive of the disk and puts a copy of itself in their place. While the script is running it cannot be deleted, because it continuously recreates the file containing the virus code.

REMOVAL INSTRUCTIONS:
1. Make sure that you have the latest updates using BitDefender Live!;
2. Make the following changes in the Windows registry. Please make sure to modify only the values that are specified.
It is also recommended to back up the Windows Registry before proceeding with these changes.
3. Perform

ANALYZED BY: Mihaela Stoian, BitDefender Virus Researcher
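The symptoms above (the dropped file, the Run value, the 7997-byte script size and the two "1" marker values) can be checked mechanically. The following triage script is an added example, not BitDefender's tool: it takes a constructed snapshot of a host (Run values, a file listing with sizes, and the ShakiraPics marker keys) and reports which of this worm's indicators are present. The snapshot data and the finding categories are assumptions of the example; on a live machine the same function would be fed the real Run values and a directory walk.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description of VBS.VBSWG.AQ@mm above.
WORM_FILE = "shakirapics.jpg.vbs"
WORM_SIZE = 7997                      # size of every VBS/VBE file the worm overwrites
RUN_VALUE_RE = re.compile(
    r"^wscript\.exe\s+c:\\win(?:dows|nt)\\shakirapics\.jpg\.vbs\s+%$", re.I)
MARKER_KEYS = {r"hklm\software\shakirapics\mailed",
               r"hklm\software\shakirapics\mirqued"}
MIRC_SCRIPTS = {r"c:\mirc\script.ini", r"c:\mirc32\script.ini"}

def scan_snapshot(run_values, files, markers):
    """run_values: {value name: data} under HKLM\\...\\CurrentVersion\\Run
    files: iterable of (windows path, size in bytes)
    markers: {key path: data} for the HKLM\\software\\ShakiraPics values
    Returns a list of (category, detail) findings; empty list means clean."""
    findings = []
    for name, data in run_values.items():
        if RUN_VALUE_RE.match(data.strip()):
            findings.append(("run_key", f"{name} = {data}"))
    for path, size in files:
        p = PureWindowsPath(path)
        if p.name.lower() == WORM_FILE and \
                str(p.parent).lower() in (r"c:\windows", r"c:\winnt"):
            findings.append(("dropped_copy", path))
        elif p.suffix.lower() in (".vbs", ".vbe") and size == WORM_SIZE:
            findings.append(("overwritten_script", path))   # original script replaced
        elif str(p).lower() in MIRC_SCRIPTS:
            findings.append(("mirc_script_review", path))   # may have been overwritten
    for key, data in markers.items():
        if key.lower() in MARKER_KEYS and str(data) == "1":
            findings.append(("marker", key))
    return findings

# Constructed sample snapshot of an infected host (not real captured data).
SAMPLE_RUN = {"Registry": r"wscript.exe C:\Windows\ShakiraPics.jpg.vbs %",
              "SystemTray": "SysTray.Exe"}
SAMPLE_FILES = [(r"C:\Windows\ShakiraPics.jpg.vbs", 7997),
                (r"D:\scripts\backup.vbs", 7997),     # user script, now worm-sized
                (r"D:\scripts\report.vbe", 1204),     # untouched script
                (r"C:\mirc\script.ini", 143)]
SAMPLE_MARKERS = {r"HKLM\software\ShakiraPics\mailed": "1"}

if __name__ == "__main__":
    for category, detail in scan_snapshot(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_MARKERS):
        print(f"{category:20} {detail}")
```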