VBS.Stream.A

LOW
LOW
N/A
(N/A)

Symptoms

- the presence of the driver.doc                (many spaces)        .vbs file in the Windows directory;

- the file go.vbs in the system directory;
- the notepad.vbs file in the %windir%\System32\ras\ folder.

Removal instructions:

If you don't have BitDefender installed click here to download an evaluation version.

1. Make sure that you have the latest updates using BitDefender Live!;

2. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.Stream.A.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This is an Internet worm that spreads on WinNT/2000 systems.
The virus arrives as an e-mail sent from the victim, in the following format:

From:
Subject: New Generation of drivers.
Body:
Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes, Microsoft.
Attachment: driver.doc                (many spaces)        .vbs


A picture of the mail received looks like this:



When the user executes the attachment, the virus copies itself into the Windows directory under the same name. If it is not executed from an NTFS partition, it quits. Otherwise, the virus creates 4 streams of data attached to the file odbc.ini (also in the Windows directory).

The streams are named:
-   main
-   mail
-   user
-   group
and they contain other parts of the virus.

File streams are particular to NTFS partitions, and a normal view of that file does not show them. After this, the virus creates a file go.vbs in the system directory and executes it after 10 seconds. The second part of the virus (stored in go.vbs) creates the file %windir%\System32\ras\notepad.vbs, in which it puts together the streams from odbc.ini.

After another 10 seconds this last file is executed; this is where the main viral action takes place. The virus now sends itself using MAPI (Mail API) to the first 50 contacts, in the same format as shown above. Next, it creates a user named Lord_Nikon and adds that user to the Administrators group.
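
The artifacts described above can be checked on a host with a short PowerShell script. This is an added example, not part of the original BitDefender write-up. It assumes that "system directory" means %windir%\System32 and that the host runs Windows PowerShell 5.1 or later (for `Get-Item -Stream` and the LocalAccounts cmdlets).

```powershell
# Added example: look for the VBS.Stream.A artifacts listed in this description.
# Assumption: "system directory" is %windir%\System32.
$windir   = $env:windir
$findings = @()

# 1. Dropped copy in the Windows directory. The name is "driver.doc", a run of
#    spaces, then ".vbs", so match the pattern instead of a fixed space count.
$findings += @(Get-ChildItem -LiteralPath $windir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^driver\.doc\s+\.vbs$' } |
    ForEach-Object { "Dropped copy: $($_.FullName)" })

# 2. The two helper scripts the worm writes.
foreach ($path in "$windir\System32\go.vbs", "$windir\System32\ras\notepad.vbs") {
    if (Test-Path -LiteralPath $path) { $findings += "Dropped script: $path" }
}

# 3. Alternate data streams on odbc.ini. A clean file has only the unnamed
#    ':$DATA' stream; the worm adds main, mail, user and group.
$odbc = Join-Path $windir 'odbc.ini'
if (Test-Path -LiteralPath $odbc) {
    $findings += @(Get-Item -LiteralPath $odbc -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $tag = if ($_.Stream -in 'main', 'mail', 'user', 'group') {
                'worm stream name'
            } else {
                'unexpected stream'
            }
            "ADS on odbc.ini: $($_.Stream) ($($_.Length) bytes, $tag)"
        })
}

# 4. The account the worm creates and promotes. The Administrators group is
#    addressed by its well-known SID so the check works on localized systems.
if (Get-LocalUser -Name 'Lord_Nikon' -ErrorAction SilentlyContinue) {
    $findings += 'Local user Lord_Nikon exists'
}
$findings += @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*\Lord_Nikon' } |
    ForEach-Object { "Administrators member: $($_.Name)" })

if ($findings.Count -gt 0) { $findings } else { 'No VBS.Stream.A artifacts found.' }
```

Run it from an elevated prompt so that the Windows directory and the local group membership are readable.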