- the presence of the
driver.doc (many spaces) .vbs file in the Windows directory;
- the file go.vbs in the system directory;
- the notepad.vbs file in the %windir%\System32\ras\ folder.
If you don't have BitDefender installed click here to download an evaluation version.
1. Make sure that you have the latest updates using
a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with VBS.Stream.A
BitDefender Virus Researcher
This is an Internet Worm, which spreads in WinNT/2000 systems.
The virus comes as a mail sent from the victim with the following format: From: Subject: New Generation of drivers. Body:
Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes, Microsoft.
Attachment: driver.doc (many spaces) .vbs
A picture of the mail received looks like this:
When the user executes the attachment the virus copies itself in the Windows directory under the same name. If it is not executed from an NTFS partition, it quits. Otherwise the virus creates 4 streams of data attached to the file odbc.ini
(also in Windows directory).
The streams are named:
and they contain other parts of the virus.
File streams are particular to NTFS partitions and a normal view of that file would not show those streams. After this, the virus creates a file go.vbs
in the system directory, and executes it after 10 seconds. The second part of the virus (stored in go.vbs
) creates the file %windir%\System32\ras\notepad.vbs
where it puts together the streams from odbc.ini
After another 10 seconds this last file is executed and here the main viral action is. Now the virus send itself using MAPI (Mail API) to the first 50 contacts with the same format as shown above. Next, it creates a user Lord_Nikon
and adds that user to the Administrators group.