
New Virus Type

  • 07-07-2000 10:40am
    #1
    Moderators, Social & Fun Moderators Posts: 28,633 Mod ✭✭✭✭


    Our head of IS sent this round the company - you guys might like to see it (or maybe it's old news to you!).

    +++++

    From: http://vil.nai.com/villib/dispVirus.asp?virus_k=98724

    Virus Name Wscript/Jer.worm

    Aliases
    JER.HTM
    VBS.1ON1MAIL
    VBS.Jer
    VBS_Jer

    Description Added
    7/6/00

    Virus Information

    Discovery Date: 6/26/00
    Origin: Web page
    Length: Variable
    Type: Trojan
    SubType: VbScript
    Minimum Dat: 4086
    DAT Release Date: 7/12/00


    Virus Characteristics
    This is a Visual Basic Script worm, originally posted within a web page encoded in HTML and VBScript. This worm attempts to distribute itself via IRC channels and also MAPI email. This trojan also contains a registry modification routine which modifies policy settings, changing the appearance of the Desktop among other setting changes.

    There have been a few variants created after the initial release of this script. It was reportedly sent as a link to several users in a chat session who reportedly visited the page where the script was hosted.

    In the original web page, it was titled "THE 40 WAYS WOMEN FAIL IN BED" and contained text as well as the Internet worm scripting. Users who viewed the web with low Internet security settings were highest at risk.

    The script when run writes a file to the local system and modifies the registry to load this file at Windows startup. The first version of the script wrote "ewell.htm" while another variant wrote "1on1mail.htm". The registry location is:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    The registry is also modified with these changes (original values are '0'):

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoClose = 1
    NoDesktop = 1
    NoFind = 1

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network
    NoNetSetup = 1

    HKLM\Software\Microsoft\Windows\CurrentVersion
    Version = VBS.Brian_Ewell
    RegisteredOwner = Did you just get this job?
    RegisteredOrganization = Symantec® 2000

    After modifying the registry, this worm modifies the local script files MIRC.INI or SCRIPT.INI in a method to distribute itself when joining IRC channels.

    After this process, it attempts to send a message using MAPI email in this format:

    Subject = "Brian Ewell Resume"
    Body = "I would really like to get a new job. Please check out my resume."
    "Enjoy :-)"
    "Brian Ewell"
    Attachments = "Ewell.htm"


    Symptoms
    Creation of an HTM file in the Windows\system(32) folder, modifications to the registry after viewing a web page and allowing scripts to run. Changes to the Windows Desktop settings or disappearance of all icons from the desktop. IRC Channel distribution via a modified SCRIPT.INI or MIRC.INI script. MAPI email propagation.

    When logging on to IRC channels, the client may log onto the channel "virus" and send this message:

    "Another user infected by Brian Ewell -- Sarc"

    Method Of Infection
    This worm uses VBScript and Windows Scripting Host in order to run its code. Users are suggested to set their Internet settings to "prompt" or "disable" scripting and ActiveX.

    +++++



    All the best,

    Dav
    @B^)
    My page of stuff
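
Added example, not part of the original post or the vendor description: a Python check that scans a text registry export for the registry changes the description lists (the policy values, the `Version` marker and a `Run` entry pointing at `ewell.htm` or `1on1mail.htm`). It assumes a REGEDIT4-format export with the policy values stored as DWORDs; the sample export and the Run value name `Example` are constructed.

```python
import re

# Indicators below come from the description in the post; value types are assumed.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
POLICY_IOCS = [(CV + r"\policies\explorer", n) for n in ("noclose", "nodesktop", "nofind")]
POLICY_IOCS.append((CV + r"\policies\network", "nonetsetup"))
DROPPED_FILES = ("ewell.htm", "1on1mail.htm")

def parse_reg(text):
    """Parse a REGEDIT4 text export into {(key, value_name): value}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key and m:
            raw = m.group(2)
            if raw.startswith("dword:"):
                val = int(raw[6:], 16)
            else:  # string value: drop quotes, unescape doubled backslashes
                val = raw.strip('"').replace("\\\\", "\\")
            values[(key, m.group(1).lower())] = val
    return values

def find_indicators(text):
    """Return a list of findings matching the registry changes listed in the post."""
    vals = parse_reg(text)
    hits = [f"policy {name}=1" for key, name in POLICY_IOCS if vals.get((key, name)) == 1]
    if vals.get((CV, "version")) == "VBS.Brian_Ewell":
        hits.append("version marker")
    for (key, name), val in vals.items():
        # Compare the file name only, so the install directory does not matter.
        if key == CV + r"\run" and str(val).lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
            hits.append(f"run entry {name} -> {val}")
    return hits

# Constructed sample export (not captured from a real machine); "Example" is a made-up name.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\WINDOWS\\SYSTEM\\ewell.htm"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001
"NoDesktop"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"Version"="VBS.Brian_Ewell"
'''

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)) or "no indicators found")
```
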


Comments

  • Users Awaiting Email Confirmation Posts: 285 ✭✭sam


    this sort of thing has been around for some time, "trojan" html files that used activex to modify files on the target system,
    goes to show how **** "ActiveX" is

