VBS/Mcon-G

Category: Viruses and Spyware
Type: Visual Basic Script worm
Prevalence:

VBS/Mcon-G is a worm which spreads via network shares and IRC channels.

When first run the worm copies itself as ttfload.vbs to all folders whose name contains the text string "startup" (without regard for case) and to the Windows fonts folder.

The worm then launches ttfload.vbs from the Windows fonts folder, displays a message box with the text "ERROR", "INVALID FILE FORMAT" and finally deletes itself.

The worm also creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ttfload
"wscript.exe <Windows>\Fonts\ttfload.vbs"

HKCU\Software\Microsoft\Windows Scripting Host\Settings
Timeout
0

HKCU\Software\Microsoft\Windows Script Host\Settings
Timeout
0

The worm then launches <Windows>\fonts\ttfload.vbs, displays a message box with the text "ERROR", "INVALID FILE FORMAT" and finally deletes itself.

When the worm is run as <Windows>\fonts\sndload.vbs it replaces the mIRC initialization file Script.ini and tries to spread to shared drives on the local network and at randomly chosen IP addresses.

The worm searches all visible drives (both fixed and removable) for folders matching "download", "downloads" and for folders whose names contain the text "my", "share", "startup", "upload", "download". The worm copies itself to these folders using filenames taken from the Windows Recent folder with VBS or <SPACES>VBS appended, where <SPACES> is a random number of spaces.

The worm avoids using the filenames mscfg.exe, ashield.pif, netstat.pif, network.vbs, mscfg.vbs, winsock.vbs, a24.vbs and samples.vbs or names which it has already used.

Any folders named "chode", "foreskin" or "dickhair" will be deleted.

The worm will then loop repeatedly generating random IP addresses based upon a selection of subnet masks. The worm pings these random addresses and if it receives a reply it tries to copy itself to the Windows startup folder on any shared drives.

The worm uses a similar strategy to spread via IRC channels.

The file Script.ini is dropped to any folders named "mirc" on local and network drives, replacing any existing copy of this file. The new version of Script.ini runs automatically each time a mIRC session is started and tries to send the worm to randomly generated IP addresses every 30 seconds.
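A triage sketch for the file artifacts described above, added here as an example and not part of the original description: it walks a directory tree (for example a mounted disk image) and flags ttfload.vbs in startup or fonts folders, files whose names end in space-padded VBS, and Script.ini inside folders named "mirc". The rule names, the regular expression for the padded VBS tail and the sample tree are constructed assumptions.

```python
import os
import re
import tempfile

# Assumption: "<SPACES>VBS appended" shows up as whitespace followed by VBS at the end of the name.
PADDED_VBS = re.compile(r"\s+\.?vbs$", re.IGNORECASE)


def scan_tree(root):
    """Return sorted (rule, relative_path) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            lname = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            # Worm copy: ttfload.vbs in any "*startup*" folder or in the fonts folder.
            if lname == "ttfload.vbs" and ("startup" in folder or folder == "fonts"):
                findings.append(("dropped-copy", rel))
            # Copy named after a Recent item with padded VBS appended.
            if PADDED_VBS.search(name):
                findings.append(("padded-vbs", rel))
            # Script.ini in a "mirc" folder may have been replaced; flag it for review.
            if lname == "script.ini" and folder == "mirc":
                findings.append(("mirc-script-ini", rel))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    sample = [
        "Windows/Fonts/ttfload.vbs",
        "Users/a/Start Menu/Programs/StartUp/ttfload.vbs",
        "Users/a/My Documents/budget.xls     VBS",
        "Program Files/mIRC/Script.ini",
        "Users/a/Desktop/backup.vbs",  # ordinary script, should not be flagged
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_tree(root)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule}: {path}")
```

A Script.ini hit only marks the file for inspection, since the check looks at the location and not the contents.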

The worm may also change the default start page for Microsoft Internet Explorer by setting the following registry entry:

HKLM\Software\Microsoft\Internet Explorer\Main\
Start
"http://www.zonelabs.com/"
