Sophos

VBS/Corica-A

Summary

 
Detected by All Sophos products

More Information

VBS/Corica-A is a VBScript worm that sets the following registry entry so that any attempt to edit a file with a VBS extension using the default option of Notepad.exe will display the file C:\Windows\Microsoft.txt:

HKLM\Software\Classes\VBSfile\Shell\Edit\Command =
C:\Windows\notepad.exe %C:\Windows\Microsoft.txt

Microsoft.txt contains nothing but the message "Silver Surfer" in Morse code and is created by VBS/Corica-A.

The worm sets the Internet Explorer start page to http://www.latingua.com. It also modifies the Windows Desktop wallpaper so that a large red, white and blue banner displaying the message "Costa Rica, es un pais libre y democratico." appears in the centre of the screen, and the message "Viva Costa Rica!" scrolls along the bottom of the screen in red text.

VBS/Corica-A copies itself to C:\Windows\Microsoft.vbs and creates a shortcut in the current folder, called Microsoft.Lnk, to run this VBS file.

VBS/Corica-A attempts to email itself to all contacts in the Outlook address book. The email will have one of the following two sets of characteristics:

Subject: Hi
Message body: Please open the attachment is very important.
Attached file: Microsoft.vbs

or

Subject: Hola
Message body: Aqui te mando un anexo muy importante que lo abras.
Attached file: Microsoft.vbs
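
The two mail profiles above can be turned into a mail-gateway check. The following is an added example, not Sophos code: the function names, the indicator labels and the sample messages (built with example.com addresses and a placeholder attachment body) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the description above: subject -> message body, plus the
# attachment name. Compared case-insensitively with whitespace collapsed.
CORICA_MAILS = {
    "hi": "please open the attachment is very important.",
    "hola": "aqui te mando un anexo muy importante que lo abras.",
}
CORICA_ATTACHMENT = "microsoft.vbs"


def corica_indicators(raw_message: bytes) -> list:
    """Return the VBS/Corica-A mail indicators found in one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []

    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    # A subject only counts when it is paired with its own body text.
    if CORICA_MAILS.get(subject) == " ".join(body.split()):
        hits.append("subject+body")

    # The attachment name alone is reported too, since the text may vary.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() == CORICA_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def build_sample(subject, body, attachment=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"' placeholder text, not the worm\r\n",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Hi", CORICA_MAILS["hi"].capitalize(), "Microsoft.vbs")
    print(corica_indicators(sample))
```

A message that matches only "subject+body" or only "attachment" is worth quarantining for review; both together match the profile described above.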

VBS/Corica-A also sets the following registry entry:

HKCU\AutoSetup\Land = "Costa Rica"
