Summary

| Detected by | All Sophos products |
|---|---|
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for disinfecting macro viruses.
More Information
VBS/Dismissed-A is a virus which was initially found on a page pointed to by the W32/Zacker-C worm.
The virus spreads using network shares and attempts to spread using mIRC.
If the page is loaded using a vulnerable version of Internet Explorer, the JavaScript code on the page drops and runs the file rol.vbs. The dropped VBS file then sets the Internet Explorer home page to point to http://www.orst.edu/groups/msa/everwonder.swf.
It then attempts to delete a number of anti-virus product-related files and directories.
The virus copies itself to all files with extensions "LNK", "ZIP", "JPG", "JPEG", "MPG", "MPEG", "DOC", "XLS", "MDB", "TXT", "PPT", "PPS", "RAM", "RM", "MP3" and "SWF" and adds the extension "VBS" to the filename.
It also searches for files with "HTM", "HTML" and "ASP" extensions and adds a line of code that attempts to connect to a web page containing the VBS/Dismissed-B virus every time the infected file is opened.
Finally, the virus displays a message box and attempts to shut down Windows.
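The file-overwriting behaviour described above leaves a recognisable trace on disk. The following triage script is an added example, not Sophos code: it assumes the original extension is kept in front of the appended ".vbs" (for example report.doc.vbs), and its function names are illustrative.

```python
import os
from collections import Counter

# Extensions the description lists as overwrite targets.
TARGET_EXTS = {"lnk", "zip", "jpg", "jpeg", "mpg", "mpeg", "doc", "xls",
               "mdb", "txt", "ppt", "pps", "ram", "rm", "mp3", "swf"}
DROPPER_NAME = "rol.vbs"  # file the description says the web page drops


def classify(filename):
    """Return 'dropper', 'double-ext' or None for one file name."""
    name = filename.lower()
    if name == DROPPER_NAME:
        return "dropper"
    parts = name.split(".")
    # Assumption: the original extension stays in front of the added ".vbs".
    if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in TARGET_EXTS:
        return "double-ext"
    return None


def scan(root):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reason = classify(fname)
            if reason:
                findings.append((reason, os.path.join(dirpath, fname)))
    return sorted(findings)


def hot_directories(findings, threshold=3):
    """Directories with several double-extension hits point to bulk
    overwriting rather than one stray file."""
    counts = Counter(os.path.dirname(p) for r, p in findings if r == "double-ext")
    return {d: n for d, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for reason, path in results:
        print(f"{reason:10} {path}")
    for directory, n in hot_directories(results).items():
        print(f"bulk overwrite suspected: {directory} ({n} files)")
```

Run it against a local folder or a mounted network share; files with "HTM", "HTML" and "ASP" extensions are not renamed by the virus, so they are outside what this check covers.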
