Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 7 January 2005 21:28:38 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for disinfecting macro viruses.
Please contact technical support.
More Information
VBS/Ediboy-A is a Visual Basic Script worm for the Windows platform.
VBS/Ediboy-A arrives as an email attachment with a double extension. The final extension will be VBS. The subject line of the email will read "RE: UR SEXY" and the body of the email will read "...Your Pic, damn ur fuckn hot..."
VBS/Ediboy-A will scan through an infected computer's drives, overwriting files with polymorphic copies of itself.
VBS/Ediboy-A may display the following error messages:
System Error
MSKernal Invlid Error Number 4X00009976436
Decoder Error
Windows Jpg Decoder is unable to view this picture.
...
I~WILL~SURVIVE....
VBS/Ediboy-A will copy itself to the Windows system folder as SYS32DLL.VBS. In order to run automatically each time a user logs in, VBS/Ediboy-A will set the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sys32DLL
C:\WINDOWS\System32\Sys32DLL.vbs
VBS/Ediboy-A will attempt to disable the registry editor and interfere with the normal operation of Microsoft Windows by setting the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
67108863
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoAdminPage
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoFileSharingControl
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoVirtMemPage
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoFileSysPage
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
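
The registry entries listed above can be checked offline against a registry export. The following is an added example, not part of the original Sophos description: it parses text in the .reg export format (which spells HKLM and HKCU out as HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER), reports which of the listed values are present with the data the worm writes, and decodes the NoDrives bitmask. The function names and the sample export are constructed for illustration, and matching the Run entry on the file name alone is an assumption made because the Windows directory varies between hosts.

```python
import re

# Indicators from the description above: (key, value name) -> data the worm writes.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
INDICATORS = {(POLICIES + "\\" + sub, name): data for sub, name, data in [
    ("Explorer", "NoRun", 1), ("Explorer", "NoDrives", 67108863),
    ("WinOldApp", "Disabled", 1), ("Explorer", "NoClose", 1),
    ("System", "NoAdminPage", 1), ("Network", "NoFileSharingControl", 1),
    ("System", "NoVirtMemPage", 1), ("System", "NoFileSysPage", 1),
    ("System", "DisableRegistryTools", 1)]}

def parse_reg(text):
    """Parse .reg export text into {(key, name): data}, lower-casing key and name."""
    values, key = {}, ""
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and m:
            data = int(m.group(3), 16) if m.group(3) else re.sub(r"\\(.)", r"\1", m.group(4))
            values[(key, m.group(1).lower())] = data
    return values

def find_ediboy(text):
    """Return the listed indicators that appear in the export with the worm's data."""
    seen = parse_reg(text)
    hits = [f"{k}\\{n}" for (k, n), want in INDICATORS.items()
            if seen.get((k.lower(), n.lower())) == want]
    run = seen.get((RUN_KEY.lower(), "sys32dll"))
    if isinstance(run, str) and run.lower().endswith("\\sys32dll.vbs"):  # file name only
        hits.append(RUN_KEY + "\\Sys32DLL")
    return hits

def hidden_drives(mask):
    """Decode a NoDrives bitmask into drive letters: bit 0 is A:, bit 25 is Z:."""
    return "".join(chr(65 + i) for i in range(26) if mask >> i & 1)

# Constructed sample export for illustration; not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sys32DLL"="C:\\WINDOWS\\System32\\Sys32DLL.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
"NoRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
```

Calling `find_ediboy(SAMPLE)` returns the four matching entries, and `hidden_drives(67108863)` shows that the NoDrives data listed above has all 26 bits set, hiding every drive letter from A to Z.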
