Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for disinfecting macro viruses.
Please read the instructions for removing worms.
More Information
VBS/RTF-Senecs arrives in an email message with the following characteristics:
Subject: Scene from last weekend
Message: Please do not forward
Attachment: scenes.zip
The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable detected by Sophos Anti-Virus as Troj/Senecs using the IDE file for VBS/RTF-Senecs.
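A mail-gateway style check for the lure described above, as an added example that is not Sophos code. It matches the subject and attachment name given in this description, then inspects ZIP members by content rather than extension, so an RTF document carrying embedded OLE objects is flagged even when it is named .wri. The function names, the size cap and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above; MAX_MEMBER is an assumed cap.
SUBJECT, ATTACHMENT, MAX_MEMBER = "scene from last weekend", "scenes.zip", 10_000_000

def rtf_embedded_objects(data: bytes) -> int:
    """Count embedded OLE objects if data is RTF (judged by header, not extension)."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return 0
    return data.count(b"\\objemb")  # RTF control word for an embedded object

def triage(raw: bytes) -> list:
    """Return the reasons a raw message matches the described lure (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        reasons.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT:
            reasons.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # Skip encrypted (flag bit 0) or oversized members; they cannot be read here.
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    continue
                count = rtf_embedded_objects(zf.read(info))
                if count:
                    reasons.append(f"rtf-objects:{info.filename}:{count}")
    return reasons

def build_sample(subject: str, attach_name: str, member: str, body: bytes) -> bytes:
    """Constructed test message: one ZIP attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please do not forward")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()

if __name__ == "__main__":
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata 00}}{\\object\\objemb{\\*\\objdata 00}}}"
    print(triage(build_sample("Scene from last weekend", "scenes.zip", "scenes.wri", rtf)))
```

The content check is the durable part: subject and file names are trivially changed, while an RTF document with embedded objects inside a ZIP is worth a closer look on its own.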
If the embedded executable is opened (run), it drops and runs a VBS file which attempts to send scenes.zip to all contacts from the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans, Troj/Optix-03-C and Troj/WebDL-E. Both Trojans are detected using the IDE file for VBS/RTF-Senecs.
Troj/Optix-03-C is a backdoor Trojan that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the sub-directory <Windows>\OleFiles\, moves itself there and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = <Windows>\OleFiles\<Trojan name>.
This ensures that the server process is run automatically each time the machine is restarted.
Troj/WebDL-E attempts to download and run a program from a tripod.com website. The downloaded program is the Troj/Sub7-21-I backdoor Trojan. Troj/WebDL-E will also attempt to send a success notification message to an ICQ account. After running, the Trojan removes itself from the system.
