Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 2 March 2005 09:23:39 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp
"<Windows system folder>\gsw332.exe.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
AVPCC
"<Windows folder>\Christina_Aquilera.jpg.vbs"
and delete them if they exist.
Close the registry editor.
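The same check can be run against the registry export made in the backup step instead of browsing in Regedit. The following is an added example, not Sophos code: it parses the text of a .reg export and reports string values under the two autostart keys that match the entries listed above. It also goes beyond those two entries by flagging any value whose target is a VBS/VBE file behind a second extension. The function names, the sample export, and the drive and folder paths in it are assumptions made for illustration.

```python
import re

# Autostart keys named in the description, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
# Value name -> file name reported for VBS/Speery-A (both lower-cased).
KNOWN = {"ccapp": "gsw332.exe.vbs", "avpcc": "christina_aquilera.jpg.vbs"}
# A VBS/VBE script hiding behind a second, harmless-looking extension.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.vb[se]$", re.I)
# A string value line in a .reg export: "name"="data" with \\ and \" escapes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the drive letter and folder paths are assumptions.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\\WINDOWS\\system32\\gsw332.exe.vbs"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AVPCC"="C:\\WINDOWS\\Christina_Aquilera.jpg.vbs"
'''

def unescape(s):
    # Undo .reg string escaping: a backslash protects the character after it.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data, reason) for suspicious autostart values."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue                  # not a string value under Run/RunOnce
        name, data = unescape(m.group(1)), unescape(m.group(2))
        target = data.strip('"').lower()
        expected = KNOWN.get(name.lower())
        if expected and target.endswith("\\" + expected):
            findings.append((key, name, data, "matches VBS/Speery-A entry"))
        elif DOUBLE_EXT.search(target):
            findings.append((key, name, data, "double-extension script"))
    return findings
```

The value name alone is not treated as a match; the data must also point at the file name from the description. Read the export with the encoding Regedit wrote it in (version 5.00 exports are UTF-16) before passing the text to `scan_reg_export`.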
More Information
VBS/Speery-A is a worm for the Windows platform.
When first run, the worm displays a message box containing the following:
I-Worm.Maxpeery
by Spidey [SECTOR-S]
Indonesia
URL : <author's website>
The worm copies itself to the Windows folder as Christina_Aquilera.jpg.vbs and to the Windows system folder as gsw332.exe.vbs. In order to run each time a user logs on, the following registry entries are created:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp
"<Windows system folder>\gsw332.exe.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
AVPCC
"<Windows folder>\Christina_Aquilera.jpg.vbs"
The worm may also alter the following registry entry:
HKCU\Software\Microsoft\Windows Script Host\Settings
Timeout
If the folder C:\program files\winrar exists, the worm attempts to create the following files using the WinRAR application:
Christina_aquilera.rar
gsw332.rar
VBS/Speery-A drops two helper files named underground.ico and wini.ico. These files contain the functionality to spread the worm via email and through all available drives and subfolders. The worm overwrites all files with the VBS or VBE file extensions with copies of itself.
Email sent by VBS/Speery-A has the following properties:
Subject line:
Tolong dong...
Attached file:
VBS/Speery-A's current filename
gsw332.rar
Christina_Aquilera.rar
Message text:
Kenapa dari dulu hidupku seperti ini ?, kenapa ga ada perubahan yang berarti ? Tolong dong cariin aku kerjaan
If the attached file is one of the files created by the WinRAR application, then the following also appears in the message text:
Password attachmentnya = sectors
If VBS/Speery-A finds the folder C:\mirc, then it creates a file named script.ini which causes the Internet Relay Chat (IRC) application mIRC to send a copy of the worm to joining users on the IRC network. Sophos's anti-virus products detect the script.ini file created by VBS/Speery-A as mIRC/Simp-Fam.
