Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 14 March 2005 20:49:38 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
VBS/Stargrub-A is a Visual Basic Script email worm and network worm. The email will have the following characteristics:
Subject: Microsoft Critical Update
Dear Windows User
Our Windows watch server has detected that you have not got full protection against viruses and spyware. Open the attachment to recieve the update manager.
Attachment name: SYSFILE.VBS
VBS/Stargrub-A spreads by sending itself as an email attachment to email addresses found in the Outlook address book. The worm will also attempt to copy itself to network drives as "Read This.vbs".
When first run, VBS/Stargrub-A will copy itself to the Windows system folder as SYSFILE.VBS. In order to run automatically each time a user logs on, VBS/Stargrub-A will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AdminSoft
<Windows system folder>\sysfile.vbs
VBS/Stargrub-A will add a user named "startbug" to the infected computer.
VBS/Stargrub-A will attempt to modify proxy settings by setting the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
000.000.0.00:0000
VBS/Stargrub-A will periodically switch on and off the current Windows Themes.
VBS/Stargrub-A will attempt to download and run two joke programs. The programs will be downloaded to the Windows folder as CD.EXE and HIDESTART.EXE. CD.EXE will cause the computer's CDROM drive tray to open. HIDESTART.EXE will cause the "Start" button on the Taskbar to disappear.
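The artifacts described above can be checked on a Windows host with a read-only script. The following is an added example, not Sophos code; the function name is an assumption of the example, and it looks only at the current user's proxy setting and at the root of each mapped network drive.

```powershell
# Added example (not Sophos code): read-only check for the artifacts listed above.
# Requires Windows PowerShell 5.1+ for Get-LocalUser. Names here are this example's own.
function Get-StargrubIndicator {
    $findings = @()

    # Autostart: value "AdminSoft" under the HKLM Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AdminSoft' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value AdminSoft = $($run.AdminSoft)" }

    # Worm copy in the system folder; the two downloaded programs in the Windows folder
    $files = @(
        (Join-Path ([Environment]::SystemDirectory) 'sysfile.vbs'),
        (Join-Path $env:windir 'CD.EXE'),
        (Join-Path $env:windir 'HIDESTART.EXE')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "File present: $f" }
    }

    # Local account added by the worm
    if (Get-LocalUser -Name 'startbug' -ErrorAction SilentlyContinue) {
        $findings += 'Local user "startbug" exists'
    }

    # Proxy setting of the current user only; any value is reported for review
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-ItemProperty -Path $inet -Name 'ProxyServer' -ErrorAction SilentlyContinue
    if ($proxy) { $findings += "ProxyServer = $($proxy.ProxyServer) (confirm it is expected)" }

    # Assumption: only the root of each mapped network drive is checked
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }
    foreach ($d in $drives) {
        $copy = Join-Path $d.Root 'Read This.vbs'
        if (Test-Path -LiteralPath $copy -PathType Leaf) { $findings += "File present: $copy" }
    }

    $findings
}

$result = Get-StargrubIndicator
if ($result) { $result } else { 'No VBS/Stargrub-A artifacts from this description found.' }
```

CD.EXE and HIDESTART.EXE are generic file names and a ProxyServer value is common on managed networks, so treat those two findings as prompts for review rather than confirmation.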
