Sophos

VBS/Chick-F

Aliases
  • I-Worm.Brit-G

Summary

 
Included in our products from: August 2002 (3.60)
Detected by: All Sophos products


More Information

VBS/Chick-F arrives as a compressed HTML file (CHM). When the file is opened, the worm displays the text "Enable activeX To See Korea Japan results".

If the user enables the ActiveX script, the worm searches drives C:, D: and E: for a mIRC installation. If the mIRC executable is found, the worm copies itself to C:\<Windows>\koreajapan.chm. VBS/Chick-F also creates a mIRC script file, script.ini, in the mIRC directory. The script attempts to forward a copy of the worm to users who join the same IRC channel.

Script.ini is detected by Sophos Anti-Virus as mIRC/Simp-Fam.

Finally, VBS/Chick-F sends an email to the first entry in the user's Outlook address book.

The email will have the following characteristics:

Subject line: RE: Korea Japan Results
Message text: Take a look at these results ...
Regards,
<Current user>
Attached file: <name of the worm file that is currently running>
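The email characteristics listed above can be turned into a mail-gateway check. The following is an added example, not Sophos code: it parses a message and reports which of the advisory's traits it shows. The function names, the sample messages and the rule of matching the attachment on its .chm extension are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

SUBJECT = "re: korea japan results"          # subject line from the advisory
BODY_PHRASE = "take a look at these results"  # message text from the advisory

def chick_f_traits(raw: bytes) -> list:
    """Return which advisory traits one RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    # Assumption: the attachment name varies, so match on the .chm extension.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".chm"):
            hits.append("chm-attachment")
            break
    return hits

def is_suspect(raw: bytes) -> bool:
    """Flag only a CHM attachment combined with the subject or body text."""
    hits = chick_f_traits(raw)
    return "chm-attachment" in hits and len(hits) >= 2

def build_sample(subject: str, text: str, filename: str) -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.test", "rcpt@example.test"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"placeholder, not a real CHM", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

WORM_LIKE = build_sample("RE: Korea Japan Results",
                         "Take a look at these results ...\nRegards,\nAlice\n",
                         "koreajapan.chm")
BENIGN = build_sample("RE: Korea Japan Results",
                      "Final score attached.\n", "scores.pdf")

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(name, chick_f_traits(raw), is_suspect(raw))
```

Requiring the CHM attachment together with a second trait keeps an ordinary reply that reuses the subject line from being flagged.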

The following registry entry will be set to the value of "1" when the emailing routine has been executed:

HKLM\Software\Microsoft\Windows\CurrentVersion\chm

This value acts as a marker and prevents the emailing code from executing the next time the worm is activated.
