VBS/Sludge.worm

Type: Virus
SubType: P2P Worm
Discovery Date: 02/03/2003
Length: 1,731 bytes
Minimum DAT: 4246 (02/05/2003)
Updated DAT: 4295 (09/24/2003)
Minimum Engine: 5.1.00
Description Added: 02/03/2003
Description Modified: 02/03/2003 12:51 PM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This threat is proactively detected as "New Script" when using the 4100-4245 DAT files with macro and script heuristics enabled.

This is a VBScript peer-to-peer file sharing worm that intends to spread via the KaZaa, Kazaa Lite, Bearshare, Edonkey2000, and Morpheus applications. Due to an oversight in the code by the virus author, the worm requires Kazaa Lite in order to propagate. When run, the script copies itself using the following file names:

  • 10 naked teens.jpg.vbs
  • 15yteenf**k.jpg.vbs
  • Ad-Aware6.tar.vbs
  • Anton - Schwul oder was.mp3.vbs
  • Bin Laden's Home.doc.vbs
  • Bush is crazy(and stupid).doc.vbs
  • Eminem - I am your father.mp3.vbs
  • How To Rip DVDs.txt.vbs
  • illegalsex.jpg.vbs
  • Kamasutra2003.doc.vbs
  • kievgirl.jpg.vbs
  • Young russian teens.jpg.vbs
To the following folder, if present:
  • %Program Files%\kazaa lite\my shared folder
The worm also intends to copy itself to the following folders (this action fails):
  • %Program Files%\bearshare\shared
  • %Program Files%\edonkey2000\incoming
  • %Program Files%\kazaa\my shared folder
  • %Program Files%\morpheus\my shared folder
The worm copies itself to the %Temp% directory as _uninst12.vbs and creates a registry run key to load itself at system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "faststart" = "%Temp%\_uninst12.vbs"
On March 3rd, a message box is displayed:

Symptoms

Presence of the aforementioned files and registry key.
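
A triage check for the indicators listed above, as an added example that is not part of the original description. It flags decoy double-extension .vbs files in the listed shared folders, the _uninst12.vbs copy, and the startup value; the function names and sample inventory are constructed for illustration, and matching on the extension pattern rather than the twelve exact names is a generalization.

```python
import ntpath

# Decoy extensions seen in the file names listed on this page.
DECOY_EXTS = {"jpg", "tar", "mp3", "doc", "txt"}
# Shared folders from the page, relative to %Program Files%.
SHARED_DIRS = [r"kazaa lite\my shared folder", r"bearshare\shared",
               r"edonkey2000\incoming", r"kazaa\my shared folder",
               r"morpheus\my shared folder"]
DROPPED_COPY = "_uninst12.vbs"   # copy the worm places in %Temp%
RUN_VALUE = "faststart"          # value name as read from the page's Run key line

def is_decoy_script(path):
    """True for names like 'x.jpg.vbs', where a harmless-looking extension hides .vbs."""
    parts = ntpath.basename(path).lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "vbs" and parts[1] in DECOY_EXTS

def in_shared_dir(path):
    """True when the file sits directly in one of the listed P2P shared folders."""
    folder = ntpath.dirname(path).lower()
    return any(folder.endswith("\\" + d) for d in SHARED_DIRS)

def find_indicators(file_paths, run_values):
    """file_paths: Windows paths from a file listing.
    run_values: {name: data} exported from the HKLM Run key.
    Each hit is a lead to review, not a verdict."""
    hits = []
    for p in file_paths:
        if is_decoy_script(p) and in_shared_dir(p):
            hits.append(("shared-folder decoy", p))
        elif ntpath.basename(p).lower() == DROPPED_COPY:
            hits.append(("dropped copy", p))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or data.lower().endswith("\\" + DROPPED_COPY):
            hits.append(("run key", f"{name} = {data}"))
    return hits

# Constructed sample inventory, not taken from a real host.
SAMPLE_FILES = [
    r"C:\Program Files\kazaa lite\my shared folder\How To Rip DVDs.txt.vbs",
    r"C:\Program Files\kazaa lite\my shared folder\holiday.jpg",
    r"C:\Users\a\AppData\Local\Temp\_uninst12.vbs",
    r"C:\Scripts\backup.vbs",
]
SAMPLE_RUN = {"faststart": r"C:\Users\a\AppData\Local\Temp\_uninst12.vbs",
              "ctfmon": r"C:\Windows\System32\ctfmon.exe"}

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{kind}: {detail}")
```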

Method of Infection

This worm spreads via the Kazaa Lite peer-to-peer file sharing application.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
