Content

VBS/Lisa.A@mm

Type
Virus
SubType
VBScript worm
Discovery Date
04/11/2003
Length
Varies
Minimum DAT
4216 (08/02/2002)
Updated DAT
4216 (08/02/2002)
Minimum Engine
5.1.00
Description Added
04/10/2003
Description Modified
05/23/2003 8:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This script virus is detected as VBS/Generic@MM with the 4216 DATs or greater (08/02/2002).

Propagation

The worm arrives in an email message in the following format.

Subject: Click YES and vote against war!
Body:

Upon opening this email, the worm then fills the hard disk with up to 5000 folders names made up of random alphabets. These folders are then filled with a text file containing the string:

I will never stop loving you.

It will then proceed to email itself to everyone in the Microsoft Outlook Address Book.

The virus infects all VB scripts on the harddisk, appending them with its code.

The worm also spreads through the MIRC and Kazaa networks although this was not observed. It drops itself into the download directory for Kazaa as the following filenames:

  • Silvia Saint Gangbang.avi.vbs
  • Britney Spears nude.jpg.vbs
  • Christina Aguilera Nipple.jpg.vbs
  • Lolita.jpg.vbs
  • Madonna - Song.mp3.vbs
  • Jennifer Lopez.mp3.vbs

Destructive Payloads

This worm also deletes all *.DOC files on the hard disk. It also deletes the REGEDIT.EXE and WIN.COM - rendering the victim machine incapable of starting Windows subsequently. In some cases, the worm may delete the data files USER.DAT and SYSTEM.DAT (and their backups after a certain timeframe).

Another payload of this worm is to reformat the C:\ driver by adding the following line into the AUTOEXEC.BAT file (this was not observed in testing):

format C: /q /autotest /u

Symptoms

The following Registry keys are created after the worm has done its mailing:

  • HKEY_CLASSES_ROOT\Lisa
  • HKEY_CLASSES_ROOT\Lisa\Mail "Send" = 1

It also hooks the registry to run itself at startup by modifying the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Upzxqxv" = wscript.exe C:\WINDOWS\UPZXQXV.vbs %

The harddisk will also be filled with hidden folders of the type C:\PPPRRYR. User will also be unable to boot into Windows Operating System.

Method of Infection

The script arrives in an email message and the user is infected upon opening the email.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • VBS.Lisa.A@mm (Symantec)
  • VBS/Almisa@MM
  • VBS_Lisa.A (Trend)

Characteristics

Characteristics -

This script virus is detected as VBS/Generic@MM with the 4216 DATs or greater (08/02/2002).

Propagation

The worm arrives in an email message in the following format.

Subject: Click YES and vote against war!
Body:

Upon opening this email, the worm then fills the hard disk with up to 5000 folders names made up of random alphabets. These folders are then filled with a text file containing the string:

I will never stop loving you.

It will then proceed to email itself to everyone in the Microsoft Outlook Address Book.

The virus infects all VB scripts on the harddisk, appending them with its code.

The worm also spreads through the MIRC and Kazaa networks although this was not observed. It drops itself into the download directory for Kazaa as the following filenames:

  • Silvia Saint Gangbang.avi.vbs
  • Britney Spears nude.jpg.vbs
  • Christina Aguilera Nipple.jpg.vbs
  • Lolita.jpg.vbs
  • Madonna - Song.mp3.vbs
  • Jennifer Lopez.mp3.vbs

Destructive Payloads

This worm also deletes all *.DOC files on the hard disk. It also deletes the REGEDIT.EXE and WIN.COM - rendering the victim machine incapable of starting Windows subsequently. In some cases, the worm may delete the data files USER.DAT and SYSTEM.DAT (and their backups after a certain timeframe).

Another payload of this worm is to reformat the C:\ driver by adding the following line into the AUTOEXEC.BAT file (this was not observed in testing):

format C: /q /autotest /u

Symptoms

Symptoms -

The following Registry keys are created after the worm has done its mailing:

  • HKEY_CLASSES_ROOT\Lisa
  • HKEY_CLASSES_ROOT\Lisa\Mail "Send" = 1

It also hooks the registry to run itself at startup by modifying the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Upzxqxv" = wscript.exe C:\WINDOWS\UPZXQXV.vbs %

The harddisk will also be filled with hidden folders of the type C:\PPPRRYR. User will also be unable to boot into Windows Operating System.

Method of Infection

Method of Infection -

The script arrives in an email message and the user is infected upon opening the email.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants -

    N/A