
VBS/Varin

Type: Virus
SubType: VbScript
Discovery Date: 07/27/2003
Length: 14,013 Bytes
Minimum DAT: 4290 (08/28/2003)
Updated DAT: 4388 (08/25/2004)
Minimum Engine: 5.1.00
Description Added: 09/19/2003
Description Modified: 09/19/2003 6:55 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low


Characteristics

This threat is detected as VBS/Varin. When the infected VBScript is executed, it will modify the following registry keys:

  • HKEY_LOCAL_MACHINE\Activate
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Invasion, "C:\*.vbs"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Invas10n, "[windows directory]\*.vbs"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Invas1oon, "[windows SYSTEM directory]\*.vbs"

If conditions are satisfied, the virus will attempt to overwrite all .exe, .ext, .dll, .ini, .log and .sys files found in c:\, the windows directory and the windows SYSTEM directory. This will only happen if the month is not September. The file Update.bat will be created in the windows SYSTEM directory. This file is detected as VBS/Varin and will rename all .exe, .ext, .dll, .ini, .log and .sys files found in c:\, the windows SYSTEM directory and the windows System32 directory to the .vbs extension.

The virus will also create 1000 infected files in the local working directory as InVaS[num]0oOn!!.vbs, where [num] is a number between 0 and 1000.

The following registry keys will be added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Win_vader", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "RegistredOwner", I-N-V-A-D-E-D
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\System Programs "iexplore", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\System Programs "wmplayer", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\System Programs "wordpad", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE "(Predeterminado)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE "(Predeterminado)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Scandisc.exe "(Predeterminado)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Scandisc.exe "Path", [executed infected file]
  • App Paths\Winword.exe "(Predeterminado)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\winzip.exe "(Predeterminado)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls "Speech", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Win_vader", [windows directory]Win_vader\Win_vader.vbs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page", [windows directory]\hom_e.html
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Mail and News\Mail "Log File (Outlook)", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE "Path", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE "Path", [executed infected file]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe "Path", [executed infected file]

The virus will also create 1000 infected files in the local working directory, c:\ and the windows SYSTEM directory as Winvasion[num].html, where [num] is a number between 0 and 1000. VBS/Varin will attempt to infect all files with .htm, .html and .chm extensions in the windows HELP directory and the windows WEB directory. It will also attempt to copy one million files into random directories with the filename InVaDeR[num].vbs, where [num] is a number between 0 and 1000000. It may also copy itself as A:\LEEME.TXT.vbs and modify c:\autoexec.bat.

If one million infected copies have been created, the virus will output the following message using sendkeys:

INVADER - INVADER - INVADER - INVADER - INVADER - INVADER - INVADER - INVADER -
Computadora infectada y saturada... Ha Ha Ha!
La invasión" & "sigue y
VBS-VIRUS, °Invader° by Virus Catalog SA
Distribuído para el aprendizaje del lenguaje VBS
No nos hacemos responsables por el mal uso que se le pueda dar

VBS/Varin will create the folder Win_vader in the windows directory and copy the infected file Win_vader.vbs to this directory. The infected file InVaDeR.vbs will be copied to the windows SYSTEM directory, and c:\autoexec.bat or c:\autoexec.nt will be edited to execute this file. The virus will then delete regedit.exe.
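
The file names and registry changes listed above can be checked against a file listing and a parsed registry export. The Python below is an added example, not part of the original description; the function names, the tuple layout of the registry entries and the sample data are constructed for illustration, and the App Paths check assumes the executed infected file keeps its .vbs extension.

```python
import re

# Indicators from the description above; [num] is a decimal counter.
FILE_PATTERNS = [
    ("InVaS[num]0oOn!!.vbs", r"InVaS\d+0oOn!!\.vbs"),
    ("Winvasion[num].html", r"Winvasion\d+\.html"),
    ("InVaDeR[num].vbs", r"InVaDeR\d*\.vbs"),
    ("Win_vader.vbs", r"Win_vader\.vbs"),
    ("LEEME.TXT.vbs", r"LEEME\.TXT\.vbs"),
    ("hom_e.html", r"hom_e\.html"),
]
RUN_NAMES = {"invasion", "invas10n", "invas1oon", "win_vader"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def match_file(path):
    """Return the indicator that a file's base name matches, or None."""
    name = re.split(r"[\\/]", path)[-1]
    for label, pattern in FILE_PATTERNS:
        if re.fullmatch(pattern, name, re.IGNORECASE):
            return label
    return None


def scan_registry(entries):
    """Flag (key, value name, data) tuples that match the listed changes."""
    hits = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(RUN_KEY) and n in RUN_NAMES:
            hits.append((name, "Run value name"))
        elif n == "registredowner" and data == "I-N-V-A-D-E-D":
            hits.append((name, "owner marker"))
        elif "\\app paths\\" in k and d.endswith(".vbs"):
            # Assumption: the executed infected file keeps its .vbs extension.
            hits.append((name, "App Paths points at a script"))
    return hits


# Constructed sample data (not from a real host).
HKLM_CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_REGISTRY = [
    (HKLM_CV + r"\Run", "Invas10n", r"C:\WINDOWS\*.vbs"),
    (HKLM_CV + r"\Run", "AudioTray", r"C:\Program Files\Audio\tray.exe"),
    (HKLM_CV, "RegistredOwner", "I-N-V-A-D-E-D"),
    (HKLM_CV + r"\App Paths\IEXPLORE.EXE", "Path", r"C:\Temp\sample.vbs"),
    (HKLM_CV + r"\App Paths\Winword.exe", "Path", r"C:\Program Files\Office"),
]
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\Winvasion42.html", r"C:\Docs\InVaS120oOn!!.vbs",
                r"C:\WINDOWS\SYSTEM\InVaDeR.vbs", r"C:\Scripts\inventory.vbs"]
```

Since the description states that regedit.exe is deleted, the registry entries would normally come from an offline hive or an export taken with another tool.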


Variants

    N/A


Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
