Content

VBS/Braco@MM

Type
Virus
SubType
VbScript
Discovery Date
01/26/2004
Length
3,088 Bytes
Minimum DAT
4318 (01/26/2004)
Updated DAT
4362 (05/19/2004)
Minimum Engine
5.1.00
Description Added
01/26/2004
Description Modified
01/26/2004 3:56 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This threat is detected as a variant of New Script with macro and script heuristics enabled.  On executing the infected VBScript, the virus will copy itself as

  • [windows directory]\winsck.vbs
  • [windows directory]\patch.vbs
  • [windows SYSTEM directory]\patch.vbs
  • [windows SYSTEM directory]\kernel.vbs
  • [windows SYSTEM directory]\explorer.vbs
  • [TEMP directory]\patch.vbs

**Note, TEMP directory is the directory used to store temporary files.  Path can be found in the TMP environment variable.

The following registry keys will be added:

  • HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\
    Run\ScanRegistry", [windows directory]\patch.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\Cobra", [windows SYSTEM directory]\patch.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices\", [TEMP directory]\patch.vbs

The virus copies multiple files using random characters and digits as filenames with the .vbs extension in the TEMP directory.  Example may be wpr57zt.vbs.

Using CDONTS.Newmail, a rapid notification mail generator used in the Windows environment.  The virus will send an email containing the following information :

  • From = micro_2004@mail.com or micro_2005@mail.com
  • Subject = Securiy Patch from Microsoft Inc.
  • Body = Download 3-15-2-18-1/Kana from Microsoft. It is a Download Link for Security Patch for Cobra Warm.
  • Attachment = Infected script 

The email will be sent to the following addresses:

  • Virus@ca.com
  • virus_research@avertlabs.com
  • vsample@nai.com
  • lafifa@mail.com
  • cobra@mail.com
  • [random name]@hotmail.com
  • [random name]@microsoft.com
  • [random name]@mail.com
  • [random name]@email.com
  • [random name]@yahoo.com
  • [random name]@37.com
  • [random name]@iname.com
  • [random name]@host99.com
  • [random name]@linux.com
  • [random name]@[random name].com

**Note, [random name] are random characters and digits the virus creates. Example may be 6opavln@hotmail.com .

Symptoms

The presence of the above files and registry keys.

Method of Infection

Executing the infected VBScript.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This threat is detected as a variant of New Script with macro and script heuristics enabled.  On executing the infected VBScript, the virus will copy itself as

  • [windows directory]\winsck.vbs
  • [windows directory]\patch.vbs
  • [windows SYSTEM directory]\patch.vbs
  • [windows SYSTEM directory]\kernel.vbs
  • [windows SYSTEM directory]\explorer.vbs
  • [TEMP directory]\patch.vbs

**Note, TEMP directory is the directory used to store temporary files.  Path can be found in the TMP environment variable.

The following registry keys will be added:

  • HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\
    Run\ScanRegistry", [windows directory]\patch.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\Cobra", [windows SYSTEM directory]\patch.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices\", [TEMP directory]\patch.vbs

The virus copies multiple files using random characters and digits as filenames with the .vbs extension in the TEMP directory.  Example may be wpr57zt.vbs.

Using CDONTS.Newmail, a rapid notification mail generator used in the Windows environment.  The virus will send an email containing the following information :

  • From = micro_2004@mail.com or micro_2005@mail.com
  • Subject = Securiy Patch from Microsoft Inc.
  • Body = Download 3-15-2-18-1/Kana from Microsoft. It is a Download Link for Security Patch for Cobra Warm.
  • Attachment = Infected script 

The email will be sent to the following addresses:

  • Virus@ca.com
  • virus_research@avertlabs.com
  • vsample@nai.com
  • lafifa@mail.com
  • cobra@mail.com
  • [random name]@hotmail.com
  • [random name]@microsoft.com
  • [random name]@mail.com
  • [random name]@email.com
  • [random name]@yahoo.com
  • [random name]@37.com
  • [random name]@iname.com
  • [random name]@host99.com
  • [random name]@linux.com
  • [random name]@[random name].com

**Note, [random name] are random characters and digits the virus creates. Example may be 6opavln@hotmail.com .

Symptoms

Symptoms -

The presence of the above files and registry keys.

Method of Infection

Method of Infection -

Executing the infected VBScript.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants -

    N/A