VBS/Monopoly@MM

Type: Virus
SubType: VbScript
Discovery Date: 08/06/1999
Length:
Minimum DAT: 4040 (08/25/1999)
Updated DAT: 4229 (10/16/2002)
Minimum Engine: 5.1.00
Description Added: 08/06/1999
Description Modified: 10/13/2000 8:06 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This VBScript worm distributes itself as an email attachment. The 'To' and 'CC' fields of the email are always blank, and the email subject always appears as:

Bill Gates joke

The email body contains the attachment 'MONOPOLY.VBS' and the line:

Bill Gates is guilty of monopoly. Here is the proof. :-)

When the recipient opens (runs) this script attachment on a system that supports the Windows Scripting Host (installed by default in Windows 98 and Windows 2000) and on which VBScript has been updated to version 5.x (for instance, when Internet Explorer 5 is installed), the encrypted worm drops four files into the %temp% directory, for example:

c:\temp\MONOPOLY.VBS (complete worm)
c:\temp\MONOPOLY.VBE (mail routines, stored encrypted)
c:\temp\MONOPOLY.WSH (shortcut file)
c:\temp\MONOPOLY.JPG (picture)

A message box is then displayed with the text:

"Bill Gates is guilty of monopoly. Here is the proof."

and the JPG picture is displayed. The main distribution routine stored in 'MONOPOLY.VBE' is then called.

Like the W97M/Melissa routine, it attempts to distribute only the first time it runs on a system, which it tracks by setting the registry key:

\HKLM\Software\Outlook.Monopoly

If MS Outlook 98 or MS Outlook 2000 is running, the worm searches all address entries in all Outlook address books (Global, Personal, Contacts, etc.) to build a list of recipients. These recipients are BCC-ed (and thus not visible in the To or CC field) on the generated message, which has the worm file 'MONOPOLY.VBS' attached.

Afterwards, Windows system information is collected:
- RegisteredOwner, RegisteredOrganization
- DVD_Region
- Default "Phone Location"
- Windows version number
- IE start page

This information, together with all address entries and their associated email addresses, is sent in another email to:
monopoly@mixmail.com
monpooly@telebot.com
mooponly@ciudad.com.ar
mloponoy@usa.net
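A mail-gateway style check for the message indicators listed above (subject, blank To/CC fields, body line, attachment name), added here as an example and not part of the original description. The function names, the rule of requiring the attachment name plus one more indicator, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Indicators taken from the description above, lower-cased for comparison.
SUBJECT = "bill gates joke"
ATTACHMENT = "monopoly.vbs"
BODY_LINE = "bill gates is guilty of monopoly. here is the proof."

# Constructed sample message (not a captured one); the attachment is a placeholder.
SAMPLE = """\
Subject: Bill Gates joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Bill Gates is guilty of monopoly. Here is the proof. :-)
--b1
Content-Type: application/octet-stream; name="MONOPOLY.VBS"
Content-Disposition: attachment; filename="MONOPOLY.VBS"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def monopoly_indicators(msg: Message) -> list[str]:
    """Return the names of the Monopoly indicators present in a message."""
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    # Recipients are BCC-ed, so To and Cc arrive empty or missing.
    if not (msg.get("To") or "").strip() and not (msg.get("Cc") or "").strip():
        hits.append("blank_to_cc")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment_name")
        elif part.get_content_type() == "text/plain" and not name:
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_LINE in text.lower():
                hits.append("body_line")
    return hits

def is_monopoly(msg: Message) -> bool:
    """Assumed rule: the attachment name plus at least one more indicator."""
    hits = monopoly_indicators(msg)
    return "attachment_name" in hits and len(hits) >= 2
```

Calling `is_monopoly(message_from_string(SAMPLE))` flags the constructed message; a message that only shares the subject line is not flagged.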

Symptoms

Method of Infection

Removal

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Monopoly
  • Monopoly.worm
