W32/Tetris.worm

Type: Virus
SubType: mIRC Worm
Discovery Date: 10/25/2000
Length: 69,632
Minimum DAT: 4103 (11/02/2000)
Updated DAT: 4103 (11/02/2000)
Minimum Engine: 5.1.00
Description Added: 11/28/2000
Description Modified: 03/19/2001 1:48 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is an Internet worm which travels via IRC channels. Users whose mIRC client has been infected send the worm to others when they join chat channels, unintentionally and by design of the worm. The file arrives as "Tetris.exe".

When run, a working "Tetris" game is displayed ("Created By Wallys Games", "Version 1.1", with "Easy, Medium, and Hard" difficulty levels). If the mIRC client is found in one of these locations, the worm proceeds with the infection; otherwise it just acts like a Tetris game:

C:\Mirc
C:\Program Files\mirc
D:\mirc
D:\Program Files\mirc

The Visual Basic 6 runtime files are required for this worm to function.

Symptoms

Presence of the following files:

C:\TETRIS.EXE
C:\BACKUP.VBS
C:\WINDOWS\SYSTEM.EXE
C:\WINDOWS\SCRIPT.BAK

Method of Infection

If this mIRC worm is executed, it will perform the following tasks:

- Renames the "SCRIPT.INI" file to "C:\WINDOWS\SCRIPT.BAK"
- Copies itself to "C:\WINDOWS\SYSTEM.EXE"
- Drops a file named "C:\BACKUP.VBS"
- Creates the following registry value to run "C:\BACKUP.VBS" at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysFile="C:\Backup.vbs"

- If the Windows Scripting Host is installed, "C:\BACKUP.VBS" runs at each system startup, copies "C:\WINDOWS\SYSTEM.EXE" to "C:\TETRIS.EXE", and copies "C:\WINDOWS\SCRIPT.BAK" over the "SCRIPT.INI" file in the mIRC directory. Deleting only the mIRC "SCRIPT.INI" therefore does not clean the machine: as long as the Run value and "C:\BACKUP.VBS" remain, the next boot restores both the game file and the script.

Connecting to a chat channel on IRC from the modified mIRC client distributes the worm to others. Close IRC clients prior to removal of this Internet worm, so that the planted script cannot keep sending the file while you clean up.
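The persistence chain above (four dropped files, one Run value, a SCRIPT.INI rewritten from SCRIPT.BAK at every boot) is small enough to check for mechanically. The following Python script is an added example written for this page; it is not McAfee/AVERT code and not part of the worm. It encodes the artifacts exactly as the description lists them and evaluates them as pure functions over data passed in, so it runs offline on any OS against a constructed sample host state; on a Windows host you can pass `os.path.exists`, the real Run key values and the real script.ini text instead. The page does not print the worm's script.ini, so the `SUSPICIOUS_LINE` heuristic and the sample script line are assumptions (a generic "dcc send" of the dropped file), not the worm's actual script.

```python
"""IOC check for the W32/Tetris.worm persistence chain (added example)."""
import re
import sys
from typing import Callable, Dict, List, Tuple

# Artifacts named in the description.
DROPPED_FILES = [
    r"C:\TETRIS.EXE",
    r"C:\BACKUP.VBS",
    r"C:\WINDOWS\SYSTEM.EXE",
    r"C:\WINDOWS\SCRIPT.BAK",
]
MIRC_DIRS = [r"C:\Mirc", r"C:\Program Files\mirc", r"D:\mirc", r"D:\Program Files\mirc"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SysFile"
RUN_VALUE_DATA = r"C:\Backup.vbs"

# Assumption: the page does not show the worm's script.ini, so this is a generic
# heuristic for a mIRC script that hands the dropped file to other users.
SUSPICIOUS_LINE = re.compile(r"(?i)(dcc\s+send|tetris\.exe|system\.exe)")


def _norm(path: str) -> str:
    """Comparison key: Windows paths are case-insensitive and the page mixes case."""
    return path.replace("/", "\\").strip().strip('"').lower()


def find_dropped_files(exists: Callable[[str], bool]) -> List[str]:
    """Dropped files that are present, plus any script.ini in a known mIRC directory."""
    found = [p for p in DROPPED_FILES if exists(p)]
    found += [d + r"\script.ini" for d in MIRC_DIRS if exists(d + r"\script.ini")]
    return found


def find_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run-key values tied to the worm.  Match on the data as well as the name:
    the value name is the cheapest thing for a variant to change."""
    return [(name, data) for name, data in run_values.items()
            if _norm(data).endswith(r"\backup.vbs") or name.lower() == RUN_VALUE_NAME.lower()]


def scan_script_ini(text: str) -> List[Tuple[int, str]]:
    """(line number, line) for script.ini lines matching the heuristic."""
    return [(i, line.strip()) for i, line in enumerate(text.splitlines(), 1)
            if SUSPICIOUS_LINE.search(line)]


def assess(exists: Callable[[str], bool], run_values: Dict[str, str],
           script_ini_text: str) -> dict:
    """Combine the three checks.  Re-infection at boot needs BOTH the Run value and
    C:\\BACKUP.VBS; either one alone is a leftover that will not restore the files."""
    files = find_dropped_files(exists)
    run_hits = find_run_values(run_values)
    script_hits = scan_script_ini(script_ini_text or "")
    has_vbs = any(_norm(p) == _norm(r"C:\BACKUP.VBS") for p in files)
    return {
        "files": files,
        "run_values": run_hits,
        "script_lines": script_hits,
        "reinfects_on_boot": has_vbs and bool(run_hits),
        "indicators": len(files) + len(run_hits) + len(script_hits),
    }


def live_run_values() -> Dict[str, str]:
    """Read the real Run key on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.split("\\", 1)[1]) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample host state for offline use (not captured from a real infection).
SAMPLE_FILES = {_norm(p) for p in DROPPED_FILES + [r"C:\Program Files\mirc\script.ini"]}
SAMPLE_RUN = {"SysFile": r"C:\Backup.vbs", "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
# Stand-in script line (assumption), not the worm's actual script.ini contents.
SAMPLE_SCRIPT_INI = "[script]\nn0=on 1:JOIN:#:/dcc send $nick C:\\tetris.exe\n"


def sample_report() -> dict:
    return assess(lambda p: _norm(p) in SAMPLE_FILES, SAMPLE_RUN, SAMPLE_SCRIPT_INI)


if __name__ == "__main__":
    # For a live Windows host: assess(os.path.exists, live_run_values(), script_ini_text)
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The `reinfects_on_boot` flag is the one that matters for the removal order: clear the Run value and delete BACKUP.VBS before rebooting, or the files listed under Symptoms come back.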

Removal

Use the specified engine and DAT files for detection and removal. Delete any file which contains this detection, including the "SCRIPT.INI" written into the mIRC directory from "C:\WINDOWS\SCRIPT.BAK". Correct registry entries manually: remove the "SysFile" value from HKLM\Software\Microsoft\Windows\CurrentVersion\Run, otherwise a surviving "C:\BACKUP.VBS" re-creates the files at the next startup.

AVERT recommends the following course of action for prevention:

IRC File Distribution Prevention Method
Always use caution when receiving files from others on IRC channels. Although many files are safe, file sharing is the common breeding ground for virus spreading and distribution. Use these common-usage rules to minimize the risk of receiving or spreading a virus:

* Only accept files from people that you know and trust. Never accept files from people you don't know and never accept files without knowing their full purpose.

* Files with executable extensions such as .BAT, .EXE, .COM, .HLP and .DLL should never be accepted from others, as they have the most potential to cause problems or be infected.

* Scripts should not be accepted from others you do not know; automation is another factor in the distribution of viruses and trojans.

* Files which support macros should not be accepted, or, if they are accepted, make sure macro virus protection is enabled. If you are unable to verify that macro virus protection is enabled, use alternate viewers such as QuickView or WordPad, as they do not support macros. Office97 applications have viewers available from Microsoft, such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.

* Use antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses; however, known viruses can be prevented from running if vigilant scanning techniques are used.

* Some IRC software applications such as mIRC support security settings or options to disable certain functions such as send or get and commands such as /run and /dll. AVERT recommends setting these options if applicable. If your application supports changing options on DCC settings, choose to prompt or ignore requests for file send or receive transactions.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • IRC-Worm.Tetris
  • IRC/Tetris.worm
  • IRC/Wally.worm
  • TROJ_WALLY_TRIS
  • VBS_WALLY_TRIS
  • W32.Tetris.Worm
  • W32/Tetris.worm.gen
  • W32/Wally.worm
