VBS/Vanina

Type: Virus
SubType: VbScript
Discovery Date: 02/22/2001
Length: 3,889
Minimum DAT: 4125 (02/28/2001)
Updated DAT: 4125 (02/28/2001)
Minimum Engine: 5.1.00
Description Added: 03/01/2001
Description Modified: 03/05/2001 4:33 PM (PT)

Risk Assessment

- Corporate User: Low
- Home User: Low

Characteristics

This is a file-overwriting VBScript virus that attempts to send 1000 email messages. When run, it displays a message box reading: "File Error . Windows cant not be open the file"

It copies itself to the WINDOWS directory as Nav.exe (74 spaces) .vbs and creates a registry value to run the script at system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton AntiVirus=%WinDir%\NAV.exe (74 spaces) .vbs
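
The padded file name above keeps the real .vbs extension out of view in most listings, so the autorun target reads as an executable. As an added example (not part of the original description or any vendor tool), the following Python check parses `reg query` style output for the Run key and flags values whose target hides a script extension behind a run of spaces. The sample output, the list of script extensions, the three-space threshold and the assumption that the padding sits directly between "NAV.exe" and ".vbs" are all choices made for this example.

```python
import re

# Script extensions run by Windows Script Host (list chosen for this example).
SCRIPT_EXTS = ("vbs", "vbe", "js", "jse", "wsf", "wsh")

# A decoy extension, a run of 3+ whitespace characters, then the real
# script extension, e.g. "NAV.exe<74 spaces>.vbs".
PADDED_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,4})(?P<pad>\s{3,})\.(?P<real>%s)\b"
    % "|".join(SCRIPT_EXTS),
    re.IGNORECASE,
)

# One value line of `reg query` output: 4 spaces, name, type, data.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_(?:EXPAND_)?SZ)\s{4}(.*)$")


def parse_reg_query(text):
    """Return (value_name, data) pairs from `reg query` style output."""
    pairs = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs


def find_padded_script_entries(pairs):
    """Flag autorun values whose target hides a script extension behind padding."""
    hits = []
    for name, data in pairs:
        m = PADDED_EXT.search(data)
        if m:
            hits.append({"value": name, "decoy": m.group("decoy").lower(),
                         "padding": len(m.group("pad")),
                         "real": m.group("real").lower()})
    return hits


# Constructed sample of Run-key output; the second value follows the page's description.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe",
    r"    Norton AntiVirus    REG_SZ    %WinDir%\NAV.exe" + " " * 74 + ".vbs",
    r"    Updater    REG_SZ    C:\Program Files\App\app.exe /background",
])

if __name__ == "__main__":
    for hit in find_padded_script_entries(parse_reg_query(SAMPLE)):
        print(hit)
```
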

It deletes the registry keys:

HKEY_CLASSES_ROOT\.xls
HKEY_CLASSES_ROOT\.doc
HKEY_CLASSES_ROOT\.mdb

The default StartPage in Internet Explorer is altered, as is the ProxyServer information (this results in an inability to use Internet Explorer until the settings are corrected).

Files with the extensions .BTR, .JPG, .MDB, .PAB, .PST, .WAB, or .XLS are overwritten with the virus code.

Before the script exits, it attempts to use Microsoft Outlook to mail 1000 email messages to 2 addresses in Argentina with the following information:

Subject: Recordatorio
Body: Pezzani,pedazo de inuti,todavia no solucionaste nada . La guerra continua sin cuartel.Toma la iniciativa Charly.

Attachment: c:\windows\explorer.exe

Symptoms

- Inability to access the Internet using Internet Explorer due to proxy information being altered
- Overwritten files
- Many messages in email queue

Method of Infection

Running this script causes .BTR, .JPG, .MDB, .PAB, .PST, .WAB, and .XLS files to be overwritten with the virus code. Overwritten files are not retrievable and must be restored from backup.

Removal

Use specified engine and DAT files for detection and removal. Delete any file which contains this detection.

Overwritten or deleted files must be restored from backup or reinstalled. Alternatively, System Restore can be used to restore deleted files.

AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when files are received via P2P clients, IRC, email or other media where users can share files.

Variants

  • VBS/Vanina.B

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • VBS.Solved (NAV)
  • VBS/Cuartel-A (Sophos)
