VBS/Postcard@MM

Type
Virus
SubType
VBScript worm
Discovery Date
03/18/2001
Length
12,907
Minimum DAT
4130 (03/21/2001)
Updated DAT
4130 (03/21/2001)
Minimum Engine
5.1.00
Description Added
03/19/2001
Description Modified
09/03/2002 1:38 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This virus creates files which do not display a visible extension in Windows, even if Windows is configured to show all files and to display extensions. Additionally, users should configure VirusScan to Scan All Files or add {?? to the extension list used for scanning.

This virus uses an exploitable technique: it appends a CLSID value as the final extension of the files it creates. Windows Explorer treats such a component as a class identifier rather than an extension and hides it, so the true extension is not visible. This is a function of Windows itself.

This is a polymorphic VBScript worm that mails itself to all Microsoft Outlook address book recipients. It infects .ASP, .HTM, .HTML, and .SHTML files in the WINDOWS, WINDOWS\SYSTEM, and WINDOWS\TEMP directories by adding its infectious script code to the end of these files. In addition, the script attempts to copy itself to the root level of mapped drives.
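The CLSID pseudo-extension described above is what makes the dropped files look like plain "postcard.tif" or "2001" in Explorer. The following is an added detection example, not code from this description or from AVERT: it recognises file names whose last component is a {GUID}, reports the name Explorer would show and the decoy extension in front of it, and flags the specific CLSID used by this worm (taken from the file names given under Method of Infection). The sample names are constructed.

```python
import os
import re
from typing import Iterable, Iterator, Optional

# CLSID this worm appends as a pseudo-extension (from the file names in this description).
POSTCARD_CLSID = "{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"

# A trailing ".{GUID}" component: Explorer treats it as a class ID and hides it,
# so the user sees only what precedes it (for example "postcard.tif").
CLSID_SUFFIX = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)


def analyze_name(name: str) -> Optional[dict]:
    """Return details for a file name that ends in a CLSID, else None."""
    m = CLSID_SUFFIX.search(name)
    if m is None:
        return None
    clsid = m.group(1).upper()
    shown = name[: m.start()]                        # the part Explorer displays
    decoy_ext = os.path.splitext(shown)[1].lower()   # e.g. ".tif" on "postcard.tif"
    return {
        "shown": shown,
        "clsid": clsid,
        "decoy_ext": decoy_ext,
        "known_postcard": clsid == POSTCARD_CLSID,
    }


def scan_names(names: Iterable[str]) -> list:
    """Flag every name that hides its real type behind a CLSID suffix."""
    return [hit for hit in (analyze_name(n) for n in names) if hit is not None]


def scan_tree(root: str) -> Iterator[dict]:
    """Walk a directory tree and yield one record per CLSID-suffixed file."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            hit = analyze_name(f)
            if hit is not None:
                hit["path"] = os.path.join(dirpath, f)
                yield hit


if __name__ == "__main__":
    # Constructed sample: names from this description mixed with ordinary files.
    sample = [
        "postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
        "2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
        "docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
        "holiday.tif",
        "notes.{not-a-guid}",
    ]
    for hit in scan_names(sample):
        print(f"{hit['shown']!r} hides CLSID {hit['clsid']} (decoy ext {hit['decoy_ext'] or 'none'})")
```

Run scan_tree against C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\WINDOWS\TEMP and the root of each mapped drive to cover the locations this description names; any hit with known_postcard set matches this worm's CLSID.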

Symptoms

- ActiveX warning message displayed:
Some software (ActiveX controls) on this page might be
unsafe. It is recommended that you not run it. Do you
want to allow it to run?

- HaPPy NeW Millenium message displayed which reads,
Happy new year (2001).
Best wishes from:
your dear ...

- Presence of the files mentioned in this description
- System freeze whenever the time is 4:32, 4:37 or 4:48 (am or pm) on a Monday, or 4:40-45am or 2:40-45pm on a Thursday.

Method of Infection

When the script is first run, users may see an ActiveX warning message:

Some software (ActiveX controls) on this page might be
unsafe. It is recommended that you not run it. Do you
want to allow it to run?

If this script is allowed to run, the virus proceeds with the infection. Users may see the following message:

HaPPy NeW Millenium

Happy new year (2001).

Best wishes from:

your dear ...

The script changes the default start page in Internet Explorer to: C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}. Internet Explorer's security settings are set to allow unsafe scripts to execute. The worm copies itself to the following files:

C:\WINDOWS\SYSTEM\postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
C:\WINDOWS\SYSTEM\dragonball.GT(dan kokoro hikareteku).{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
C:\WINDOWS\TEMP\post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

The file C:\WINDOWS\SYSTEM\[db.GT].wsf is created, which contains instructions for the worm to send itself to all recipients in the Microsoft Outlook address book. Depending on the time of day, the worm will send an email to everyone in the Outlook address book with one of the following subjects:

Happy new Millenium (read the postcard (attached file))
Postcard for you is waiting (in attachment)
Happy 2001 (for more action check attached file)
Stroke of luck? in 2001? (happy 2001 -read attachment)
Goodies You have got a postcard (attached file)
Someone sent you a postcard (in attachment)

Attachment: C:\WINDOWS\TEMP\post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

The Windows registered owner is changed to "Lord YuP - [C]apsule [C]orp" and the registered organization is changed to "DragonBall GT".

The virus looks for network drives and copies itself to the root level of all mapped drives as (mapped drive):\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}. It infects all .ASP, .HTM, .HTML, and .SHTML files in the WINDOWS, WINDOWS\SYSTEM, and WINDOWS\TEMP directories by adding its infectious script code to the end of these files.

Additional payload instructions are contained in the file, C:\WINDOWS\SYSTEM\payl0ad.vbe. This file is executed if the time is 4:32, 4:37 or 4:48 (am or pm) on a Monday, or 4:40-45am or 2:40-45pm on a Thursday. Once executed, this script causes WordPad to run and temporarily disables all keyboard and mouse control.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for Windows NT (not applicable for Solaris):
Within the Configuration console, select Content Filtering.
Select Add.
Add a description for the content filter rule, such as VBSBlock.
Select Filter on Attachment File Name.
Filter on .vbs.
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Postcard worm (CA)
  • VBS.Postcard@MM (NAV)
