VBS/SST.gen@MM

Type: Virus
SubType: VBScript worm
Discovery Date: 05/09/2001
Length: Varies
Minimum DAT: 4123 (02/21/2001)
Updated DAT: 4123 (02/21/2001)
Minimum Engine: 5.1.00
Description Added: 05/09/2001
Description Modified: 05/16/2001 3:48 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

VBS/SST.gen@MM is a generic detection intended to catch the many variants generated by the VBSWG (VBScript Worm Generation) kit.

This virus is in the same family as VBS/VBSWG.gen@MM.

----- On May 15, 2001 a new variant was discovered -----

This variant is sometimes referred to as "VBS.VBSWG2.Y@mm". It is detected using the current DATs, and is also detected with older DATs, starting with the 4123 DAT released on 2/21/2001.

It may arrive in an email message containing the following information:

Subject: NUEVAS MEDIDAS DEL EJECUTIVO (NEW EXECUTIVE MEASURES)
Body:

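Lo que nos faltaba:
Batlle se desnuda para combatir la aftosa !!
Tenés que verlo, es impresionante!
(Just what we needed: Batlle strips naked to fight foot-and-mouth disease!! You have to see it, it's impressive!)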

Attachment: Batlle_Desnudo.JPG.vbs

----- End variant -----

----- On May 9, 2001 a new variant was discovered -----

This variant is sometimes referred to as "VBS/VBSWG.X@MM" or "Homepage". It is detected using the current DATs (4136) as "VBS/SST.gen@MM", and is also detected with older DATs, starting with the 4123 DAT released on 2/21/2001.

It may arrive in an email message containing the following information:

Subject: Homepage
Body: Hi! You've got to see this page! It's really cool ;O)
Attachment: homepage.HTML.vbs

It may open the default browser to one of 4 different pornographic websites.

----- End variant -----

Symptoms

- Presence of homepage.HTML.vbs
- Presence of Batlle_Desnudo.JPG.vbs

Method of Infection

This script arrives as an e-mail attachment. Opening the attachment infects your machine. Once infected, it tries to e-mail itself to all recipients found in the Microsoft Outlook address book.

Note that when Outlook Express and Outlook 98/2000 are both installed (with WSH support enabled), a user who receives and launches an infected .vbs file attachment while in Outlook Express might still spread the virus, because it sends itself silently to all addresses using Outlook 98/2000. The virus might therefore spread without the user actually having Outlook 98/2000 open.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for Windows NT (not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.
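
The file-name rule above, sketched as an added example (this is not McAfee or WebShield code): a Python check that parses a MIME message and flags attachments whose final extension is .vbs, calling out the disguised double extensions both variants use. The function names, the decoy-extension list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTS = {"vbs"}  # the extension the filter rule above blocks
# Assumption: inner extensions treated as a disguise when they precede .vbs
DECOY_EXTS = {"jpg", "jpeg", "gif", "htm", "html", "txt", "doc"}

def classify_filename(name):
    """Return None if allowed, else 'blocked' or 'blocked-double-extension'."""
    # Windows drops trailing dots and spaces, so "x.vbs. " still runs as .vbs
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "blocked-double-extension"
    return "blocked"

def scan_message(raw_bytes):
    """Return (filename, verdict) for every attachment the rule would stop."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name"
        name = part.get_filename()
        if name:
            verdict = classify_filename(name)
            if verdict:
                findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed message using the Homepage subject and attachment name."""
    m = EmailMessage()
    m["Subject"] = "Homepage"
    m.set_content("Hi! You've got to see this page! It's really cool ;O)")
    m.add_attachment(b"' inert placeholder text\n", maintype="application",
                     subtype="octet-stream", filename="homepage.HTML.vbs")
    m.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                     filename="photo.jpg")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

Matching on the last extension only, after normalising case and trailing dots or spaces, is what keeps a name such as Batlle_Desnudo.JPG.vbs from passing as an image.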

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Home Page.
  • HomePage.
  • I-Worm.Homepage (AVP)
  • VBS.VBSWG2.D@mm (NAV)
  • VBS.VBSWG2.Y@mm (NAV)
  • VBS/VBSWG-X (Sophos)
  • VBS_HomePage.A (Trend)
  • VBSWG.X (CA, Panda)
  • VBSWG.X@MM (F-Secure)
