McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Mawanella

• VBS.VBSWG.Z (CA)

• VBS.VBSWG2.Z@MM (NAV)

• VBS_VBSWG.Z (Trend)

• VBSWG.Z@MM (F-Secure)

Characteristics

This is an encrypted VBScript worm. It arrives as a .VBS file email attachment. When the attachment is run, it displays a messagebox entitled "VBScript: Mawanella" which reads:

Mawanella is one of the Sri Lanka's Muslim Village.
This brutal incident happened here 2 Muslim Mosques,100 Shops are burnt.
I hate this incident, What about you? I can destroy your computer
I didn't do that because I am a peace-loving citizen.

The worm copies itself to the Windows System directory as a file called "Mawanella.vbs" and e-mails itself to all recipients in the Microsoft Outlook address book with the following information:

Subject: Mawanella
Body: Mawanella is one of the Sri Lanka's Muslim Village
Attachment: Mawanella.vbs

The mailing routine occurs each time an infected .VBS file is executed. As the virus does not configure Windows to load the .VBS file at startup, this mailing routine will only occur once for most people. There is no other payload.

Symptoms

- Presence of a file called "Mawanella.vbs" in the windows system directory
- Mail correspondence stating that you've sent them an attachment when you did not knowingly do so
- Display of the message box:

Method of Infection

This worm arrives as an email attachment named "Mawanella.vbs". Executing the attachment drops a file to the local system and initiates the mass emailing routine.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Mawanella

• VBS.VBSWG.Z (CA)

• VBS.VBSWG2.Z@MM (NAV)

• VBS_VBSWG.Z (Trend)

• VBSWG.Z@MM (F-Secure)

Characteristics

Characteristics -

This is an encrypted VBScript worm. It arrives as a .VBS file email attachment. When the attachment is run, it displays a messagebox entitled "VBScript: Mawanella" which reads:

Mawanella is one of the Sri Lanka's Muslim Village.
This brutal incident happened here 2 Muslim Mosques,100 Shops are burnt.
I hate this incident, What about you? I can destroy your computer
I didn't do that because I am a peace-loving citizen.

The worm copies itself to the Windows System directory as a file called "Mawanella.vbs" and e-mails itself to all recipients in the Microsoft Outlook address book with the following information:

Subject: Mawanella
Body: Mawanella is one of the Sri Lanka's Muslim Village
Attachment: Mawanella.vbs

The mailing routine occurs each time an infected .VBS file is executed. As the virus does not configure Windows to load the .VBS file at startup, this mailing routine will only occur once for most people. There is no other payload.

Symptoms

Symptoms -

- Presence of a file called "Mawanella.vbs" in the windows system directory
- Mail correspondence stating that you've sent them an attachment when you did not knowingly do so
- Display of the message box:

Method of Infection

Method of Infection -

This worm arrives as an email attachment named "Mawanella.vbs". Executing the attachment drops a file to the local system and initiates the mass emailing routine.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants -

N/A