VBS/Pedpoly@MM

Content

VBS/Pedpoly@MM

Type: Virus
SubType: VBScript worm
Discovery Date: 03/22/2001
Length: Varies
Minimum DAT: 4131 (03/28/2001)
Updated DAT: 4382 (07/28/2004)
Minimum Engine: 5.1.00
Description Added: 06/11/2001
Description Modified: 06/11/2001 1:47 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This is an encrypted mass-mailing VBScript worm. It may arrive in an email message containing the following information:

Subject: FWD: Help us ALL to END ILLEGAL child porn NOW
Body: Hi, just a quick e-mail. Please read the attached document as soon as you can. Thanks.

Attachment: END ILLEGAL child porn NOW.TXT............vbe

The worm may also arrive in an email message using random subject, body, and attachment strings.

Running the attachment infects the local machine which is then used to propagate the virus by sending itself out to a random number of Microsoft Outlook and Outlook Express address book entries. Additionally, the start page of Internet Explorer may be changed to: http://www.geocities.com/antipedo2001 and the title of the browser window changed to |.,.-*^*-.,.\ FUAHACKEDU@888.NU /.,.-*^*-.,.|

Notepad is run and will display the following text:

In 1977 the Sexual Exploitation of Children Act (18 U.S.C. 2251-2253) was enacted. The law prohibits the use of a minor in the making of pornography, the transport of a child across state lines, the taking of a pornographic picture of a minor, and the production and circulation of materials advertising child pornography. It also prohibits the transfer, sale, purchase, and receipt of minors when the purpose of such transfer, sale, purchase, or receipt is to use the child or youth in the production of child pornography. The transportation, importation, shipment, and receipt of child pornography by any interstate means, including by mail or computer, is also prohibited.

The Child Protection Act of 1984 (18 U.S.C. 2251-2255) defines anyone younger than the age of 18 as a child. Therefore, a sexually explicit photograph of anyone 17 years of age or younger is child pornography.  On November 7, 1986, the U.S. Congress enacted the Child Sexual Abuse and Pornography Act (18 U.S.C. 2251-2256), that banned the production and use of advertisements for child pornography and included a provision for civil remedies of personal injuries suffered by a minor who is a victim. It also raised the minimum sentences for repeat offenders from imprisonment of not less than two years to imprisonment of not less than five years.

On November 18, 1988, the U.S. Congress enacted the Child Protection and Obscenity Enforcement Act (18 U.S.C. 2251-2256) that made it unlawful to use a computer to transmit advertisements for or visual depictions of child pornography and it prohibited the buying, selling, or otherwise obtaining temporary custody or control of children for the purpose of producing child pornography.

On November 29, 1990, the U.S. Congress enacted 18 U.S.C. 2252 making it a federal crime to possess three or more depictions of child pornography that were mailed or shipped in interstate or foreign commerce or that were produced using materials that were mailed or shipped by any means, including by computer.

With the passage of the Telecommunications Act of 1996, (18 U.S.C. 2422) it is a federal crime for anyone using the mail, interstate or foreign commerce, to persuade, induce, or entice any individual younger than the age of 18 to engage in any sexual act for which the person may be criminally prosecuted.

The Child Pornography Prevention Act of 1996 amends the definition of child pornography to include that which actually depicts the sexual conduct of real minor children and that which appears to be a depiction of a minor engaging in sexual conduct. Computer, photographic, and photocopy technology is amazingly competent at creating and altering images that have been "morphed" to look like children even though those photographed may have actually been adults. People who alter pornographic images to look like children can now be prosecuted under the law.

Finally the worm searches local and network drives for all .JPG and .JPEG files that match a specific criteria. A list of these filenames is compiled and emailed to one of several addresses.

Symptoms

- Altered Internet Explorer start page; changed to: http://www.geocities.com/antipedo2001 and the title of the browser window changed to |.,.-*^*-.,.\ FUAHACKEDU@888.NU /.,.-*^*-.,.|
- Display of "Sexual Exploitation of Children Act" document in notepad

Method of Infection

This is an encrypted mass-mailing VBScript worm. It arrives as an email attachment. Once the local machine is infected, it is then used to propagate the virus by sending itself out to a random number of Microsoft Outlook and Outlook Express address book entries.

The following registry run key values are created to load the worm at startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\1
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\2
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FUA

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

Noped (F-Secure)

VBS.Noped.A (CA)

VBS.Noped.A@mm (NAV)

VBS_Noped.A (Trend)

Characteristics

Characteristics -

This is an encrypted mass-mailing VBScript worm. It may arrive in an email message containing the following information:

Subject: FWD: Help us ALL to END ILLEGAL child porn NOW
Body: Hi, just a quick e-mail. Please read the attached document as soon as you can. Thanks.

Attachment: END ILLEGAL child porn NOW.TXT............vbe

The worm may also arrive in an email message using random subject, body, and attachment strings.

Notepad is run and will display the following text:

Finally the worm searches local and network drives for all .JPG and .JPEG files that match a specific criteria. A list of these filenames is compiled and emailed to one of several addresses.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

The following registry run key values are created to load the worm at startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\1
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\2
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FUA

Removal -

Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

VBS/Pedpoly@MM

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Aliases

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer