VBS/WhiteHo@MM

Type
Virus
SubType
VBScript worm
Discovery Date
06/07/2001
Length
Varies
Minimum DAT
4143 (06/13/2001)
Updated DAT
4143 (06/13/2001)
Minimum Engine
5.1.00
Description Added
07/30/2001
Description Modified
07/30/2001 11:48 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a mass-mailer and file prepending worm. It attempts to send itself to all users found in the Windows Address Book, and to copy itself to remote (mapped) drives. It may be received in an email message. The subject and the message body are chosen at random from the following strings:

"Thanks for helping me!"
"The police are investigating the robbery"
"an application for a job"
"The aspects of an application process pertinent to OSI"
"What a pleasant weather. Why not go out for a walk?"
"These countries have gone / been through too many wars"
"We've fixed on the 17th of April for the wedding"
"The wind failed and the sea returned to calmness."
"the sitting is open!"
"" (blank)

The file README.HTML will be attached to the message. Opening the attachment runs JavaScript code which creates several files in the WINDOWS SYSTEM directory:

Mdm.vbs (A copy of the virus in VBScript form)
user.dll (A copy of the virus in VBScript form)
system.dll (A copy of the virus in JavaScript form)
Readme.html (2 copies of the virus in JavaScript form, back to back)

A copy of the VBScript is also created in the WINDOWS directory as Profile.vbs

The following registry keys are created to load the worm at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Mdm=C:\WINDOWS\SYSTEM\Mdm.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Profile=C:\WINDOWS\Profile.vbs

The Autoexec.bat file is overwritten to contain instructions to delete all files on drive C: if the username, computer name, or domain name contains any of the following strings:

white home
central intelligence agency
bush
american stock exchang
chief executive

This script itself also attempts to delete all files on C:

If the current month plus the day of the month equals 75, the virus is copied to C:\con\con\75.htm and a registry key is created to load the file at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\75=75.htm

All .htm, .html, .plg, and .asp files on local and remote drives, that are less than 100,000 bytes long, are appended with the virus code. All .vbs files, that are less than 100,000 bytes long, on local and remote drives are overwritten with the virus code.

When the script calls its mailing routine, similar messages are also sent to president@whitehouse.gov, vice.president@whitehouse.gov, first.lady@whitehouse.gov, and mrs.cheney@whitehouse.gov, minus the attachment.
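As an added example (not McAfee's code), the following Python checks a host snapshot against the indicators listed above: the dropped files, the Run/RunServices values, the size and extension rules of the infection routine, and the month-plus-day condition for 75.htm. The file list and registry export it works on are constructed sample data.

```python
import datetime
# Indicators as listed in the description above.
SYSTEM_DIR_FILES = {"mdm.vbs", "user.dll", "system.dll", "readme.html"}
WINDOWS_DIR_FILES = {"profile.vbs"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {  # (key, value name) -> data the worm writes
    (RUN_KEY, "Mdm"): r"C:\WINDOWS\SYSTEM\Mdm.vbs",
    (RUN_KEY + "Services", "Profile"): r"C:\WINDOWS\Profile.vbs",
    (RUN_KEY, "75"): "75.htm",
}
APPEND_EXTS = {".htm", ".html", ".plg", ".asp"}  # appended with worm code; .vbs is overwritten
SIZE_LIMIT = 100_000  # the worm only touches files below this size

def file_indicators(paths):
    """Return the worm's drop files present among a list of full file paths."""
    hits = []
    for p in paths:
        parts = p.lower().replace("/", "\\").split("\\")
        parent, name = (parts[-2] if len(parts) > 1 else ""), parts[-1]
        if ((parent == "system" and name in SYSTEM_DIR_FILES)
                or (parent == "windows" and name in WINDOWS_DIR_FILES)):
            hits.append(p)
    return hits

def registry_indicators(run_entries):
    """run_entries: {(key, value_name): data} exported from Run/RunServices."""
    return sorted(k for k, data in run_entries.items()
                  if k in RUN_VALUES and data.strip().lower() == RUN_VALUES[k].lower())

def infection_candidates(files):
    """files: iterable of (path, size). Return (appended, overwritten): files the
    worm's infection routine would have touched, to scope a cleanup of each drive."""
    small = [(p, "." + p.rsplit(".", 1)[-1].lower()) for p, size in files if size < SIZE_LIMIT]
    return ([p for p, ext in small if ext in APPEND_EXTS],
            [p for p, ext in small if ext == ".vbs"])

def trigger_dates(year):
    """Days in `year` with month + day == 75 (the 75.htm condition).
    None exist: the largest possible sum is 12 + 31 = 43."""
    first = datetime.date(year, 1, 1)
    days = (first + datetime.timedelta(days=n) for n in range(366))
    return [d for d in days if d.year == year and d.month + d.day == 75]

# Constructed host snapshot (not real data) to exercise the checks.
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\Mdm.vbs", 4300), (r"C:\WINDOWS\Profile.vbs", 4300),
                (r"C:\WINDOWS\SYSTEM\kernel32.dll", 471000), (r"C:\Inetpub\wwwroot\default.asp", 2000),
                (r"C:\Inetpub\wwwroot\big.html", 250000), (r"C:\Scripts\logon.vbs", 900)]
SAMPLE_RUN = {(RUN_KEY, "Mdm"): r"C:\WINDOWS\SYSTEM\Mdm.vbs",
              (RUN_KEY, "ExampleApp"): r"C:\Program Files\Example\app.exe"}
```

Because no calendar date satisfies month + day = 75, the 75.htm branch as described never fires; the file and registry checks are the ones worth running on a suspect host.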

Symptoms

- Presence of Profile.vbs in the WINDOWS directory
- Presence of Mdm.vbs, user.dll, system.dll, and Readme.html in the WINDOWS SYSTEM directory

Method of Infection

This virus overwrites and appends local and remote files. Once infected, the local system is used to email the virus to all users found in the Windows Address Book.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for Windows NT (not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Whitehome (AVP)
  • VBS.Whitehome (CA)
  • VBS.Whitehome.A@mm (NAV)
  • VBS_WHITEHOME.A (Trend)
  • WSH/Whitehome-A (Sophos)
