VBS/Cuerpo@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 08/30/2001
Length:
Minimum DAT: 4157 (09/04/2001)
Updated DAT: 4516 (06/17/2005)
Minimum Engine: 5.1.00
Description Added: 08/31/2001
Description Modified: 09/05/2001 9:59 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

As of 31 August 2001, only very few VBS/Cuerpo@MM samples have been encountered at customer sites. Some of the files created by VBS/Cuerpo@MM are already detected heuristically as VBS/Generic@MM using the current v4140 engine and DAT 4156.

The uploaded sample was received as an HTML e-mail with an empty subject line and empty body content. The malicious VBScript code is embedded inside. The code points to an HTML file on a certain website.

The virus writes or modifies several files on the hard disk:
c:\windows\winstart.bat
c:\recycled\rndmein.vbs (Note: don't exclude this directory from scanning)
c:\windows\clockavi.vbs
c:\windows\winstart.bat
c:\windows\system\mlojyopuq.vbs (may vary due to poly code)
c:\windows\system\sn.vbs
c:\windows\system\blank.htm
c:\autoexec.bat

A registry modification may result in an Internet Explorer Start page change.

The mass-mailing (vbs) file attachment name varies.

Symptoms

-Presence of new or modified files:
c:\windows\winstart.bat
c:\recycled\rndmein.vbs (Note: don't exclude this directory from scanning)
c:\windows\clockavi.vbs
c:\windows\winstart.bat
c:\windows\system\mlojyopuq.vbs (may vary due to poly code)
c:\windows\system\sn.vbs
c:\windows\system\blank.htm
c:\autoexec.bat

-Registry changes, check for:
HKLM\Software\Microsoft\Windows\Currentversion\Run\
rndmein = c:\\recycled\\rndmein.vbs

-Changes to IE start page

-Unexplained e-mails
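
A host check for the file and registry symptoms listed above, as an added example (not McAfee's code). The function names, the "review" rule for the variably named script, and the sample inventory are assumptions made here.

```python
import ntpath

# Fixed file names from the symptom list above. winstart.bat and autoexec.bat
# can also exist on clean systems, so a hit means "inspect the contents".
FIXED_PATHS = {
    r"c:\windows\winstart.bat",
    r"c:\recycled\rndmein.vbs",
    r"c:\windows\clockavi.vbs",
    r"c:\windows\system\sn.vbs",
    r"c:\windows\system\blank.htm",
    r"c:\autoexec.bat",
}
RUN_VALUE = ("rndmein", r"c:\recycled\rndmein.vbs")

def norm(path):
    """Lower-case, unify separators and collapse doubled backslashes."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p

def check_host(file_paths, run_values):
    """Return (kind, detail) findings for one host's file list and Run values."""
    findings = []
    for raw in file_paths:
        p = norm(raw)
        if p in FIXED_PATHS:
            findings.append(("file", p))
        elif ntpath.dirname(p) == r"c:\windows\system" and p.endswith(".vbs"):
            # This script's name varies, so match on location and extension.
            findings.append(("review", p))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE[0] and norm(data) == RUN_VALUE[1]:
            findings.append(("run-key", name))
    return findings

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"C:\WINDOWS\WINSTART.BAT",
    r"C:\RECYCLED\RNDMEIN.VBS",
    r"C:\WINDOWS\SYSTEM\qwertyabc.vbs",
    r"C:\WINDOWS\NOTEPAD.EXE",
]
SAMPLE_RUN = {"rndmein": "c:\\\\recycled\\\\rndmein.vbs", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```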

Method of Infection

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for Windows NT (not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
