W32/LastScene.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 01/08/2002
Length: 809 bytes (VBS); 94,600 bytes (ZIP)
Minimum DAT: 4180 (01/09/2002)
Updated DAT: 4180 (01/09/2002)
Minimum Engine: 5.1.00
Description Added: 01/08/2002
Description Modified: 01/31/2002 2:59 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

The VBScript that carries out the worm's mailing routine is detected as VBS/Generic@MM with the 4141 DATs (or newer).

This mass-mailing virus drops a remote access trojan and a downloader trojan, and uses a .ZIP and a .WRI file to carry out its propagation routine. It arrives in an email message containing the following information:

Subject: Scene from last weekend.
Body: Please do not forward!!!
Attachment: scenes.zip

When the .ZIP file is opened from its current location, a copy is saved to the WINDOWS TEMP directory. The virus requires that the SCENES.ZIP file get saved to this location in order to send itself to others. If the .ZIP is saved elsewhere, the virus will not be sent. Inside SCENES.ZIP exists SCENES.WRI, a Write document, which contains embedded objects. These objects appear as "scenes1.jpg" and "scenes2.jpg".

When the icons are clicked, the embedded objects are written to disk and accessed. "scenes1.jpg" links to Results.exe, a Multidropper trojan comprised of a JPG image, the Downloader-B trojan (detected with the 4121 DATs or newer), the BackDoor-RS trojan, and a .VBS file (the mass-mailer, detected as VBS/Generic@MM with the 4141 DATs or newer). "scenes2.jpg" links to another JPG file. While these images are being displayed, the trojan and .VBS files are run. The VBScript file sends the SCENES.ZIP file in the WINDOWS TEMP directory to everyone in the Microsoft Outlook Address Book using MAPI. The email messages are deleted after they are sent.

Symptoms

Presence of SCENES.ZIP, SCENES.WRI, and REALUPDT.EXE

Method of Infection

This virus emails itself to others embedded in a .WRI (Write document) inside a .ZIP archive. One must first open the .ZIP file, and then run the embedded objects within the .WRI file.
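A mail-gateway style check for the message described above, added here as an illustration and not taken from the original description or any vendor tooling: it scores a raw message against the Subject, Body and Attachment values listed under Characteristics and then looks inside the ZIP for SCENES.WRI. The function names, the example.com addresses and the sample message are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison.
SUBJECT, BODY_TEXT = "scene from last weekend.", "please do not forward!!!"
ATTACHMENT, INNER_DOC = "scenes.zip", "scenes.wri"


def zip_has_wri(data: bytes) -> bool:
    """True if the archive holds a member named SCENES.WRI (any case, any folder)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.rsplit("/", 1)[-1].lower() == INNER_DOC for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # renamed or corrupt attachment: name matched, content did not


def score_message(raw: bytes) -> list:
    """Return the indicators matched by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT:
            hits.append("attachment-name")
            data = part.get_payload(decode=True) or b""
            if zip_has_wri(data):
                hits.append("wri-in-zip")
    return hits


def build_sample() -> bytes:
    """Constructed, harmless test message: the ZIP holds only a placeholder text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCENES.WRI", "placeholder, not a real Write document")
    msg = EmailMessage()
    msg["Subject"] = "Scene from last weekend."
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("Please do not forward!!!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scenes.zip")
    return msg.as_bytes()
```

A message that matches all four indicators is a strong candidate for quarantine; a match on the attachment name alone is weaker and worth logging rather than blocking.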

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/LastScene.b@MM
  • W32/LastScene.c@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Trojan/Scenes (Panda)
  • TrojanDropper.Win32.Small.o3 (AVP)
  • VBS/LastScene@MM
  • W32/LastScene@MM
  • WORM_COUPLE.A (Trend)
