VBS/Numgame@MM

Type: Virus
SubType: Worm
Discovery Date: 02/14/2002
Length: 21,194 (HTML); 12,972 (VBScript)
Minimum DAT: 4187 (02/20/2002)
Updated DAT: 5345 (07/23/2008)
Minimum Engine: 5.1.00
Description Added: 02/14/2002
Description Modified: 02/20/2002 7:11 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This threat is detected as New Script with the 4140 DATs (or newer) when scanning with program heuristics enabled. Exact detection was included in the 4187 DATs, released on Feb 20. Avert has not received any field samples of this threat.

This mass-mailing worm makes reference to Valentine's Day and poses as a number guessing game. It arrives in an email message containing the following information:

Subject: Are you (recipient's name) my valentine?
Body: Hi (recipient's name) my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play the attached guess-the-number-game to guess who I am. See you soon, bye-bye!

Attachment: GuessGame.html (21,194 bytes)
or Attachment: GuessGame.vbe (12,972 bytes)
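
A mail-gateway check for the message described above, as an added example that is not part of the original description. It matches the subject template, attachment names and byte sizes given on this page; the function names, the quarantine policy and the sample messages (built with inert filler bytes) are assumptions made for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT_RE = re.compile(r"^Are you .+ my valentine\?$", re.IGNORECASE)
ATTACHMENTS = {"guessgame.html": 21194, "guessgame.vbe": 12972}  # name -> bytes

def numgame_indicators(raw: bytes) -> list:
    """Return the indicators from this description found in one raw message."""
    msg = message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()  # names compared case-insensitively
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
            payload = part.get_payload(decode=True) or b""
            if len(payload) == ATTACHMENTS[name]:  # exact size strengthens the match
                hits.append("size:%d" % len(payload))
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Assumed policy: hold on attachment name; the subject alone is too weak."""
    return any(h.startswith("attachment:") for h in numgame_indicators(raw))

def build_sample(subject, filename=None, size=0) -> bytes:
    """Constructed test message; the attachment is inert filler, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "alice@example.test"
    m["Subject"] = subject
    m.set_content("Hi Alice my valentine, remember me?")
    if filename:
        m.add_attachment(b"A" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Are you Alice my valentine?", "GuessGame.html", 21194)
    print(numgame_indicators(sample), should_quarantine(sample))
```
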

When the attachment is opened, a message box is displayed.

After OK is clicked, an Internet Explorer warning window appears. If the user clicks YES, the script is allowed to execute and the virus infects the local system.

The worm creates a file named GuessGame.vbe in the WINDOWS directory and executes it. This file performs the following actions:

  • Displays a number guessing game
  • Emails DESKTOP\GuessGame.html, MYDOCUMENTS\GuessGame.html, TEMP\GuessGame.html, or %SysDir%\GuessGame.vbe to all users found in the Microsoft Outlook Address Book using MAPI messaging
  • Creates 2 registry keys to disable WINDOWS functionality:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
      Winlogon\SFCDisable=0xFFFFFF9D
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Policies\Explorer\NoDesktop=1
  • Attempts to delete files using the following extensions:
      asp
      aspx
      cab
      com
      cpl
      dat
      dll
      doc
      drv
      exe
      hta
      htm
      html
      inf
      ini
      jpg
      mdb
      mp3
      ocx
      ppt
      sys
      txt
      vxd
      xls
    From any of the following folders on local and network drives:
      root
      Desktop
      Inetpub
      MyDocuments
      Program Files
      System
      Temp
      Windows
      Windows\COMMAND
      Windows\INF
      Windows\SYSBCKUP
  • Attempts to overwrite the AUTOEXEC.BAT file on local and network drives with instructions to delete all of the above-mentioned directories and their contents
  • Creates 3 files in the WINDOWS SYSTEM directory:
    • GuessGame.bat (used by the virus to reset the computer date to 04-08-1981)
    • GuessGame.vbs (used by the virus to send keys to the Microsoft Outlook application, to try and alter the security settings)
    • GuessGame.vbe (a copy of itself)
    By the time the number game is displayed, many files have already been deleted from the system.

Symptoms

- Missing files
- Presence of GuessGame.html, GuessGame.vbe, or GuessGame.vbs
- System clock set to April 8, 1981

Method of Infection

This script arrives as an email attachment in either .VBE or .HTM form. Opening the attachment and allowing the script to run infects the local system, which is then used to send the virus to others.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
