McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This threat is detected as VBS/Generic@MM. This virus may arrive as an email attachment vcards.vbs and will send email using Outlook to all recipients in address list in the following format:

• Subject: You have received a special VCard!
• Body: Hi! Click the "vcards.vbs" to view your card! One of your friends is giving you a voyeuristic glimpse of their personal images. The images were randomly chosen and are totally uncensored! There is no telling what you will see! Click the "vcards.vbs" file that is attached to this email to see the uncensored images, and send your own images out to the people in your address book!
  + + + + + + + + + + + + + + + + + + + + + + + +
  Message from your friend:
  
  + + + + + + + + + + + + + + + + + + + + + + + +
  If you are not interested? Just delete this email. VCards "Lets get with hot communications"
• Attachments: vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd

On executing the virus, the following message is displayed:

If the user chooses no, the virus will not proceed. If yes is chosen, the following message is then displayed:



and user can enter a message. If all the attachments were not saved in the same directory, the following message is then displayed:



The virus creates the directory C:\vcache and saves the files vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd. It goes on to search the hard drive for three .jpg files and then creates the file imgDisplay.html to display the pictures found.

The virus then checks to see if the registry key
HKEY_CURRENT_USER\software\vcards\mailed" = "1" and if not proceeds to send the email out to all in addresslist in the above format. Once this has finished the virus will then edit the registry key:
HKEY_CURRENT_USER\software\vcards\mailed" "1"

Symptoms

The presence of the following files and directory:

• vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd
• C:\vcache
• imgDisplay.html

The following key in registry:

HKEY_CURRENT_USER\software\vcards\mailed, 1

Method of Infection

Running vcards.vbs.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This threat is detected as VBS/Generic@MM. This virus may arrive as an email attachment vcards.vbs and will send email using Outlook to all recipients in address list in the following format:

• Subject: You have received a special VCard!
• Body: Hi! Click the "vcards.vbs" to view your card! One of your friends is giving you a voyeuristic glimpse of their personal images. The images were randomly chosen and are totally uncensored! There is no telling what you will see! Click the "vcards.vbs" file that is attached to this email to see the uncensored images, and send your own images out to the people in your address book!
  + + + + + + + + + + + + + + + + + + + + + + + +
  Message from your friend:
  
  + + + + + + + + + + + + + + + + + + + + + + + +
  If you are not interested? Just delete this email. VCards "Lets get with hot communications"
• Attachments: vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd

On executing the virus, the following message is displayed:

If the user chooses no, the virus will not proceed. If yes is chosen, the following message is then displayed:



and user can enter a message. If all the attachments were not saved in the same directory, the following message is then displayed:



The virus creates the directory C:\vcache and saves the files vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd. It goes on to search the hard drive for three .jpg files and then creates the file imgDisplay.html to display the pictures found.

The virus then checks to see if the registry key
HKEY_CURRENT_USER\software\vcards\mailed" = "1" and if not proceeds to send the email out to all in addresslist in the above format. Once this has finished the virus will then edit the registry key:
HKEY_CURRENT_USER\software\vcards\mailed" "1"

Symptoms

Symptoms -

The presence of the following files and directory:

• vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd
• C:\vcache
• imgDisplay.html

The following key in registry:

HKEY_CURRENT_USER\software\vcards\mailed, 1

Method of Infection

Method of Infection -

Running vcards.vbs.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants -

N/A