Bat/Bwg.a@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 04/29/2002
- Length: 3999 bytes
- Minimum DAT: 4141 (05/30/2001)
- Updated DAT: 4141 (05/30/2001)
- Minimum Engine: 5.1.00
- Description Added: 05/16/2002
- Description Modified: 05/16/2002 8:46 AM (PT)
Characteristics
AVERT has not received any field samples of this threat. It is a worm generated with a virus construction kit called "Bwg" ("Batch worm generator").
This threat has been detected as VBS/Generic@MM since the release of the 4141 DATs (May 2001), which is why the Minimum DAT listed above predates the discovery date.
The worm arrives as an email attachment named b.bat. When run, it uses Outlook to mail itself to every recipient in the address book, using the following message format:
Subject: aaa
Body: bbb
When the attachment is double-clicked, the worm drops several copies of itself: C:\a.bat, C:\b.bat, C:\pro\a.jpg.bat and %Windir%\b.arv.bat. It then drops a VBS script, c:\dkhcz.vbs, containing the code that mass-mails the worm.
It checks whether mIRC or pIRCh is installed and, if so, abuses each client to spread: it edits mIRC's script.ini (and overwrites MIRC.INI) so that the client sends C:\pro\a.jpg.bat to other users, and it modifies pIRCh's EVENTS.INI so that client sends %Windir%\b.arv.bat. The file sent through mIRC is therefore named a.jpg.bat and the file sent through pIRCh b.arv.bat; both pair a harmless-looking first extension with the executable .bat extension.
It can also infect %windir%\startm~1\progra~1\autost~1\*.bat and drop %windir%\Start Menu\Programs\StartUp\bjits.bat so that it runs at system startup, and it can copy itself to %windir%\Desktop\*.ifk and then rename those .ifk files to .bat.
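A triage check for the IRC-spreading behaviour described above, added here as an example and not part of the original description or of any AVERT tool: it flags script lines that automatically DCC-send a file with an executable extension (scoring a double extension such as a.jpg.bat as a lure, which generalizes beyond the two names on the page) and matches a file listing against the dropped-file paths the page gives. The script.ini content and the file list are constructed for the example; the worm's actual script text is not on the page, and pIRCh's events.ini syntax is not modelled.

```python
"""Triage helpers for the mIRC/pIRCh spreading behaviour of Bat/Bwg.a@MM.
Added example for this page; not AVERT/McAfee code."""
import re
from typing import List, Tuple

EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".vbe", ".js"}

# Dropped-file indicators taken from the page (compared case-insensitively).
# %windir% is kept as a placeholder; on a live system it would be expanded.
DROPPED_FILE_IOCS = {
    r"c:\a.bat",
    r"c:\b.bat",
    r"c:\pro\a.jpg.bat",
    r"%windir%\b.arv.bat",
    r"c:\dkhcz.vbs",
    r"%windir%\start menu\programs\startup\bjits.bat",
}

# mIRC script form "/dcc send <nick> <file>"; the slash is optional in
# script files and the nick is usually the $nick identifier.
DCC_SEND_RE = re.compile(r"/?dcc\s+send\s+\S+\s+(?P<path>\S+)", re.IGNORECASE)


def extensions(path: str) -> List[str]:
    """All dot suffixes of the file name, lower-cased: a.jpg.bat -> ['.jpg', '.bat']."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in name.split(".")[1:]]


def classify_send_target(path: str) -> str:
    """'lure' for a double extension ending in an executable type,
    'executable' for a single executable extension, 'benign' otherwise."""
    exts = extensions(path)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "benign"
    return "lure" if len(exts) >= 2 else "executable"


def scan_irc_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, target_path, verdict) for every non-benign auto-send."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = DCC_SEND_RE.search(line)
        if not match:
            continue
        target = match.group("path")
        verdict = classify_send_target(target)
        if verdict != "benign":
            findings.append((line_no, target, verdict))
    return findings


def match_dropped_files(present_files: List[str]) -> List[str]:
    """Return the page's dropped-file indicators found in a path list (case-insensitive)."""
    present = {p.lower() for p in present_files}
    return sorted(ioc for ioc in DROPPED_FILE_IOCS if ioc in present)


# Constructed script.ini in the style such worms use; NOT the worm's real text.
# The second handler sends an ordinary picture and must not be flagged.
CONSTRUCTED_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1=  if ( $nick == $me ) { halt }
n2=  /dcc send $nick C:\\pro\\a.jpg.bat
n3=}
n4=on 1:TEXT:*pic*:#:/dcc send $nick C:\\photos\\holiday.jpg
"""

# Constructed directory listing of an infected machine.
CONSTRUCTED_FILE_LIST = [
    r"C:\a.bat", r"C:\b.bat", r"C:\pro\a.jpg.bat", r"C:\dkhcz.vbs",
    r"%WINDIR%\b.arv.bat", r"C:\config.sys",
]


if __name__ == "__main__":
    for line_no, path, verdict in scan_irc_script(CONSTRUCTED_SCRIPT_INI):
        print(f"script.ini line {line_no}: auto-sends {path} ({verdict})")
    for ioc in match_dropped_files(CONSTRUCTED_FILE_LIST):
        print(f"dropped file present: {ioc}")
```

The verdict is driven by the file name the client is told to send, not by the IOC list, so a variant produced by the same kit with different names would still be flagged as long as it auto-sends an executable.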
The most interesting thing about this worm is that it is an attack on the EICAR test file. Bat/Bwg.a@MM starts with the EICAR test string: when the batch file runs, the command interpreter treats that line as a command, reports a "File not found" error, and continues executing the lines that follow. Many AV products that matched only on the EICAR string misidentified the worm as the harmless EICAR test file when it first appeared.
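The detection gap behind that misidentification, as an added example (not code from the page or from AVERT): a naive prefix match accepts anything that starts with the 68-byte EICAR string, while a check written to the EICAR definition (the string alone, optionally followed by whitespace, total length at most 128 bytes) rejects a 3999-byte batch file. The batch stand-in below is constructed for the example and contains only placeholder lines, not the worm; the set of whitespace bytes accepted is an assumption, since EICAR does not enumerate them.

```python
"""Strict EICAR test-file check versus the naive prefix match that
mis-identified Bat/Bwg.a@MM. Added example for this page; not AVERT/McAfee code."""

# The 68-byte EICAR string is assembled from two fragments so that this
# source file is not itself reported as the test file by on-access scanners
# that key on the literal string.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_STRING) == 68

# EICAR's definition: the string alone, optionally followed by whitespace,
# with the whole file no longer than 128 bytes.
EICAR_MAX_LEN = 128
# Assumption: EICAR does not enumerate "whitespace"; space, tab, CR and LF
# are accepted here.
_WHITESPACE = b" \t\r\n"


def naive_is_eicar(data: bytes) -> bool:
    """Prefix-only match: anything that starts with the string is 'EICAR'.
    This is the behaviour that let a batch worm pass as the test file."""
    return data.startswith(EICAR_STRING)


def strict_is_eicar(data: bytes) -> bool:
    """Match per the EICAR definition: exact string, optional trailing
    whitespace, total length at most 128 bytes."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_STRING):
        return False
    trailer = data[len(EICAR_STRING):]
    return all(byte in _WHITESPACE for byte in trailer)


# Constructed stand-in for a .bat that opens with the EICAR string. The lines
# after the first are harmless placeholders, NOT the worm's code. In a real
# batch file the command interpreter tries to run the first line as a
# command, reports that the file is not found, and carries on with the next.
CONSTRUCTED_BAT = (
    EICAR_STRING + b"\r\n"
    + b"@echo off\r\n"
    + b"rem placeholder: further batch lines would follow here\r\n"
    + b"rem " + b"x" * 200 + b"\r\n"
)

# Constructed samples: two genuine test files, one that violates the length
# limit, and the batch stand-in.
SAMPLES = {
    "eicar.com": EICAR_STRING,
    "eicar_crlf.com": EICAR_STRING + b"\r\n",
    "eicar_padded_129.txt": EICAR_STRING + b" " * 61,
    "bat_with_eicar_prefix.bat": CONSTRUCTED_BAT,
}


def classify(samples=SAMPLES):
    """Map sample name -> (naive verdict, strict verdict)."""
    return {name: (naive_is_eicar(d), strict_is_eicar(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in classify().items():
        print(f"{name:26s} naive={str(naive):5s} strict={strict}")
```

Only the two samples that consist of the string (with or without a trailing CRLF) pass the strict check; the over-long padded file and the batch stand-in are accepted by the prefix match alone, which is exactly the failure the page describes.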
Symptoms
Presence of C:\a.bat, C:\b.bat, C:\pro\a.jpg.bat, %Windir%\b.arv.bat, c:\dkhcz.vbs or %windir%\Start Menu\Programs\StartUp\bjits.bat; outgoing Outlook messages with the subject "aaa", body "bbb" and attachment b.bat.
Method of Infection
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that replicate recursively: an infected system spreads the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.