VBS/Sucop

Type: Virus
SubType: VbScript
Discovery Date: 10/28/2002
Length: 1,834 bytes
Minimum DAT: 4232 (11/06/2002)
Updated DAT: 4232 (11/06/2002)
Minimum Engine: 5.1.00
Description Added: 10/30/2002
Description Modified: 12/03/2002 11:37 PM (PT)
Risk Assessment:

  • Corporate User: Low-Profiled
  • Home User: Low-Profiled

Characteristics

This threat is a Low risk and is profiled in the Tech Live article "Wicked Code Emerges for Halloween". AVERT has yet to receive a field sample of this threat.

This VBScript virus attempts to prepend itself to .VBS files on the local system. When run, it displays two message boxes:

Fret Now!! Just A Simple Virus By The Hocus Pocus Team!!

The virus creates a URL shortcut in the FAVORITES folder and on the DESKTOP that points to a user's site hosted at www.boomspeed.com.

The virus attempts to overwrite all VBS files on the root of the C:\ drive.

It also attempts to download an image from the author's site and save this image to the Start Up folder (C:\WINDOWS\Start Menu\Startup\7baby.jpg).

Symptoms

The virus copies itself to the following locations:

  • C:\WINDOWS\Desktop\7baby.vbs
  • C:\WINDOWS\Start Menu\Programs\Startup\7baby.vbs
  • C:\WINDOWS\Temp\7baby.vbs

Method of Infection

This virus prepends its code to .VBS files on the root of the C: drive.

When the virus is executed it will display the name of the VBS file it finds on the root of C: in a message box. It will then display its own code in a message box. This code is prepended to the file. The text below is part of its code.

['VBS.WhyMe by HocusPocus in notepad]
The above is shown for each VBS file found on the root of C:

During testing, files infected by the virus gave script errors after execution, thus leaving them unexecutable.
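
A triage check for the artifacts listed under Symptoms and Method of Infection, as an added example that is not part of the original description: it looks for the dropped 7baby files and for root-level .VBS files whose head carries the quoted code fragment. It assumes the suspect volume is mounted at a directory given on the command line and that the prepended code contains the comment text quoted above; `triage` and `resolve_ci` are hypothetical names.

```python
import sys
from pathlib import Path

# Locations named on this page, relative to the root of the C: volume.
DROP_PATHS = [
    "WINDOWS/Desktop/7baby.vbs",
    "WINDOWS/Start Menu/Programs/Startup/7baby.vbs",
    "WINDOWS/Temp/7baby.vbs",
    "WINDOWS/Start Menu/Startup/7baby.jpg",  # downloaded image
]
# Assumption: the prepended code carries the comment text quoted on this page.
MARKER = b"vbs.whyme by hocuspocus"
# The virus is 1,834 bytes and is prepended, so only the file head is read.
HEAD_BYTES = 4096


def resolve_ci(root, relative):
    """Find relative under root ignoring case, as Windows would."""
    current = Path(root)
    for part in relative.split("/"):
        if not current.is_dir():
            return None
        current = next(
            (e for e in current.iterdir() if e.name.lower() == part.lower()), None
        )
        if current is None:
            return None
    return current


def triage(root):
    """Return (dropped, prepended) as sorted lists of paths relative to root."""
    root = Path(root)
    dropped = []
    for rel in DROP_PATHS:
        hit = resolve_ci(root, rel)
        if hit is not None and hit.is_file():
            dropped.append(hit.relative_to(root).as_posix())
    prepended = []
    for entry in root.iterdir():  # the page says only the root is infected
        if entry.is_file() and entry.suffix.lower() == ".vbs":
            with open(entry, "rb") as fh:
                if MARKER in fh.read(HEAD_BYTES).lower():
                    prepended.append(entry.name)
    return sorted(dropped), sorted(prepended)


if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A script saved as UTF-16 would not match the byte marker; decode such files first if the volume contains them.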

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • VBS.Pocus (Symantec)
  • VBS.WhyMe
  • VBS/WhyHoPo (CentralCommand)
