VBS.Cuerpo.A@mm

SUMMARY

VBS.Cuerpo.A@mm is a mass-mailing Visual Basic Script (VBS) virus/worm. It is polymorphic in structure and sends itself using Microsoft Outlook. It is embedded in an HTML email message. If the HTML file is opened, and allowed to run, it drops a .bat file that causes the worm to spread.

NOTE: Some email systems will convert an HTML message to an attachment. Opening the attachment will have the same result.

Protection

• Virus Definitions (Intelligent Updater) August 30, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Large Scale E-mailing: Yes
• Modifies Files: Yes

Distribution

• Distribution Level: High
• Subject of Email: Random
• Name of Attachment: Any name plus "(9 Kbytes).vbs"
• Size of Attachment: 9 Kb

TECHNICAL DETAILS

If the HTML message (or attachment) that contains the worm is opened and allowed to run, it performs the following actions:

NOTE: If your system is set to use system defaults, you will be prompted before the script runs.

1. It drops the file C:WindowsWinstart.bat and runs it.
2. Winstart.bat attempts to create a registry import file with a random file name such as "C:Suioacr.reg."
3. Winstart.bat appends text to the C:Autoexec.bat file to run the registry import file.
4. Winstart.bat then copies itself to the Windows folder with a random name such as C:WindowsFkltbie.vbs.
5. It also attempts to copy itself to the following folders:
   • C:WindowsStartm~1ProgramsStartup
   • C:WindowsMenud?1ProgrammesDnarrage
   • C:WindowsMen?In~1ProgramasInicio
   • C:WindowsAlluse~1Menuin~1ProgramasIniciar
   • C:WindowsStartmen?ProgrammeAutostart
   • C:Recycled
6. The VBS script then deletes C:WindowsWinstart.bat.

The VBS script file that is dropped by Winstart.bat does the following:

1. It copies itself as a .vbs file in C:WindowsSystem as a random file name.
2. It drops another .vbs file in C:WindowsSystem that modifies the registry as follows:
   
   • It adds a random name and value to the registry key
     
     HKEY_LOCAL_MACHINESoftwareMicrosoft
     WindowsCurrentVersion
     
   • If the date is after the 5th of the month, it changes the home page of Internet Explorer to
     
     www.freedonation.com
     
   • It adds a random name and value to the registry key
     
     HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
     
     (The randomly named file that it points to will have the .vbs extension)
     
3. It creates the file C:WindowsSystemBlank.html. It contains a link to www.freedonation.com.
4. It modifies the registry key
   
   HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain
   
   so that the home page of Internet Explorer is set to
   
   C:WindowsSystemBlank.html
   
5. It searches the following of Microsoft Outlook folders :
   • Journal
   • Contacts
   • Deleted Items
   • Sent Items
     
     If a message is found which also contains an attachment, the subject line and attachment file name are used to create outbound email messages that actually contain the virus.
     
6. The worm sends email to all contacts in the Outlook address book in HTML format. The virus is embedded in the HTML message.
   
   NOTE: Some email systems will convert an HTML message to an attachment. Opening the attachment will have the same result.
   
   Each contact is sent one message. The email attachment name could be anything, but it will have "(9 Kbytes).vbs" appended to the file name. For example:
   
   mypic.jpg.(9 Kbytes).vbs
   
7. It searches for email address in .txt, .na2, .wab, .mbx, .icq, .uin, and .dat files on all hard drives and network drives. The email addresses are stored in a string and used to create a "form submit" HTML file which has a random name. The HTML file attempts to submit these addresses to a .php file on a user home page at the domain www.mycgiserver.com.
8. The worm overwrites any .htm files found in C:WindowsApplication DataMicrosoftSignatures with copy of itself.
   
   

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm, delete files detected as VBS.Cuerpo.A@mm, remove the line that it added to the Autoexec.bat file, and remove the value that it added to the registry un key.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files.
3. Delete all files that are detected as VBS.Cuerpo.A@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, look for a value that points to a randomly named file. Select this value and delete it.

To edit the Autoexec.bat file:

1. Click Start, and click Run.
2. Type the following, and then click OK.
   
   edit c:autoexec.bat
   
   The MS-DOS Editor opens.
   
3. Look for a line that refers to
   
   c:suioacr.reg
   
   and delete the line.
4. Click File, click exit, and save the changes when you are prompted.

You can reset your Internet Explorer home page from within the program.