VBS.Merlin.C@mm

SUMMARY

VBS.Merlin.C@mm is a mass-mailing worm written in the Visual Basic Scripting (VBS) language. The worm spreads by emailing itself to all contacts in the Microsoft Outlook address book. It can also spread across network drives and by using an IRC client and Gnotella (a client used on the Gnutella network). Its main payload attempts to create 10,000 randomly named folders in the root of drive C and places a text file into each of these folders.

Protection

• Virus Definitions (Intelligent Updater) August 8, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Medium
• Large Scale E-mailing: Sends itself to every one in the Microsoft Outlook Address Book.
• Deletes Files: Attempts to delete system files.
• Modifies Files: Changes the attributes of .exe, .com or .bat files to hidden.

Distribution

• Distribution Level: High

TECHNICAL DETAILS

When executed, this worm does the following:

1. It copies itself into the Windows folder using a randomly generated file name.
2. It drops the file C:WindowsAnarchyCookBook.html and the following files into the folder that contains the worm:
   
   "XXXPasswords.html"
   "Pamela - SexVideo.avi.vbs"
   "Silva Saint - Blowjob.avi.vbs"
   "Britney Spears - Nude.jpg.vbs"
   "Dante - Miss California.mp3.vbs"
   "Silver - Turn the tide.mp3.vbs"
   "Queen - Show must go on.mp3.vbs"
   "R Kelly - Fiesta.mp3.vbs"
   "Inari Vachs - Gangbang.avi.vbs"
   
3. It changes registry keys so that the worm is run whenever you open files that have the following extensions:
   
   .js
   .doc
   .gif
   .jpg
   .hlp
   .bmp
   .avi
   .mpg
   .shs
   .mp3
   
4. It changes registry keys to decrease the security level of the computer.
5. It searches for other computers on the local network, and if any are found, it copies itself to them.
6. It deletes any messages from the Microsoft Outlook inbox that have one of the following subjects:
   
   Fw: Microsoft Security Bulletin.
   Windows XP Betatest
   the requested document
   Fw:Corel Joke
   Fake Pics of Britney Spears
   SARC Virus Warning
   Hi :-)
   
7. It sends itself as an HTML email message to all contacts in your Microsoft Outlook address book, as follows:
   
   Subject: As the subject of the email, it uses one from the previous list. above list.
   Message: You need ActiveX enabled if you want to see this e-mail. Please open this message again and click accept ActiveX. Microsoft
   
8. The worm then modifies the Script.ini file and attempts to spread using mIRC.
9. It modifies the Gnotella.ini file to ignore .htm and .vbs extensions of files for users who connect to the infected computer using Gnotella.
10. It checks the extensions of files on the infected computer and performs the following actions, depending on the extension:
    • If the extension is .htm or .html, the worm overwrites them with the dropped file AnarchyCookBook.html. It also searches the file for the mailto tag. If it finds the mailto tag, it sends email to the address.
    • If the extension is .jpg or .mp3, the worm deletes the file.
    • If the extension is .exe, .com, or .bat, the worm changes the attribute of the file to hidden, overwrites the file, and then adds the .vbs extension to the file name.
    • If the extension is .vbs, .vbe, or .wsh, the worm overwrites the file.
      
11. The worm attempts to create 10,000 randomly named folders in the root of drive C. Each of these folders contains a text file.
12. It attempts to download another .exe file and execute it. The .exe file that it downloads is saved as C:WindowsSystemCih.exe.
13. Three or more days after the infection occurs, the worm:
    • Modifies the Autoexec.bat file to delete the contents of drive C the next time that the computer starts.
    • Attempts to delete C:WindowsUser.dat.
    • Attempts to delete C:WindowsSystem.dat.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan. Make sure that NAV is configured to scan all files.
3. Delete all files that are detected as VBS.Merlin.C@mm.
4. If the worm has run, then you must restore damaged or deleted files from a clean backup or reinstall the missing or damaged software. In some cases, you must reinstall Windows. The numerous changes to the registry can be changed manually from a recent backup, or by reinstalling Windows and any affected programs. Instructions on how to manually restore the registry are in the next section.
5. Reset the attributes of .exe, .com, or .bat files whose attributes were changed to hidden. To do this at a DOS command prompt, type the following command and then press Enter:
   
   attrib -h -s -r <file name> and then press Enter.

How to manually restore the changes that were made to the registry

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and double-click the key
   
   HKEY_LOCAL_MACHINESoftwareCLASSES
   
4. Directly under this key, one at a time, look for each of the following subkeys:
   
   .js
   .doc
   .gif
   .jpg
   .htt
   .bmp
   .avi
   .mpg
   .shs
   .mp3
   
5. For each one that exists, double-click the following value in the right pane:
   
   (default)
   
   The Edit String dialog box opens.
   
6. Look at the text in the Value Data box. If the value has been changed to "Eva", replace it with the correct text as shown in the following list:
   
   NOTE: These are the default values. If you installed software that changed these values, either change the value to the value assigned by that software, or reinstall the software.
   
   Subkey name = Change the value to:
   .js = JSFile
   .doc = WordPad.Document.1
   .gif = giffile
   .jpg = jpegfile
   .htt = HTTfile
   .bmp = Paint.Picture
   .avi = AVIFile
   .mpg = mpegfile
   .shs = ShellScrap
   .mp3 = mp3file
   
7. Navigate to the key
   
   HKEY_LOCAL_MACHINESoftwareCLASSESVBSFile
   
8. In the right pane, delete the value
   
   Editflags
   
9. Navigate to the following key and delete it:
   
   HKEY_CURRENT_USERSoftwareAbi2001
   
10. Navigate to the key
    
    HKEY_LOCAL_MACHINESoftwareMicrosoft
    WindowsCurrentVersionRun
    
11. In the right pane, look for values that have a random-letter name, for example:
    
    AOIFLKDBNFOIFSDSFKLSDF
    
    The Value Data of this will look similar to
    
    wscript.exe C:WINDOWSAOIFLKDBNFOIFSDSFKLSDF.doc.vbs %
    
    Delete all such values that you find.
    
12. Navigate to the key:
    
    HKEY_LOCAL_MACHINESoftwareMicrosoft
    WindowsCurrentVersion
    
13. In the right pane, double-click
    
    Registered Owner
    
14. In the Value Data box, replace "Abi2001 - Show Must Go On!" with the name of the registered owner of the installed copy of Windows.
15. Navigate to the keys
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    Office9.0WordSecurity
    
16. In the right pane, double-click the value:
    
    Level
    
17. In the ValueData box, replace the value 1 with the value 3, and then click OK.
    
18. Navigate to each of the keys in the following list. For each one, look in the right pane and double-click the value. In the ValueData box, replace the value 1 with the value 0, and then click OK.
    
    NOTE: In the following list, the value that you must double-click appears at the end of each key. For example, for the first key in the list, select the key
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones
    
    in the left pane, and double-click the value
    
    1200
    
    in the right pane. Then replace the value 1 with the value 0.
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones1200
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones1201
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones1004
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones11200
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones11201
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones11004
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones31200
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones31201
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionsInternet Settingsones31004
    
19. Navigate to and delete the key
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    Windows Scripting Host
    
20. Navigate to the key
    
    HKEY_CURRENT_USERSoftwareMicrosoft
    WindowsCurrentVersionPoliciesExplorer
    
21. In the right pane, select "NoDesktop" and delete it.
22. Exit the Registry Editor.