Spammer is a very aggressive Visual Basic Script (VBS) based polymorphic e-mail worm. The worm does not use a fixed subject line or attachment name. It arrives as an attachment of an e-mail whose subject line starts with "FW: " followed by a file name. The file name seems to have no base name (due to a bug) and two extensions, as in ".Mp3.vbs". The real extension is always .VBS. The faked extension is one of the following:

Doc Xls Mdb Bmp Mp3 Txt Jpg Gif Mov Url Htm Txt
The e-mail body does not contain any text, just an attachment with the same name as in the subject line. The name will be different each time the worm generates an e-mail.
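The message shape described above (subject "FW: " plus a file name, an attachment carrying the same name, a faked document or media extension in front of the real .vbs extension, an empty base name and an empty body) is regular enough to check for at a mail gateway. The following is an added example, not code from the original advisory; the sample messages are constructed, and the function and constant names are my own.

```python
# Added example (not from the original advisory): a mail-gateway style check
# for the message shape described in the text. Sample messages are constructed.
import re

# Faked extensions listed in the advisory; the real extension is always .vbs.
FAKED_EXTENSIONS = {"doc", "xls", "mdb", "bmp", "mp3", "txt",
                    "jpg", "gif", "mov", "url", "htm"}

# "<base>.<fake>.vbs" where <base> may be empty (the bug the advisory describes).
_NAME_RE = re.compile(r"^(?P<base>[^.]*)\.(?P<fake>[A-Za-z0-9]+)\.vbs$", re.IGNORECASE)


def attachment_name_matches(name: str) -> bool:
    """True when the attachment name has the double-extension shape with a
    known faked extension followed by the real .vbs extension."""
    m = _NAME_RE.match(name.strip())
    return bool(m) and m.group("fake").lower() in FAKED_EXTENSIONS


def message_matches(subject: str, attachments: list, body: str) -> dict:
    """Evaluate one message against the described pattern and return the
    individual findings, so a gateway rule can decide which must hold."""
    findings = {
        "subject_fw": subject.startswith("FW: "),
        "attachment_shape": False,
        "attachment_equals_subject": False,
        "empty_base_name": False,
        "empty_body": body.strip() == "",
    }
    expected = subject[4:].strip() if findings["subject_fw"] else None
    for name in attachments:
        if not attachment_name_matches(name):
            continue
        findings["attachment_shape"] = True
        findings["empty_base_name"] = _NAME_RE.match(name.strip()).group("base") == ""
        if expected is not None and name.strip().lower() == expected.lower():
            findings["attachment_equals_subject"] = True
    findings["match"] = (findings["subject_fw"] and findings["attachment_shape"]
                         and findings["attachment_equals_subject"]
                         and findings["empty_body"])
    return findings


# Constructed sample messages, not real captures.
SAMPLES = [
    {"subject": "FW: .Mp3.vbs", "attachments": [".Mp3.vbs"], "body": ""},
    {"subject": "FW: budget.xls", "attachments": ["budget.xls"], "body": "See attached."},
    {"subject": "FW: notes.Txt.vbs", "attachments": ["notes.Txt.vbs"], "body": ""},
    {"subject": "Meeting", "attachments": ["agenda.doc"], "body": "Agenda for Monday"},
]


def triage(samples=SAMPLES) -> list:
    """Return the subjects of sample messages that match the full pattern."""
    return [s["subject"] for s in samples
            if message_matches(s["subject"], s["attachments"], s["body"])["match"]]


if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], message_matches(s["subject"], s["attachments"], s["body"]))
```

The findings are returned separately rather than collapsed into one boolean because the empty base name comes from a bug in the worm; a rule that insists on it would miss a variant where the bug is fixed, so a gateway should weight the double .vbs extension and the subject/attachment echo more heavily than the empty base name.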
The name was meant to be constructed from a random entry in the recently used files list (the Documents folder in the Start menu), but due to a bug the base file name is always empty. If the recently used files list is empty, the name of the attachment will be randomly generated, most likely resulting in a combination of characters that makes no sense.

The worm spreads by generating an e-mail as described above, attaching itself and sending that e-mail to all recipients in all Outlook address books. In big organizations the volume of e-mail generated has the potential to overload e-mail servers. When spreading, the worm changes its code by inserting comments, causing each new generation to grow dramatically in size (typically by around 200KB).

The worm spreads on Windows 98 and Windows 2000 by default, and on Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is installed. The worm will also copy itself to the Windows and System directories under a randomly generated (garbage) name and register itself in the registry under the garbage name using these keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

The value of the Run key will point to the copy in the Windows directory, the value of the RunServices key to the copy in the System directory.

After sending itself out by e-mail, the worm walks through all files on local hard drives and network drives and effectively renames the extension of every file to VBS and sets its size to zero. Probably the author intended to overwrite all files with a copy of the worm code. If this action is completed it will render the infected system unbootable. Systems reached through outgoing shares are possibly rendered unbootable as well. Note that even up-to-date real-time protection running on a system that is attacked through a share cannot block the attack, because no viral code is actually transferred to the target system. To guarantee protection, make sure that VBS files are included in the list of files to scan. To clean an infected system, all detected files have to be deleted and the registry keys mentioned above have to be removed. --UPDATE YOUR DAT FILES!!!!
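The polymorphism described above is only comment insertion: each generation carries the same statements padded with new comment lines, which is enough to defeat any signature or hash taken over the raw file. Normalising the script by removing comments and whitespace before hashing gives a value that is stable across such generations. The following is an added example, not code from the original advisory; the two "generations" are a constructed, harmless script, not worm code, and the function names are my own.

```python
# Added example (not from the original advisory): hash a VBS file after
# stripping comments and whitespace so that comment-insertion polymorphism
# does not change the result. GEN0/GEN1 are a constructed harmless script.
import hashlib
import re


def strip_vbs_comments(script: str) -> str:
    """Remove VBS comments (' and whole-line Rem) outside string literals,
    drop blank lines, collapse whitespace and lowercase the rest.
    Lowercasing also touches string literals, which is acceptable for a
    signature (VBS keywords and identifiers are case-insensitive)."""
    cleaned = []
    for line in script.splitlines():
        out = []
        in_string = False
        for ch in line:
            if ch == '"':
                # A doubled quote inside a string toggles twice, so it is safe.
                in_string = not in_string
            elif not in_string and ch == "'":
                break  # the rest of the line is a comment
            out.append(ch)
        text = "".join(out).strip()
        if re.match(r"^rem(\s|$)", text, re.IGNORECASE):
            text = ""  # whole-line Rem comment
        text = re.sub(r"\s+", " ", text)
        if text:
            cleaned.append(text.lower())
    return "\n".join(cleaned)


def raw_hash(script: str) -> str:
    return hashlib.sha256(script.encode()).hexdigest()


def normalized_hash(script: str) -> str:
    return hashlib.sha256(strip_vbs_comments(script).encode()).hexdigest()


# Constructed generation 0 and a generation 1 padded with inserted comments.
GEN0 = """Dim s
s = "it's a test"  ' trailing comment
MsgBox s
"""

GEN1 = """' padding line zkq
Rem more padding
Dim s
' xyz
s = "it's a test"

MsgBox s  ' another
"""


def demo() -> dict:
    """Show that the raw hashes differ while the normalized hashes agree."""
    return {
        "raw_equal": raw_hash(GEN0) == raw_hash(GEN1),
        "normalized_equal": normalized_hash(GEN0) == normalized_hash(GEN1),
    }


if __name__ == "__main__":
    print(demo())
```

The apostrophe inside the string literal is the edge case worth keeping in mind: a naive "cut at the first quote character" normaliser would truncate `s = "it's a test"` and produce different hashes for otherwise identical generations, so the stripper tracks whether it is inside a string before treating `'` as a comment marker.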