This encrypted, polymorphic VBScript worm is obfuscated to prevent users from reading its code. The file consists of the main encrypted code followed by its decryptor function. It was generated by a worm generator program authored by [K]Alamar.
Some of the worm's features are similar to those of other VBS worms generated using [K]Alamar's worm generator. Upon execution, it drops a file, SHAKIRAPICS.JPG.VBS, in the Windows directory. This file is an exact copy of the original worm file.
It then adds this registry entry so that it executes at every Windows startup:
This registry entry points to the WSCRIPT.EXE scripting host, which this worm requires, and the dropped worm file located in the %WinDir% directory, which is usually C:\Windows or C:\WINNT.
It adds the following registry entries as marker flags for its infection status:
It then sends the following email to all addresses listed in the infected user's Microsoft Outlook address book:
Subject: Shakiras Pictures
Message Body:
Hi :
i have sent the photos via attachment
have funn
Attachment: ShakiraPics.jpg.vbs
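As an added example (not code from the advisory or from Trend Micro), the following Python triage function flags a message matching the mass-mailing described above by its subject and by its double-extension attachment; the sample messages are constructed inline and the sender/recipient addresses are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text: the worm's subject line and attachment name.
WORM_SUBJECT = "shakiras pictures"
WORM_ATTACHMENT = "shakirapics.jpg.vbs"
# Generalisation: any filename hiding a VBScript extension behind a harmless-looking one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|txt|doc)\.(vbs|vbe)$", re.IGNORECASE)


def triage(raw: bytes) -> list:
    """Return the indicator names found in a raw RFC 822 message (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject == WORM_SUBJECT:
        hits.append("subject:shakiras-pictures")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == WORM_ATTACHMENT:
            hits.append("attachment:shakirapics.jpg.vbs")
        elif DOUBLE_EXT.search(name):
            hits.append("attachment:double-extension:" + name)
    return hits


def build_sample(attachment_name: str, subject: str) -> bytes:
    """Construct a sample message in the shape the advisory describes (constructed, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = subject
    msg.set_content("Hi :\ni have sent the photos via attachment\nhave funn\n")
    # The attachment payload is an inert placeholder string, not the worm.
    msg.add_attachment(b"' placeholder payload", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("ShakiraPics.jpg.vbs", "Shakiras Pictures")))
    print(triage(build_sample("holiday.jpg", "Holiday photos")))
```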
This worm overwrites the mIRC configuration file, SCRIPT.INI, with its own version of that file. This happens only when the VBS worm finds the file MIRC.INI in the C:\MIRC, C:\MIRC32 and %ProgramFiles% folders. The path of the %ProgramFiles% directory is obtained from the following registry entry:
This SCRIPT.INI file is a malicious Internet Relay Chat script that sends copies of this malware to all users connected to the same channel as the infected user. Trend Micro detects the malicious .INI file as IRC_VBSWG.AQ.
This malware then sets the registry values "mailed" and "mirqued" to 1 after it completes its mass-mailing routine and creates SCRIPT.INI. The worm checks the "mailed" marker before it replicates via email, so it sends unsolicited emails only when that marker does not have the value 1. Likewise, the creation of SCRIPT.INI depends on the "mirqued" marker: if it has the value 1, the malware no longer creates a new SCRIPT.INI file.
Local and Remote File System Infection
This VBScript malware copies itself over all .VBS and .VBE files found on all local and remote drives, effectively overwriting those files. If floppy disks or Zip disks are present in the disk drives, the worm attempts to infect those drives as well.
After performing its propagation routine, the worm enters an endless loop that drops copies of itself in the current directory in case its file is deleted. Because of this, the Windows scripting host (WSCRIPT.EXE) appears to be constantly running in the Task Manager.
Upon execution, this worm displays a message box with the following text strings:
Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.
Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
In the left panel, double click the following:
In the right panel, locate and delete the registry entry:
"Registry" = "wscript.exe "%WinDir%\ShakiraPics.jpg.vbs "
*Where %WinDir% is the Windows directory, which is usually C:\Windows or C:\WINNT.
Again in the left panel, double click the following:
Also in the left panel, locate and delete the registry key:
Restart your computer.
Scan your system with Trend Micro antivirus and delete all files detected as VBS_VBSWG.A and IRC_VBSWG.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.