Details:
Installation
This VBScript worm is encrypted and polymorphic, which hinders inspection of its code: the file consists of the main encrypted code followed by the function that decrypts it at run time. It was generated by a worm generator program authored by [K]Alamar.
Some of its features are shared with other VBS worms produced by [K]Alamar's worm generator. Upon execution, it drops SHAKIRAPICS.JPG.VBS, an exact copy of the original worm file, in the Windows directory.
It then adds the following registry value so that it runs at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Registry = "wscript.exe %WinDir%\ShakiraPics.jpg.vbs"
This value invokes the WSCRIPT.EXE scripting host, which the worm requires, on the dropped worm file in the %WinDir% directory, which is usually C:\Windows or C:\WINNT.
It adds the following registry values as marker flags for its infection status:
HKEY_CURRENT_USER\Software\ShakiraPics
mailed
mirqued
Mass-mailing Routine
It then sends the following email to all addresses listed in the infected user's Microsoft Outlook address book:
Subject: Shakiras Pictures
Message Body: Hi :
i have sent the photos via attachment
have funn
Attachment: ShakiraPics.jpg.vbs
IRC Infection
This worm overwrites the mIRC script file, SCRIPT.INI, with its own copy of that file. It does so only when it finds MIRC.INI in C:\MIRC, C:\MIRC32, or the %ProgramFiles% folder; the %ProgramFiles% path is read from the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir
This SCRIPT.INI is a malicious Internet Relay Chat script that sends copies of the worm to all users connected to the same channel as the infected user. Trend Micro detects the malicious .INI file as IRC_VBSWG.AQ.
The worm consults the marker values before each routine: it mass-mails only when "mailed" is not set to 1, and it creates SCRIPT.INI only when "mirqued" is not set to 1. After it completes the mass-mailing routine and writes SCRIPT.INI, it sets "mailed" and "mirqued" to 1, so each routine runs only once under a given user account (the markers live under HKEY_CURRENT_USER).
Local and Remote File System Infection
This VBScript malware overwrites every .VBS and .VBE file it finds on all local and remote drives with a copy of itself, so each infected script is byte-for-byte identical to the worm. If floppy disks or Zip disks are present in their drives, the worm attempts to infect them as well.
Others
After its propagation routines, the worm enters an endless loop that re-creates a copy of itself in the current directory whenever that copy is deleted. As a result, the Windows Scripting Host (WSCRIPT.EXE) appears as a continuously running process in Task Manager.
Upon execution, this worm displays a message box with the following text strings:
You have been infected by the ShakiraPics Worm.
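The following triage script is an added example and is not part of the original description or of any vendor tool. It checks a Windows host for the indicators listed above (the Run value, the dropped file, the HKCU marker values, SCRIPT.INI beside MIRC.INI in the three probed folders, and a resident WSCRIPT.EXE) and, since the worm overwrites .VBS/.VBE files with exact copies of itself, clusters scripts by hash to find the overwritten ones. It assumes the Run value is named "Registry" exactly as quoted above; the hash-clustering heuristic and the -Remove switch are my additions, not behaviour documented for the worm.

```powershell
# Added triage script for the ShakiraPics indicators described above.
# Read-only by default; -Remove stops wscript.exe, deletes the Run value,
# the dropped file and the marker key. Run from an elevated prompt.
param([switch]$Remove)

$findings = @()

# 1. Resident wscript.exe: stop it first when cleaning, because the worm's
#    drop loop would otherwise re-create the file the moment it is deleted.
Get-Process -Name wscript -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "wscript.exe running, PID $($_.Id)"
    if ($Remove) { Stop-Process -Id $_.Id -Force }
}

# 2. Persistence: Run value named "Registry" (assumption from the description)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'Registry' -ErrorAction SilentlyContinue
if ($runVal -and $runVal.Registry -match 'ShakiraPics\.jpg\.vbs') {
    $findings += "Run value 'Registry' = $($runVal.Registry)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Registry' }
}

# 3. Dropped copy in %WinDir%; its hash identifies overwritten scripts below
$dropped  = Join-Path $env:WINDIR 'ShakiraPics.jpg.vbs'
$wormHash = $null
if (Test-Path -LiteralPath $dropped) {
    $wormHash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA-256 $wormHash)"
    if ($Remove) { Remove-Item -LiteralPath $dropped -Force }
}

# 4. Infection-status markers "mailed" and "mirqued"
$marker = 'HKCU:\Software\ShakiraPics'
if (Test-Path -Path $marker) {
    $props = Get-ItemProperty -Path $marker
    foreach ($name in 'mailed', 'mirqued') {
        $findings += "Marker $name = $($props.$name)"
    }
    if ($Remove) { Remove-Item -Path $marker -Recurse -Force }
}

# 5. mIRC: the worm writes SCRIPT.INI only where MIRC.INI already exists, and
#    resolves %ProgramFiles% from the same ProgramFilesDir value it reads.
$pfDir = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' `
          -Name ProgramFilesDir -ErrorAction SilentlyContinue).ProgramFilesDir
foreach ($dir in @('C:\MIRC', 'C:\MIRC32', $pfDir)) {
    if (-not $dir) { continue }
    $ini    = Join-Path $dir 'mirc.ini'
    $script = Join-Path $dir 'script.ini'
    if ((Test-Path -LiteralPath $ini) -and (Test-Path -LiteralPath $script)) {
        # Not deleted automatically: a legitimate script.ini may live here too.
        $findings += "mIRC script.ini beside mirc.ini: $script (review manually)"
    }
}

# 6. Overwritten scripts: every infected .VBS/.VBE is an exact copy of the worm,
#    so identical hashes across many script files are the tell. Groups that
#    match the dropped file's hash are certain; other groups need review
#    (legitimately duplicated scripts also cluster).
$roots   = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
$scripts = foreach ($d in $roots) {
    Get-ChildItem -Path $d.Root -Recurse -Include *.vbs, *.vbe -File -ErrorAction SilentlyContinue
}
$scripts | Get-FileHash -Algorithm SHA256 | Group-Object -Property Hash |
    Where-Object { $_.Count -gt 1 -or $_.Name -eq $wormHash } | ForEach-Object {
        $tag = if ($_.Name -eq $wormHash) { 'WORM COPIES' } else { 'identical scripts, review' }
        $findings += "$($_.Count) $tag (SHA-256 $($_.Name)): $($_.Group.Path -join ', ')"
    }

if ($findings) { $findings } else { 'No ShakiraPics indicators found.' }
```

The script deliberately leaves overwritten .VBS/.VBE files and SCRIPT.INI in place even with -Remove: the originals are gone (the worm overwrote them), so the only useful action is to restore them from backup, and a SCRIPT.INI beside MIRC.INI may be the user's own. Because the marker values sit under HKEY_CURRENT_USER, run the check under each account that used the machine, not only the administrator's.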