VBS.TripleSix
Description VBS.TripleSix
This is a worm written in the Visual Basic Script (VBS) language. It spreads via e-mail and IRC (Internet Relay Chat) channels. When executed, the worm script displays the message:

"Does your name add up to 666? This handy little tool will tell you what your name adds up to in ASCII characters (without including spaces and without converting numbers to ASCII). It is just for fun, it does not mean you are going to go to hell if you get a 666. You should probably read the bible if you are concerned about that."

It then asks the user for names and computes the sum of the ASCII codes of the characters in the entered text:

"Does your name add up to 666? Enter your name. Also try names from your family and friends. And if you want something interesting try BILL GATES 3 (Bill's real name is Bill Gates the third) and HOLY BIBLE. Press Cancel or Ok without entering any name to exit."
When empty text is entered, the worm proceeds to its spreading routine. First, this routine creates a ZIP archive containing the worm itself. To create the archive, the worm uses the "pkzip" utility, which is stored inside the worm's body in a text-based encrypted format and is decrypted before execution. The worm then places the created archive in the Windows directory under the name "666TEST.ZIP". The worm also creates the file "REGSVR.VBS" in the Windows system folder and modifies the system registry so that this script is executed on every Windows startup. When executed, this script enumerates all disk drives on the computer and checks the following folders on them:

MIRC
MIRC32
PIRCH
PIRCH98

If a checked folder or one of its subfolders contains the executable file of MIRC or PIRCH (popular IRC clients), the worm creates a script for the IRC client it found. That script sends the 666TEST.ZIP file, with the worm inside, to every user joining the IRC channel. The worm also checks the system date and, on the fifth of every month, changes the desktop wallpaper to a tiled cartoon picture of a sad face.

Finally, the worm attempts to spread via e-mail using MS Outlook, in the same way as the "Melissa" macro virus does. The infected message carries the attached "666TEST.ZIP" archive with the worm script inside. The message subject is "666 test", and the body is "> Does your name add up to 666 in ASCII characters? Are you going to go to hell?".

The worm does not spread from the same computer twice. To prevent duplicate spreading, it creates a key in the system registry:

"HKEY_LOCAL_MACHINE\Software\MIRC/OUTLOOK/PIRCH.VanHouten" = "True"
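The e-mail and file traits described above can be turned into a triage check for a mail gateway or a host file listing. The following Python code is an added example, not part of the original description; the function names are hypothetical, and the sample message is constructed with a harmless placeholder attachment.

```python
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "666 test"
ATTACHMENT = "666test.zip"
BODY_MARKER = "does your name add up to 666 in ascii characters?"
DROPPED_FILES = {"666test.zip", "regsvr.vbs"}


def mail_indicators(raw):
    """Return which of the described e-mail traits a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            # get_content() undoes any transfer encoding before matching.
            if BODY_MARKER in part.get_content().lower():
                hits.append("body")
    return hits


def dropped_file_hits(paths):
    """Return Windows paths whose base name matches a file the worm drops."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


def build_sample():
    """Constructed sample message; the attachment is placeholder bytes only."""
    m = EmailMessage()
    m["Subject"] = "666 test"
    m["From"] = "a@example.test"
    m["To"] = "b@example.test"
    m.set_content("> Does your name add up to 666 in ASCII characters? "
                  "Are you going to go to hell?")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="zip", filename="666TEST.ZIP")
    return m.as_bytes()
```

A file name match on its own is weak evidence; treat a hit as a prompt to inspect the file and the startup registry entries.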
Macro.Word.Helper.a
Description Macro.Word.Helper.a
It is an encrypted virus. It contains only one macro, AutoClose, and infects documents and the NORMAL.DOT file on closing. Depending on the system date, it sets the password "help" for the current document.
Macro.Word.Hiac
Description Macro.Word.Hiac
This macro virus does not manifest itself in any way. It contains two macros in infected documents and NORMAL.DOT:

Documents    NORMAL.DOT
---------    ----------
AutoClose    Hi
AC           AutoClose
The virus copies itself to the global macros area and to documents on file closing (AutoClose) - it copies the macros "AutoClose" <-> "Hi", and "AC" <-> "AutoClose".