Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

VBS/VBSWG.AQd

Aliases: Worm/Shakira

VBS/VBSWG.AQ is a worm written in Visual Basic Script created by means of the generator VBSWG 1.1 (Visual Basic Script Worm Generator).  The worm body is encrypted.  The worm spreads as a file attachment of email messages or by means of IRC client mIRC.  As a result of the worm activity some files on the disk are overwritten and thus irretrievably damaged.
The worm arrives on computer in an email message with subject Shakira's Pictures.  In the attachment is a file ShakiraPics.jpg.vbs with size of approximately 7997 bytes.  The body of the message is formed by the following text:

Hi :
i have sent the photos via attachment
have funn...

Note: In the following text the symbolic entry %windir% is used instead of the name of directory in which the operating system Windows is installed, as that may be because of obvious reasons different at any single installation.

When the file in the attachment containing the worm code is executed it is copied as the file ShakiraPics.jpg.vbs into directory %windir%.  The worm creates in the system registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry with value wscript.exe %windir%\ShakiraPics.jpg.vbs %.  By doing so it ensures its activation at each system restart.
The worm sends its copies to all email addresses it finds in the address book.  The fact that it has already sent its copies from the infected computer it records in the system registry by creating the key HKCU\software\ShakiraPics\mailed.  It sets the value of the key to 1.
Then the worm looks for the directory in which the IRC client mIRC is installed.  If the worm finds it, it creates the file script.ini in it.  This file contains the initial setting of the IRC client.  The file created by the worm will through DCC offer the download of the worm to everybody who is connected to the same channel as the user of the infected computer is.  The worm will record creation of the file mirc.ini by creating a key HKCU\software\ShakiraPics\mirqued in the system registry.  It will set the key value to 1.  System NOD32 identifies this created file as mIRC/Salim.A.
Subsequently, the worm searches through all accessible disks and overwrites files with extensions vbs and vbe by its copies.  That means that their original contents are irretrievably destroyed.  At the end of its activity the worm displays a window with the following message:


The worm can be identified in a suspected file by a freely seen text 'Vbs.ShakiraPics Created By TGK in the first line.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.