Threat Encyclopedia


VBS/Sargo.A

VBS/Sargo.A is a worm that spreads as the file NastySarah.jpg.vbs attached to email messages. It is written in Visual Basic Script, but it contains errors which prevent it from spreading successfully. When the file NastySarah.jpg.vbs is run, the worm copies itself into the SYSTEM subdirectory of the directory where Windows is installed (typically /WINDOWS/SYSTEM). It ensures that it is activated in the future by creating the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NastySarah. The worm sets the value of the key so that the file NastySarah.jpg.vbs containing the worm is run. To spread, the worm prefers to use the MAPI interface. If MAPI is not installed, it tries to use Collaboration Data Objects or Microsoft Outlook. If it does not find any of these options, it will display the following message:

The worm code contains an error, which shows up as a Windows Scripting Host error message window. The worm checks the messages in received mail. If it finds the string "NASTYSARAH" in a message subject, it deletes the message. The worm replies to messages received within the previous 4 days and sends a copy of itself to their senders' addresses. The body of the reply contains the following text: "Thanks for your mail! I've been kind of busy lately, and haven't really had time to do a full reply, so, until I do, check this out." The text "Regards (name of the original sender)" follows, and a copy of the original message is appended. If there are any requests concerning the sent message, the worm answers them with a message confirming that it was really sent by the author and that the attached file is safe.

With a probability of 5% the worm modifies keys in the system registry. This may, for example, change the registered Windows user to VBS/NastySarah@m. On May 31st the worm tries to write the message "Have you ever heard of that fat, ugly bitch Sarah Gordon? She claims to be 'discovering what drives us', but really, she just pisses us off! In honor of Sarah Gordon, fat bitch of the high seas!" but it never succeeds because of an error in the code, and an error message is displayed instead. The worm then modifies the file autoexec.bat in such a way that the whole disk C: will be deleted at the next system restart.
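The two indicators described above, an attachment whose harmless-looking extension hides a script extension and a Run key value that launches such a file, can be checked with a short triage script. This is an added example, not part of the original encyclopedia entry; it generalizes from NastySarah.jpg.vbs to any decoy-plus-executable double extension, and the extension lists, function names and sample `reg query` output are assumptions constructed for illustration.

```python
import re

# Extensions a user reads as harmless, followed by one Windows will execute.
DECOY = r"(?:jpe?g|gif|png|bmp|txt|doc|pdf)"
ACTIVE = r"(?:vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|scr|pif|exe)"
# A file name (no path separators, spaces or quotes) with a masquerading suffix.
IN_COMMAND = re.compile(rf"[^\\/\s\"]+\.{DECOY}\.{ACTIVE}(?![\w.])", re.IGNORECASE)
# The same suffix anchored at the end of a bare attachment name.
AT_END = re.compile(rf"\.{DECOY}\.{ACTIVE}$", re.IGNORECASE)
# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def suspicious_run_values(reg_query_output):
    """Return (value name, file name) for Run values that start a disguised file."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, data = m.groups()
        hit = IN_COMMAND.search(data)
        if hit:
            findings.append((name, hit.group(0)))
    return findings

def suspicious_attachments(filenames):
    """Return the attachment names that end in decoy + executable extensions."""
    return [f for f in filenames if AT_END.search(f.strip())]

# Constructed sample in the format printed by:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# The value name and path are assumed from the description above.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    NastySarah    REG_SZ    C:\WINDOWS\SYSTEM\NastySarah.jpg.vbs
"""

# Constructed attachment names, as a mail gateway might list them.
SAMPLE_ATTACHMENTS = ["NastySarah.jpg.vbs", "holiday.jpg", "setup.exe", "my notes.txt.JS"]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN_KEY))
    print(suspicious_attachments(SAMPLE_ATTACHMENTS))
```
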

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.