Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

VBS/Sorry.C

VBS/Sorry.C is a script worm written in Visual Basic Script.  It only works on systems that have Windows Scripting Host installed (a standard installation-feature of  Windows 98).  On an infected computer the worm copies itself into several directories and sends out its copies.

Note: In the following text the symbolic variable  %windir% is used instead of the name of directory in which the operating system Windows is installed, as the directory can differ depening on the installation.

When the worm is run, it tries to determine the name of the directory in which Windows operating system is installed and additionally in which directory temporary files are stored.  As a next step the worm determines from which file it was executed.  If it was executed from a locality different than the file %windir%\fonts\ttfloads.vbs it copies itself into this file and executes it.  If the worm was not executed from a directory containing the string Startup in its name nor from the file %windir%\fonts\ttfloads.vbs it will display a fake error message:

When a user clicks the "OK" button the worm deletes itself and ends its activity.
Then the worm creates the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ttfload in the system registry and sets it to the value %windir%\fonts\ttfloads.vbs.  By means of this manipulation the worm ensures its activation whenever  the operating system restarts.  It sets the value of the key HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout to 0.  With the probability of 1:1000 it will set the key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start to the value http://www.zonelabs.com/. By doing this, the start page setting of Internet Explorer will be changed to the page of the producer of the personal firewall ZoneAlarm.
After modification of the system registry the worm searches through the accessible disks.  On hard disks and RAM disks, network disks and portable media it searches for directories containing the strings mirc, pub, ftproot, wwwroot, download, upload, share, game, warez, chode, foreskin and dickhair in their names.
While searching through the disks the worm deletes the encountered files network.vbs, mscfg.vbs, winsock.vbs, a24.vbs, mscfg.exe, ashield.pif and netstat.pif.  If it finds a text file it reads its first line. If it finds the text 'ttfloader.vbs v0.4 by: soRRyAzzC0DER, it assumes that it is the worm copy and deletes it.  It deletes also text files containing the texts 'ttfloader.vbs v0.3 by: soRRyAzzC0DER or 'ttfloader.vbs v0.2 by: soRRyAzzC0DER in their first line.
If it finds a directory containing the string mirc in its name, the worm creates the file mirc.ini in this directory and the file sndload.vbs in directory %windir%/fonts/.
If a directory name on the disk contains any of the strings pub, ftproot, wwwroot, download, upload, share, game or warez the worm copies itself into it using a random name.  Creating a random name is simple and efficient – as base the worm uses a name found among files in the directory %windir%/recent adds a random number of spaces to it and adds the extension .vbs.
The worm deletes directories containing the strings chode, foreskin and dickhair in their names.
On portable or network disks the worm copies itself into directories containing the strings my, share, download, downloads in their names.  It creates the name for its copy as described above.  But if the directory contains the string win in its name the worm copies itself into its subdirectories \startm~1\programs\startup, profiles\admini~1\startm~1\programs\startup and \profiles\alluse~1\startm~1\programs\startup as a file with filename ttfloader.vbs.
The worm tries to determine whether ping responses from certain ranges of IP addresses are returned.
The worm keeps record on the number of infected computers in the file %windir%/system/tftload.dll.  Whenever it manages to attack another computer it writes the text "HOST FOUND!" into this file.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.