Threat Encyclopedia



VBS/Merlin is a script worm written in Visual Basic Script. It arrives as an e-mail message in HTML format with the subject "WindowsXP Betatest". The message body contains the text "This message has permanent errors. It can be displayed only if executing of components ActiveX is enabled". If ActiveX execution is not enabled, the following message is displayed instead:
You need ActiveX enabled if you want to see this message again and click
Microsoft Outlook
The worm is activated as soon as the message is read. It first generates a random filename of seven characters, each a capital letter from P to Z. It then creates an entry under HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*******, where the asterisks stand for the generated name; the entry's data is set so that the worm is launched at every system start by wscript.exe, the Windows Script Host interpreter that ships with the operating system. Next the worm copies itself into the directory in which Windows is installed, both under the generated name and under the name WindowsXP.html. It then deletes every message with the subject WindowsXP Betatest from the Inbox and Deleted Items folders, and finally sends a copy of itself to all addresses in the Outlook contacts.
VBS/Merlin can also spread over shared disks on the local network. On each such share it writes itself into the directory in which Windows is installed, under the name generated at the beginning.
The worm's payload depends on the day of the month. On the 2nd it tries to download the worm VBS/Homepage and to arrange for it to run after the next system restart. It then tries to delete the files User.dat, User.bak, System.dat and System.bak (the Windows 9x registry hives and their backups) and Regedit.exe, and finally shuts the computer down.
On the 4th it modifies autoexec.bat so that drive C: is formatted on the next restart.
On the 5th it changes the desktop work area setting of the monitor.
On the 7th it tampers with the Microsoft Agent settings.
It then searches all accessible drives, infects files with the extensions vbs and vbe, and deletes files with the doc extension. If it finds a mirc.ini file, the initialisation file of the IRC client mIRC, it modifies its contents so that every new user who joins the same channel is sent a copy of the worm via DCC. The worm also makes extensive changes to the system registry. It modifies the following values; the first four control Windows Script Host itself, the rest set the Internet Explorer ActiveX policies "Run ActiveX controls and plug-ins" (1200), "Initialize and script ActiveX controls not marked as safe" (1201) and "Download unsigned ActiveX controls" (1204) for the zones My Computer (0), Local intranet (1) and Internet (3):

HKey_Current_User\Software\Microsoft\Windows Script Host\Settings\Timeout
HKey_Current_User\Software\Microsoft\Windows Script Host\Settings\Remote
HKey_Current_User\Software\Microsoft\Windows Script Host\Settings\Enabled
HKey_Current_User\Software\Microsoft\Windows Script Host\Settings\TrustPolicy
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1204
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1204
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1204
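The Run entry and the zone values above are the host-side traces an incident responder would look for after cleaning the mailbox. The following is an added example, not code from the ESET page or from the worm: it parses the text format written by `reg export` and flags both traces, a Run entry whose name is seven capital letters from P to Z and whose command launches wscript.exe, and the policies 1201 and 1204 set to Enable (0) in the Local intranet and Internet zones. The sample export, the value name QRSTUVW, the path C:\WINDOWS and the exact wscript.exe command line are constructed assumptions; the page does not state which file extension the dropped copy carries.

```python
"""Triage of the VBS/Merlin registry traces described above (added example).

Parses the text produced by `reg export` into {key: {value name: data}} and
reports (a) Run entries matching the worm's persistence scheme and (b) IE zone
policies loosened to Enable. Nothing here touches the live registry, so the
dump can be analysed on any machine.
"""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]

# Constructed sample export. The value name QRSTUVW, the path C:\WINDOWS and
# the ".vbs" extension in the wscript.exe command line are assumptions.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"QRSTUVW"="wscript.exe C:\\WINDOWS\\QRSTUVW.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1201"=dword:00000000
"1204"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1200"=dword:00000000
"1201"=dword:00000003
"1204"=dword:00000000
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Naming scheme from the description: seven capital letters, each in P..Z.
MERLIN_NAME = re.compile(r"^[P-Z]{7}$")

# IE zone action values the worm edits. Action data: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_POLICIES = {
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1204": "Download unsigned ActiveX controls",
}
# 1200 = 0 is the normal default for the Internet zone, so only these two are judged.
SUSPICIOUS_WHEN_ENABLED = ("1201", "1204")


def parse_reg_export(text: str) -> RegTree:
    """Parse `reg export` output. String data is unescaped (\\\\ and \\");
    dword data is converted to its decimal form as a string."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            tree[current][name] = data
    return tree


def find_merlin_run_entries(tree: RegTree) -> List[Tuple[str, str]]:
    """Run entries with a P..Z seven-letter name whose command runs wscript.exe."""
    return [(name, cmd) for name, cmd in tree.get(RUN_KEY, {}).items()
            if MERLIN_NAME.match(name) and "wscript.exe" in cmd.lower()]


def loosened_activex(tree: RegTree) -> List[Tuple[str, str, str]]:
    """(zone, policy, label) for policies 1201/1204 set to Enable in zones 1 and 3.
    Zone 0 (My Computer) is not judged: it was permissive by default on the
    Windows versions this worm targeted, so Enable there is not a signal."""
    findings = []
    for zone in ("1", "3"):
        values = tree.get(f"{ZONES_KEY}\\{zone}", {})
        for policy, label in ACTIVEX_POLICIES.items():
            if policy in SUSPICIOUS_WHEN_ENABLED and values.get(policy) == "0":
                findings.append((zone, policy, label))
    return findings


def triage(export_text: str) -> dict:
    """Run both checks over one export and return the findings."""
    tree = parse_reg_export(export_text)
    return {"run_entries": find_merlin_run_entries(tree),
            "loosened_activex": loosened_activex(tree)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_EXPORT).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

Export the two keys from a suspect host with `reg export` (or copy the hives and load them offline), then feed the text to `triage`. A hit on `run_entries` names the file to collect from the Windows directory; the `loosened_activex` list tells you which zone policies to restore after the worm's copy has been removed.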

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.