Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

VBS/SSIWG.R

VBS/SSIWG.R is a worm created by the script worms’ generator SSIGW.  It is able to spread by means of email or IRC clients mIRC and Pirch.  Spreading of the worm depends on the installation of Windows Scripting Host (WSH) which is a standard part of the operating systems Windows 98 and higher.  The worm arrives on computer as a file in an email attachment with subject "kewl fotka".  Its body is formed by the following text  "Kukaj na tu supu, co som nasiel :-)" (meaning: See the smash I have found:”).  Attachments of this message are files tvare1.jpg and tvare2.jpg.vbs.  The file tvare1.jpg contains parody on the well-known billboard of the political party SMER.  This is how the picture looked:

The file tvare2.jpg.vbs contains the worm code.  When it is run the worm copies itself under the name vyzva.jpg.vbs into the directory where the operating system Windows is installed.  The worm ensures its activation with the help of the system registry by creating the item WinUpdate in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.  The worm sets its value so that it is run after a system restart.  The worm then tries to send out its copies to all contacts in the address book of the Microsoft Outlook.  It also finds out whether the IRC client mIRC or Pirch is installed.  If it is, the worm will create the file script.ini for mIRc script.ini and the file events.ini for Pirch.  These files will cause the respective client to, by means of dcc, offer the download of the worm to everybody who is connected to the same channel as the user of the infected computer is.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.