Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


VBS/SSIWG.S is a worm created with the help of the script worms’ generator SSIGW.  It is able to spread by means of email or the IRC clients mIRC and Pirch.  The how the worm spreads depends on installation of Windows Scripting Host (WSH) which is a standard part of the operating systems Windows 98 and higher.
The worm arrives on computer as an email file attachment with the subject "vyzva!" and the message text body containing the text "Vsetkym obcanom!" (meaning: To all citizens!”).  The files image002.jpg, vyzva.jpg.vbs or in some cases also vyzva.html are attachments of this message.
The file image002.jpg contains a picture of a known medial magnate and politician.  The picture looks like this:

The file vyzva.jpg.vbs contains the worm code.  When it is run the worm copies itself using the filename vyzva.jpg.vbs into the directory where  the operating system Windows is installed.  The worm ensures its activation with the help of the system registry by creating the item TimeZone in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.  The worm sets its value so that it is run after a system restart.
The worm then tries to send out its copies to all contacts in the address book of Microsoft Outlook.  It also determines whether IRC client mIRC or Pirch is installed.  If this is the case, the worm will create the file script.ini for mIRc script.ini and the file events.ini for Pirch.  These files will cause that the respective client will, by means of dcc, offer the download of the worm to everybody who is connected to the same channel as the user of the infected computer is.
The file vyzva.html contains an alleged personal statement of a known medial magnate and politician.  In it he offers the program of his political party and comments some politically interesting topics.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.