Discovered: September 2, 2003
Updated: February 13, 2007 12:06:53 PM
When VBS.Masscal.Worm is executed, it performs the following actions:
- Copies itself to the following locations:
  - C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  - C:\Documents and Settings\All Users\Start Menu\Programs
  - C:\Documents and Settings\All Users\Desktop
  - C:\Documents and Settings\All Users\Documents
  - C:
  - %Temp%
  with the file names:
  - %User%'s_data_from_the_web.html.vbs
  - I_miss_you.txt.vbs
  - Tempfolder
  - Defragmenter.exe.vbs
  - ScanDisk32.exe.vbs
  - Win.Security.exe.vbs
  - www.symantec.html.vbs
  - Update.exe.vbs
  - Svchost.exe.vbs
  - Scan32.exe.vbs
  - Restore.exe.vbs
  - Spoolsv.exe.vbs
  Note: %Temp% is the default temporary folder, and %User% is the name of the default Windows user.
- Creates a VBS script, C:\Fire.kaz, that searches for .html, .htm, and .htt files in the following folders:
  - C:\Documents and Settings\All Users\Desktop
  - C:\Program Files
  - C:\Windows
  and prepends the following text to any files it discovers:
  "<!-You are a victim of massacres.....->"
- Searches for files with .vbs and .vbe extensions in the following folders:
  - %Temp%
  - C:
  - C:\Windows
  - C:\Program Files
  - C:\Documents and Settings\%User%
  - C:\Documents and Settings\%User%\Desktop
  - C:\Documents and Settings\%User%\Desktop\1
  - C:\Documents and Settings\%User%\Cookies
  - C:\Documents and Settings\%User%\NetHood
  - C:\Documents and Settings\%User%\My Documents
  - C:\Documents and Settings\%User%\Local Settings
  - C:\Documents and Settings\%User%\Application Data
  - C:\Documents and Settings\%User%\Local Settings\Temp
  - C:\Documents and Settings\%User%\My Documents\My Received Files
- Infects any .vbs or .vbe files discovered by:
  - Prefixing the file names with "MASS-"
  - Prepending the following text to the file, followed by a copy of itself:
    "'You are a victim of massacres....."
- Prepends the following text to .txt, .rtf, and .ini files:
  "'You are a victim of massacres....."
  "Hello " & user & "."
  "'This is just to let you know, what could happen to your files, if you trust bill gates."
  "'I could've eliminated what I want, you know, but I am not as dirty as bill gates..."
  "'The name of this file was--->" & %filename% & " size: " & %filesize% & "-bytes, hehehe;) -Located on " & %parent_folder%
  "-This file was last Accessed in " & %DateLastAccessed% "-and created in " & %DateCreated%
  "-Have a nice day ;)"
  "|--=--=====-YOUR-FILE-BELOW-=====--=--|"
- Infects .html, .htm, and .htt files by:
  - Prefixing the file name with "MASS-"
  - Prepending the following text, followed by a copy of C:\Fire.kaz in the form of VBScript:
    "<!-You are a victim of massacres.....->"
- Does one of the following:
  - Displays the message:
    "-I massacri-"
    "Sono il cervello, siamo la mente, siamo uniti !"
    and executes the executable routine explained in step nine.
  - Displays the message:
    %script_name%
    "Error# " & %random_number% & %msg%
    Notes:
    - %script_name% is the name of the viral script file.
    - %random_number% is a random number generated by the worm.
    - %msg% is one of the following text strings:
      " - cannot find adecuated decoder."
      " - unable to find help context menu."
      " - missing file."
      " - device did not loaded properly."
      " " & %script_name% & " - is not a valid file."
- Drops a Trojan horse, %Windir%\SystemCal.exe, and runs it in the background.
  Notes:
  - The Trojan horse can cause the Windows display to not function properly.
  - %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Creates the file, C:\Fire.bat, which sends all computers on the local network the following message:
  "I got massacred...:'()"
Writeup By: Tony Lee
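
The file names, the "MASS-" prefix and the prepended marker text listed above can be checked for in a folder or a mounted disk image. The following Python triage script is an added example, not part of the original write-up or of any Symantec tool; the function names, the reason labels and the sample files are constructed for illustration, and it assumes the marker text is stored as ANSI or UTF-16LE.

```python
import tempfile
from pathlib import Path

# Indicators copied from the write-up above; names are compared in lower case.
MARKER = "You are a victim of massacres"
KNOWN_NAMES = {
    "i_miss_you.txt.vbs", "defragmenter.exe.vbs", "scandisk32.exe.vbs",
    "win.security.exe.vbs", "www.symantec.html.vbs", "update.exe.vbs",
    "svchost.exe.vbs", "scan32.exe.vbs", "restore.exe.vbs", "spoolsv.exe.vbs",
    "fire.kaz", "fire.bat", "systemcal.exe",  # files the worm creates or drops
}
MARKED_EXT = (".vbs", ".vbe", ".html", ".htm", ".htt", ".txt", ".rtf", ".ini")

def classify(path, head_bytes=512):
    """Return the indicators one file matches (empty list means no match)."""
    name = Path(path).name.lower()
    reasons = []
    if name in KNOWN_NAMES or name.endswith("'s_data_from_the_web.html.vbs"):
        reasons.append("known-file-name")
    if name.startswith("mass-"):
        reasons.append("mass-prefix")
    if name.endswith(MARKED_EXT):
        try:
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
        except OSError:
            head = b""  # unreadable: the name checks above still apply
        # Assumption: text is ANSI or UTF-16LE; it is prepended, so it sits in the head.
        if MARKER.encode("ascii") in head or MARKER.encode("utf-16-le") in head:
            reasons.append("marker-text")
    return reasons

def scan(root):
    """Return {path: reasons} for every file under root that matches."""
    found = ((p, classify(p)) for p in Path(root).rglob("*") if p.is_file())
    return {str(p): reasons for p, reasons in found if reasons}

def demo():
    """Scan a constructed tree of harmless text files; return {file name: reasons}."""
    samples = {
        "MASS-index.html": b"<!-You are a victim of massacres.....->\n<html></html>",
        "notes.txt": "'You are a victim of massacres.....\r\n".encode("utf-16-le"),
        "Update.exe.vbs": b"' constructed placeholder, no worm code\n",
        "readme.txt": b"ordinary file\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for fname, data in samples.items():
            Path(root, fname).write_bytes(data)
        return {Path(p).name: r for p, r in scan(root).items()}
```

A name-only match such as Update.exe.vbs is a lead for review, while a file that carries both the "MASS-" prefix and the marker text matches two independent behaviours described in the write-up.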