VBS.Winter.B

Updated: February 13, 2007 11:34:04 AM


VBS.Winter.B is a Visual Basic Script worm. Like many other worms, it uses Microsoft Outlook, mIRC, and Pirch to spread itself. The worm arrives as the file UndetectedWorm.vbs. Upon execution, the worm attempts to open a connection to a Web site. Any .vbs and .vbe files are overwritten with a copy of the worm.

Antivirus Protection Dates

  • Initial Rapid Release version December 19, 2000
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 19, 2000
  • Latest Daily Certified version September 28, 2010 revision 036


When executed, the VBS.Winter.B worm will perform the following actions:

  • Copies itself to the Windows System directory as UndetectedWorm.vbs.
  • Adds the value "UndetectedWorm" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to enable itself at startup.
  • Searches for the mIRC program directory. If present, overwrites the script.ini file to spread itself when connected to mIRC.
  • Searches for the Pirch program directory. If present, overwrites the events.ini file to spread itself when connected to Pirch.
  • For each separate address list found in Microsoft Outlook, sends a single email with every address entry in that list added as a BCC recipient. The email contains the UndetectedWorm.vbs file.
  • Searches for .vbs and .vbe files on mapped drives, shared drives, and disk drives in which disks are present. Overwrites these files with a copy of itself.
  • Attempts to connect to the Web site http://users.tmok.com/~dr_bulge/smt1

The worm also keeps a record of its infection by creating the registry key HKCU\Software\Undetected. In this key, it stores information after it has attempted to mail itself using Outlook. It also records whether it has affected the mIRC or Pirch programs. These actions are marked by the values mailed, mirqued, and pirched being created and set to 1. This allows the worm to perform a check for previous infections.
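
The host artifacts listed above can be checked with a short read-only PowerShell triage script. This is an added example, not part of the original write-up; the function name Get-WinterBIndicators is hypothetical, and the script inspects only the current user's HKCU hive.

```powershell
# Added example: read-only triage for the VBS.Winter.B artifacts described above.
# All paths and value names are taken from the write-up; nothing is modified.
# Get-WinterBIndicators is a hypothetical name chosen for this example.

function Get-WinterBIndicators {
    $findings = @()

    # 1. Copy of the worm dropped in the Windows System directory
    $dropped = Join-Path ([Environment]::SystemDirectory) 'UndetectedWorm.vbs'
    if (Test-Path -LiteralPath $dropped) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = $dropped }
    }

    # 2. Startup persistence: value "UndetectedWorm" under the HKLM Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'UndetectedWorm' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Indicator = 'Run value'; Detail = "$($run.UndetectedWorm)" }
    }

    # 3. Infection marker key (per user) and its three per-vector flags.
    #    A flag set to 1 means the worm recorded that spreading step.
    $markerKey = 'HKCU:\Software\Undetected'
    if (Test-Path -Path $markerKey) {
        $marker = Get-ItemProperty -Path $markerKey
        $flags = foreach ($name in 'mailed', 'mirqued', 'pirched') {
            "$name=$($marker.$name)"   # empty after '=' means the value is absent
        }
        $findings += [pscustomobject]@{ Indicator = 'Marker key'; Detail = ($flags -join ', ') }
    }

    return $findings
}

$result = Get-WinterBIndicators
if ($result) {
    $result | Format-Table -AutoSize
} else {
    'No VBS.Winter.B artifacts found for this user on this host.'
}
```

A mailed, mirqued, or pirched flag set to 1 indicates which spreading step the worm recorded on that host, which helps scope whether Outlook contacts or IRC script files also need review.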