When executed, the VBS.Forgotten.A@mm worm performs the following actions:
- Copies itself to the Windows System directory as vb1.com.vbs.
- Searches for the mIRC program directory. If present, the worm overwrites the Script.ini file to spread itself when connected to mIRC.
- Searches for the Pirch program directory. If present, the worm overwrites the Events.ini file to spread itself when connected to Pirch.
- Sends a single email message to each address list found in Outlook, with each address entry added as a BCC address.
- Searches for .vbs and .vbe files on mapped drives, shared drives, and floppy disk drives in which disks are present. Overwrites these files with a copy of itself.
- Adds the value vb1 to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to enable itself at startup.
The worm also keeps a record of its infection by creating the registry key HKEY_CURRENT_USER\Software\(ANSWER). In this key, it stores information after it attempts to mail itself using Outlook. It also records whether it has affected the mIRC or Pirch programs. These actions are marked by the values "mailed", "mirqued", and "pirched" being created and set to 1. This lets the worm perform a check for previous infections.
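The artifacts listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original write-up; the function name and output fields are illustrative, and the file name, registry locations and value names are taken from the description above.

```powershell
# Added example: read-only check of the current host and user for the
# artifacts this write-up lists. Nothing is modified or deleted.
function Get-ForgottenArtifact {
    $runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $markerKey = 'HKCU:\Software\(ANSWER)'
    $dropped   = Join-Path ([Environment]::SystemDirectory) 'vb1.com.vbs'

    # What each marker value says about how far the worm got (per the description).
    $stages = [ordered]@{
        mailed  = 'Outlook mailing was attempted'
        mirqued = 'mIRC was affected (Script.ini overwritten)'
        pirched = 'Pirch was affected (Events.ini overwritten)'
    }

    # Copy dropped in the Windows System directory.
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        [pscustomobject]@{ Artifact = 'File'; Location = $dropped
                           Meaning  = 'worm copy present' }
    }

    # Startup persistence: a value named vb1 under the Run key.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['vb1']) {
        [pscustomobject]@{ Artifact = 'Run value'; Location = "$runKey\vb1"
                           Meaning  = "starts: $($run.vb1)" }
    }

    # Infection record: report the key, then each value that is present and set to 1.
    if (Test-Path -LiteralPath $markerKey) {
        [pscustomobject]@{ Artifact = 'Marker key'; Location = $markerKey
                           Meaning  = 'infection record exists' }
        $rec = Get-ItemProperty -LiteralPath $markerKey
        foreach ($name in $stages.Keys) {
            if ($rec -and $rec.PSObject.Properties[$name] -and "$($rec.$name)" -eq '1') {
                [pscustomobject]@{ Artifact = 'Marker value'; Location = "$markerKey\$name"
                                   Meaning  = $stages[$name] }
            }
        }
    }
}

Get-ForgottenArtifact | Format-Table -AutoSize
```

The infection record lives under HKEY_CURRENT_USER, so the script only sees the profile of the account that runs it. The marker values also indicate which follow-up checks are needed: the mIRC Script.ini, the Pirch Events.ini, and .vbs/.vbe files on mapped and shared drives.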
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":