Virus

VBS/Sorry.C

Analysis

  • Virus is coded in VBScript and is 11,033 bytes
  • Virus adds a key in the registry to load at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ttfload = (.VBS filename)

  • Virus scans a range of IP addresses and:

    • attempts to map the host to the target IP address
    • attempts to search all subfolders on the target system and copy itself under the filename "ttfloads.vbs" into subfolders matching these names:
      startm~1\programs\startup\
      profiles\admini~1\startm~1\programs\startup\
      profiles\alluse~1\startm~1\programs\startup\
  • Virus modifies the existing mIRC configuration file SCRIPT.INI to send "sndvol.vbs" to others
  • Virus contains this comment line:
    'ttfloader.vbs v0.4 by: soRRyAzzC0DER
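
A defender's check for the indicators listed above, as an added example that is not part of the original analysis: it walks a mounted disk image or file share and flags the startup-folder copy, the embedded author comment, and a SCRIPT.INI that references "sndvol.vbs". The function names, the 64 KiB read limit, and passing Run-key values in as name/data strings are assumptions of this example.

```python
import os
from pathlib import Path

# Indicators taken from the analysis above.
DROPPED_NAME = "ttfloads.vbs"
MARKER = b"sorryazzc0der"      # from the embedded comment line, lower-cased
MIRC_PAYLOAD = b"sndvol.vbs"
RUN_VALUE = "ttfload"
MAX_READ = 64 * 1024           # assumption: ample for an 11,033-byte script

def _head(path):
    """Return the first MAX_READ bytes lower-cased, or b'' if unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(MAX_READ).lower()
    except OSError:
        return b""

def in_startup_folder(path):
    """True when the file sits directly in a ...\\Programs\\Startup folder."""
    parts = [p.lower() for p in Path(path).parent.parts]
    return parts[-2:] == ["programs", "startup"]

def run_value_suspicious(name, data):
    """Flag a Run-key value named ttfload whose data ends in .vbs."""
    return name.lower() == RUN_VALUE and data.strip('" ').lower().endswith(".vbs")

def scan_tree(root):
    """Walk root and return sorted (reason, relative_path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            low = fname.lower()
            if low == DROPPED_NAME and in_startup_folder(full):
                findings.append(("startup-copy", rel))
            if low.endswith(".vbs") and MARKER in _head(full):
                findings.append(("author-marker", rel))
            if low == "script.ini" and MIRC_PAYLOAD in _head(full):
                findings.append(("mirc-script", rel))
    return sorted(findings)
```

Matching only the last two path components lets the same check cover the per-profile and all-users startup folders whether the mount shows long or 8.3 short names for the parent directories.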