VBS/SSIWG.U@mm
Analysis
- Virus is coded in VBScript with a size of 5,669 bytes - much of the code is encrypted, making visual analysis difficult
- Virus adds a key in the registry to load at Windows startup -
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  CUC0O0 = C Windows\System\CUC0O0.VBS
- Virus writes two files to the local system -
  Windows\System\AntiVirus700.com
  Windows\System\CUC0O0.VBS
- Virus launches AntiVir700.com which is a virus known as VCS - this dropped virus then infects COMMAND.COM
- Virus sends emails to all contacts listed in the
address book for Outlook in this format -
Subject: WARNING!!! THIS IS URGENT PLEASE READ.
Body: Your system is in need to be cured from a DEADLY Virus that has been detected on your system.
Virus Name: W97.Hurricane.700
It has infected: Your .COM Files and your .EXE Files
Size: 1234
detectable: NO
disinfectable: YES
please read the .TXT file for further information on how to disinfect the Virus in your system!
WARNING!!!WARNING!!!WARNING!!!WARNING!!!WARNING!!!
signed,
Anti-Virus Company
P.S for further onfo please contact me at anytime.
AV@hotmail.com
Attachment: infectious .VBS file
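
A check for the indicators listed above, as an added example that is not part of the original analysis: it scans a registry export for the RunServices entry and a file listing for the two dropped file names. The sample export, its drive letter and the extra script-extension rule are constructed assumptions, not data from the page.

```python
import re

# Indicators taken from the analysis above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
VALUE_NAME = "CUC0O0"
DROPPED = {"cuc0o0.vbs", "antivirus700.com"}
# Generalisation added here, not from the page: any script started from RunServices.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Constructed sample in REGEDIT4 export format; the drive letter is assumed.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"CUC0O0"="C:\\Windows\\System\\CUC0O0.VBS"
'''

def scan_reg_export(text):
    """Return (value_name, data, reason) for suspicious RunServices entries."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # section header: remember which key the following values belong to
            key = m.group(1).lower()
            continue
        m = re.fullmatch(r'"(.*?)"="(.*)"', line)
        if not m or key != RUN_KEY:
            continue
        # .reg exports escape backslashes; undo that before taking the file name.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        base = data.split("\\")[-1].lower()
        if name.upper() == VALUE_NAME or base in DROPPED:
            findings.append((name, data, "matches VBS/SSIWG.U@mm indicator"))
        elif base.endswith(SCRIPT_EXT):
            findings.append((name, data, "script file started from RunServices"))
    return findings

def scan_files(paths):
    """Return the paths whose file name matches a dropped file named above."""
    return [p for p in paths if p.replace("/", "\\").split("\\")[-1].lower() in DROPPED]

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
    print(scan_files([r"C:\Windows\System\CUC0O0.VBS", r"C:\Windows\System\Kernel32.dll"]))
```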