For Home

Virus Profile: VBS/Sludge.worm

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/3/2003
Date Added: 2/3/2003
Origin: Unknown
Length: 1,731 bytes
Type: Virus
Subtype: P2P Worm
DAT Required: 4246
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the aforementioned files and registry key.

Methods of Infection

This worm spread via the Kazaa lite peer-to-peer file sharing application.
   

Virus Characteristics

This threat is proactively detected as "New Script" when using the 4100-4245 DAT files with macro and script heuristics enabled.

This is a VBScript peer-to-peer file sharing worm that intends to spread via the KaZaa, Kazaa Lite, Bearshare, Edonkey2000, and Morpheus applications. Due to an oversight in the code by the virus author, the worm requires Kazaa Lite in order to propagate. When run, the script copies itself using the following file names:

  • 10 naked teens.jpg.vbs
  • 15yteenf**k.jpg.vbs
  • Ad-Aware6.tar.vbs
  • Anton - Schwul oder was.mp3.vbs
  • Bin Laden's Home.doc.vbs
  • Bush is crazy(and stupid).doc.vbs
  • Eminem - I am your father.mp3.vbs
  • How To Rip DVDs.txt.vbs
  • illegalsex.jpg.vbs
  • Kamasutra2003.doc.vbs
  • kievgirl.jpg.vbs
  • Young russian teens.jpg.vbs
To the following folder, if present:
  • %Program Files%\kazaa lite\my shared folder
The worm also intends to copy itself to the following folders (this action fails):
  • %Program Files%\bearshare\shared
  • %Program Files%\edonkey2000\incoming
  • %Program Files%\kazaa\my shared folder
  • %Program Files%\morpheus\my shared folder
The worm copies itself to the %Temp% directory as _uninst12.vbs and creates a registry run key to load itself at system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Runfaststart" = "%Temp%\_uninst12.vbs"
On March 3rd, a message box is displayed:

   

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations