Virus Characteristics
This is a VBScript worm that also distributes itself through mIRC installations. Via mIRC, it arrives as a file called MyPicture.bmp.vbs. It contains the text:
' Millennium 0.4b vBS/mIRC =]'
which is not displayed. If this VBS file is run, this worm copies itself to these locations:
"c:\windows\system\MyPicture.bmp.vbs"
"c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs"
"c:\My Documents\MyPicture.bmp.vbs"
"c:\MyPicture.bmp.vbs"
Also it will overwrite all VBS files in the following locations:
"C:\"
"c:\My Documents"
"c:\Windows"
"c:\windows\samples\wsh"
This worm creates a mIRC configuration file named script.ini that sends the worm to other users!
This worm will also modify the system registry in order to load at Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
"WinLoad" = "c:\windows\system\MyPicture.bmp.vbs"
This worm creates a file called "c:\Millennium.NFO" which contains this text:
"Millennium 0.4b - mIRC/vBS"
"Fear the Millennium"
Next, this worm creates a debug script in the file "short.src" and a file called "fix.txt" containing the text "Fix.hex". It also creates the files "LCODER.HEX" and "FIX.HEX", which contain the programs "LCODER.EXE" and "FIX.EXE" respectively, encoded with a binary-to-ASCII method. Then it creates the file "fix.bat", which it runs.
Fix.bat runs the debug script "short.src" in debug.exe, a standard part of DOS, which creates a file called short.com. short.com is then run to decode lcoder.hex into lcoder.exe. lcoder.exe is a legitimate utility for encoding and decoding files between binary and ASCII so they can be transported across systems. lcoder.exe is then run to create fix.exe from fix.hex; fix.txt supplies lcoder.exe with the name of the file to be decoded.
Fix.exe contains a variant of the BackDoor-AB (alias "The tHing") remote access trojan! fix.bat then runs fix.exe, which installs BackDoor-AB on the system. BackDoor-AB is a very small trojan that is able to:
-Notify a user via ICQ when it is installed
-Inform the intruder of the name of the victim's Windows directory
-Upload a file
-Spawn (run) a file on the victim's computer
-Reboot the victim's computer
Its feature set appears designed to let an intruder quietly install a larger backdoor. Finally, fix.bat deletes short.com, short.src, lcoder.exe, lcoder.hex, fix.hex, fix.txt, and itself (fix.bat).
The script.ini file spreads the worm to other users as they join the channel, and when the infected user connects to IRC it sends a message to the channel #xmasday containing the IRC server, IP address, operating system, time, date, and the time since the last reboot. The mIRC script contains the text:
";mIRC Protection Script DO NOT EDIT!"
";By Khaled Mardem-Bey"
"; www.mirc.com"
which is not displayed. If the infected user changes their nickname on IRC, the script sends a message to the channel "#xmasday" saying "OldNick was [Nickname of IRC user]". If the infected user receives a notice containing the text "millennium", it sends a message to "#xmasday" saying "[Current time] [Nickname of user] Killed me, closing mIRC... *I Am Gone*" and exits mIRC. If the infected user quits IRC, it sends a message to "#xmasday" saying "[Nickname of user] stating [the optional reason they gave for quitting IRC]".
If the date is December 31st, it executes the following payloads. It displays the message box:
"The End"
"Happy New Year!"
Then it changes the name, company, and product name the computer is registered under by setting the registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner" to "Millennium 0.4b", "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization" to "uNF", and "HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName" to "Winblows 2000". Then it overwrites the "c:\autoexec.bat" file to contain the instructions:
"@Echo off"
"Echo Your Computer is NOT Y2K Complient!"
"Echo Sorry For this Inconvenience"
"pause"
"echo Millennium 0.4b"
"pause"
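The indicators listed above (dropped file paths, the RunServices startup value, the text markers in the VBS file and in the mIRC script.ini, the December 31st registry and autoexec.bat changes) can be turned into a simple host check. The following Python is an added example, not code from the original write-up or from any vendor tool. It runs against a constructed snapshot of a Windows 9x host, file paths with their contents and registry values collected into plain dictionaries, so it works offline; the mIRC install path "C:\Program Files\mIRC" used in the sample is an assumption, since the write-up does not name where script.ini lives.

```python
"""Indicator check for the Millennium VBS/mIRC worm described above.

Added example, not part of the original write-up. The snapshot dictionaries
stand in for a real file system and registry so the check runs offline.
"""

# Files the worm drops, taken from the description. Windows paths are
# case-insensitive, so everything is compared in lower case.
DROPPED_FILES = {
    r"c:\windows\system\mypicture.bmp.vbs",
    r"c:\windows\start menu\programs\startup\rundll.vbs",
    r"c:\my documents\mypicture.bmp.vbs",
    r"c:\mypicture.bmp.vbs",
    r"c:\millennium.nfo",
}

# Text markers quoted in the description.
VBS_MARKER = "Millennium 0.4b vBS/mIRC =]"
MIRC_HEADER = (
    ";mIRC Protection Script DO NOT EDIT!",
    ";By Khaled Mardem-Bey",
    "; www.mirc.com",
)
AUTOEXEC_MARKER = "echo millennium 0.4b"

# Registry locations named in the description (lower-cased key paths).
RUNSERVICES_KEY = r"hklm\software\microsoft\windows\currentversion\runservices"
CURRENTVERSION_KEY = r"hklm\software\microsoft\windows\currentversion"
LOADER_VALUE = ("WinLoad", r"c:\windows\system\mypicture.bmp.vbs")
TAMPERED_VALUES = {
    "RegisteredOwner": "Millennium 0.4b",
    "RegisteredOrganization": "uNF",
    "ProductName": "Winblows 2000",
}


def check_snapshot(files, registry):
    """Return a list of findings for a host snapshot.

    files:    {path: text content}
    registry: {key path: {value name: data}}
    """
    findings = []
    for path, content in files.items():
        lower = path.lower()
        if lower in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
        if lower.endswith(".vbs") and VBS_MARKER in content:
            findings.append(f"VBS file carries worm marker: {path}")
        if lower.endswith("script.ini") and all(h in content for h in MIRC_HEADER):
            findings.append(f"mIRC script.ini carries worm header: {path}")
        if lower == r"c:\autoexec.bat" and AUTOEXEC_MARKER in content.lower():
            findings.append("autoexec.bat overwritten by December 31st payload")

    # Registry: normalise key paths the same way as file paths.
    reg = {key.lower(): values for key, values in registry.items()}
    name, data = LOADER_VALUE
    if reg.get(RUNSERVICES_KEY, {}).get(name, "").lower() == data:
        findings.append(f"RunServices startup entry: {name} = {data}")
    current = reg.get(CURRENTVERSION_KEY, {})
    for name, bad in TAMPERED_VALUES.items():
        if current.get(name) == bad:
            findings.append(f"registry branding tampered: {name} = {bad!r}")
    return findings


def infected_snapshot():
    """Constructed sample of an infected host, built from the description."""
    files = {
        r"C:\MyPicture.bmp.vbs": "' Millennium 0.4b vBS/mIRC =]'\r\n",
        r"C:\WINDOWS\SYSTEM\MyPicture.bmp.vbs": "' Millennium 0.4b vBS/mIRC =]'\r\n",
        r"C:\Millennium.NFO": "Millennium 0.4b - mIRC/vBS\r\nFear the Millennium\r\n",
        # mIRC install path is an assumption; the write-up does not give it.
        r"C:\Program Files\mIRC\script.ini": "\r\n".join(MIRC_HEADER) + "\r\n",
        r"C:\autoexec.bat": "@Echo off\r\necho Millennium 0.4b\r\npause\r\n",
    }
    registry = {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
            "WinLoad": r"c:\windows\system\MyPicture.bmp.vbs",
        },
        r"HKLM\Software\Microsoft\Windows\CurrentVersion": dict(TAMPERED_VALUES),
    }
    return files, registry


def clean_snapshot():
    """Constructed sample of an uninfected host for comparison."""
    files = {
        r"C:\autoexec.bat": "@Echo off\r\nSET PATH=C:\\WINDOWS\r\n",
        r"C:\Program Files\mIRC\script.ini": "[script]\r\nn0=; my own aliases\r\n",
    }
    registry = {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion": {
            "RegisteredOwner": "Example User",
            "ProductName": "Microsoft Windows 98",
        },
    }
    return files, registry


if __name__ == "__main__":
    for line in check_snapshot(*infected_snapshot()):
        print(line)
```

The check deliberately matches the exact strings and paths given in the description rather than anything broader, so on a live host the two dictionaries would be filled by walking the locations named above and reading the RunServices and CurrentVersion values; the script.ini header check requires all three quoted comment lines, since a user's own script.ini will not normally carry them.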