Virus Profile: VBS/Fool

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/27/1999
Date Added: 1/1/2000
Origin: mIRC Channels
Length: N/A
Type: Virus
Subtype: VbScript
DAT Required: 4060

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the VBS file on the local machine in the locations listed under Virus Characteristics; unwarranted changes to SCRIPT.INI or MIRC.INI; the registry modifications and file creations described there.

Methods of Infection

Running the VBS/Fool code installs it directly on systems that support Windows Script Host, such as systems with IE5 installed. It also spreads via mIRC, as described under Virus Characteristics.

Aliases

Fool, Millennium 0.4b, MyPicture.bmp.vbs, VBS.Illen, VBS/Fool.ini, VBS/Mill, VBS/mIRC

Virus Characteristics

This is a VBScript file coded to also distribute itself via mIRC installations. Via mIRC, it arrives as a file called MyPicture.bmp.vbs. It contains the text:

' Millennium 0.4b vBS/mIRC =]'

which is not displayed. If this VBS file is run, this worm copies itself to these locations:

"c:\windows\system\MyPicture.bmp.vbs"
"c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs"
"c:\My Documents\MyPicture.bmp.vbs"
"c:\MyPicture.bmp.vbs"

Also it will overwrite all VBS files in the following locations:

"C:\"
"c:\My Documents"
"c:\Windows"
"c:\windows\samples\wsh"

This worm creates the configuration file named script.ini for mIRC to send itself to others!

This worm will also modify the system registry in order to load at Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
"WinLoad" = "c:\windows\system\MyPicture.bmp.vbs"

This worm creates a file called "c:\Millennium.NFO" which contains this text:

"Millennium 0.4b - mIRC/vBS"
"Fear the Millennium"

Next, this worm will create a debug script in the file "short.src" and a file called "fix.txt" with the text "Fix.hex". It creates the files "LCODER.HEX" and "FIX.HEX", which contain the files "LCODER.EXE" and "FIX.EXE" respectively, encoded using a binary-to-ASCII method. Then it creates the file "fix.bat", which it then runs.

Fix.bat runs the debug script "short.src" in the program "debug.exe" which is a standard part of DOS. That creates a file called short.com. The program short.com is then run, which decodes lcoder.hex into lcoder.exe. lcoder.exe is an innocent program for encoding and decoding files from binary to ASCII to transport across systems. Then lcoder.exe is run to create fix.exe from fix.hex. Fix.txt is used to supply lcoder.exe with the name of the file to be decoded.

Fix.exe contains a variant of the BackDoor-AB (alias "The tHing") remote access trojan! Then it runs fix.exe, which installs BackDoor-AB onto the system. BackDoor-AB is a very small trojan which is able to:

-Notify a user via ICQ when it is installed
-Inform the intruder of the name of the victim's Windows directory
-Upload a file
-Spawn (run) a file on the victim's computer
-Reboot the victim's computer

Its feature set seems to have been designed to allow an intruder to secretly install a larger backdoor. Then fix.bat deletes short.com, short.src, lcoder.exe, lcoder.hex, fix.hex, fix.txt, and fix.bat.

The script.ini file will spread the worm to other people as they join the channel, and sends a message to the channel #xmasday as they connect to IRC containing the IRC server, IP address, Operating system, Time, Date, and the time since the last reboot. The mIRC script contains the text:

";mIRC Protection Script DO NOT EDIT!"
";By Khaled Mardem-Bey"
"; www.mirc.com"

which is not displayed. If the infected person changes their Nickname on IRC, it sends a message to the channel "#xmasday" saying "OldNick was [Nickname of IRC user]". If the infected person receives a notice with the text "millennium", it sends a message to the channel "#xmasday" saying "[Current time] [Nickname of user] Killed me, closing mIRC... *I Am Gone*" and exits mIRC. If the infected person quits IRC, it sends a message to the channel "#xmasday" saying "[Nickname of user] stating [the optional reason they gave for quitting IRC]".

If the day is December 31st, it executes the following payloads: It displays the Message Box:

"The End"
"Happy New Year!"

Then it changes the Name, Company, and Product Name the computer is registered to by changing the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner" to "Millennium 0.4b", "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization" to "uNF", and "HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName" to "Winblows 2000". Then it overwrites the "c:\autoexec.bat" file to contain the instructions:

"@Echo off"
"Echo Your Computer is NOT Y2K Complient!"
"Echo Sorry For this Inconvenience"
"pause"
"echo Millennium 0.4b"
"pause"
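As an added defender's example (not part of the original profile), the script below checks a host snapshot for the indicators this profile lists under Indication of Infection and Virus Characteristics: the drop locations, the RunServices "WinLoad" value, the worm's script.ini header together with the #xmasday beacon channel, and the comment marker in the VBS body. The snapshot format (plain lists and dicts) and the sample data are constructed for illustration.

```python
"""Check a host snapshot for the VBS/Fool indicators listed in this profile (added example)."""

# Drop locations and the NFO file taken from the profile's Virus Characteristics
DROPPED_FILES = [
    r"c:\windows\system\MyPicture.bmp.vbs",
    r"c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs",
    r"c:\My Documents\MyPicture.bmp.vbs",
    r"c:\MyPicture.bmp.vbs",
    r"c:\Millennium.NFO",
]
# Persistence: RunServices value "WinLoad" pointing at the worm's copy
RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUNSERVICES_VALUE = "WinLoad"
# Markers: the comment in the VBS body, and the header plus beacon channel in script.ini
VBS_MARKER = "Millennium 0.4b vBS/mIRC"
MIRC_MARKERS = ("mIRC Protection Script DO NOT EDIT!", "#xmasday")


def check_dropped_files(present_paths):
    """Return the known drop locations that exist; FAT paths are case-insensitive."""
    present = {p.lower() for p in present_paths}
    return [p for p in DROPPED_FILES if p.lower() in present]


def check_runservices(values):
    """values maps RunServices value names to data; flag WinLoad -> MyPicture.bmp.vbs."""
    return values.get(RUNSERVICES_VALUE, "").lower().endswith(r"\mypicture.bmp.vbs")


def check_script_ini(text):
    """A genuine mIRC script.ini carries neither the fake 'protection' header
    nor a reference to the #xmasday channel; require both to cut false positives."""
    lowered = text.lower()
    return all(m.lower() in lowered for m in MIRC_MARKERS)


def assess(present_paths, runservices, script_ini_text, vbs_text=""):
    """Aggregate the indicators; an empty list means none of them was found."""
    findings = [f"dropped file present: {p}" for p in check_dropped_files(present_paths)]
    if check_runservices(runservices):
        findings.append(f"persistence: {RUNSERVICES_KEY}\\{RUNSERVICES_VALUE}")
    if check_script_ini(script_ini_text):
        findings.append("script.ini carries the VBS/Fool header and #xmasday beacon")
    if VBS_MARKER.lower() in vbs_text.lower():
        findings.append("VBS body contains the Millennium 0.4b marker")
    return findings


# Constructed snapshot of an infected host (sample data, not captured from a real system)
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MyPicture.bmp.vbs", r"C:\autoexec.bat", r"C:\Millennium.NFO"]
SAMPLE_RUNSERVICES = {"WinLoad": r"c:\windows\system\MyPicture.bmp.vbs"}
SAMPLE_SCRIPT_INI = ";mIRC Protection Script DO NOT EDIT!\n;By Khaled Mardem-Bey\n; www.mirc.com\n; (constructed) ... msg #xmasday ...\n"
```

On a live host the three snapshot inputs would be filled from a directory walk, the RunServices key, and the mIRC install's script.ini; the checks themselves do not change.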

Removal Instructions

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.