Virus Profile: VBS/IISDel.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/6/2004
Date Added: 10/6/2004
Origin: Unknown
Length: 2,034
Type: Virus
Subtype: Worm
DAT Required: 4397

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Unexpected deletion of the files under "C:\Inetpub\wwwroot"
  • The default web page is replaced with the following message:

             "this microsoft iis server is infected with klez virus"

Methods of Infection

This worm spreads via floppy disks.

Virus Characteristics

This VBS script virus spreads via floppy diskette and deletes files in the IIS web directory.

When run, this virus copies itself to "a:\freexxx" and "C:\windows\sys16\klvb.vbs". Next, it drops a file named ms-iispatch.bat in the directory "C:\Inetpub\wwwroot".

This batch file deletes all files with the extensions *.html, *.htm, *.asp, and *.php under the "C:\Inetpub\wwwroot" directory. Then it replaces index.html with a page containing the message:

 "this microsoft iis server is infected with klez virus"

The batch file then shuts down Windows.

This virus also modifies the registry as follows:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "klezupdatecenter" = c:\windows\update.vbs
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "klvb" = c:\windows\sys16\klvb.vbs
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ms-iispatch" = c:\inetpub\wwwroot\ms-iispatch.bat
• HKLM\SOFTWARE\vir2k "Klez" = Vbs_Version
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "Download Directory" = c:\windows

On the 10th of every month, it attempts to download the file "update.vbs" from "www.supercat45564456756664.gq.nu" and save it as "c:\windows\update.vbs".
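The persistence entries and dropped files listed above make a compact hunt list. The following Python script is an added example (not McAfee's code): it parses the text output of `reg query` for the Run key and a list of file paths, and reports any indicator from this profile that is present. The `reg query` output embedded at the bottom is a constructed sample, not captured from a real host.

```python
r"""Hunt for the VBS/IISDel.worm autorun entries and dropped files.
Added example, not McAfee's code: it checks the text output of
`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and a
list of file paths against the indicators named in this profile."""
import re

# Run values the profile says the worm creates (value name -> data).
RUN_VALUES = {
    "klezupdatecenter": r"c:\windows\update.vbs",
    "klvb": r"c:\windows\sys16\klvb.vbs",
    "ms-iispatch": r"c:\inetpub\wwwroot\ms-iispatch.bat",
}
# Files the profile says are dropped or downloaded.
DROPPED_FILES = {r"a:\freexxx", r"c:\windows\sys16\klvb.vbs",
                 r"c:\inetpub\wwwroot\ms-iispatch.bat", r"c:\windows\update.vbs"}

def parse_run_key(reg_query_output: str) -> dict[str, str]:
    """Return {value_name: data}, lower-cased, from `reg query` text output.
    Value lines look like '    name    REG_SZ    data' (columns separated by
    runs of spaces); the key-path line has no REG_ type column and is skipped."""
    values = {}
    for line in reg_query_output.splitlines():
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0].lower()] = parts[2].lower()
    return values

def find_indicators(reg_query_output: str, present_files: list[str]) -> list[str]:
    """List every profile indicator found in the Run key or among the files."""
    hits = []
    run = parse_run_key(reg_query_output)
    for name, data in RUN_VALUES.items():
        if name in run:  # match on value name; note if the data was changed
            note = "" if run[name] == data else f" (data differs: {run[name]})"
            hits.append(f"Run value {name!r}{note}")
    for path in present_files:
        if path.lower() in DROPPED_FILES:
            hits.append(f"file {path}")
    return hits

# Constructed sample of `reg query` output: one benign entry, two worm entries.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    klvb    REG_SZ    c:\windows\sys16\klvb.vbs
    ms-iispatch    REG_SZ    C:\Inetpub\wwwroot\ms-iispatch.bat
"""
```

On a live host, feed `find_indicators` the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the result of checking each path in `DROPPED_FILES` with `os.path.exists`.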


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following steps also need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue the 'fixmbr' command to restore the Master Boot Record.
• Follow the onscreen instructions.
• Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow the onscreen instructions.
• Reset and remove the CD from the CD-ROM drive.