Virus Profile: VBS/Fireburn@MM

Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/30/2000
Date Added: 5/30/2000
Origin: Germany
Length: 5,132
Type: Virus
Subtype: VbScript
DAT Required: 4081

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of any of the file names listed in this profile (which are also distributed by email), existence of the file RUNDLL32.VBS in the Windows folder, and email propagation as described in this profile.

Methods of Infection

If the user runs the attachment, the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run, it drops a copy of itself in the file "C:\WINDOWS\RUNDLL32.VBS".

It also adds this registry key in order to run the worm at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSrundll32=rundll32.vbs

The worm changes the name of the registered owner of the system to "FireburN" by changing this registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\
RegisteredOwner=FireburN

The worm also creates a copy of itself in the WINDOWS folder using one of the following file names, picked at random (one file name contains an expletive, which has been censored):

Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__BigTits!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-f***ed!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs

If the mIRC client is installed on the user's system, the worm overwrites the file SCRIPT.INI in order to propagate via mIRC sessions. The script also creates another copy of the worm in the WINDOWS\SYSTEM folder, under a random name as above.

The worm's payload contains a check for the date of 20th June. On this day the worm displays a message box with the title "FireburN", containing the message:

"I'm proud to say that you are infected by FireburN !"

It also disables the mouse and keyboard by adding the following 2 registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shut_Up=rundll32 mouse,disable

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shut_Up2=rundll32 keyboard,disable
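
The host indicators described in this section can be checked together. The following is an added example, not part of the original profile or the vendor's tooling: it evaluates a host snapshot (Run key values, registered owner, file listing) against the values named above. The function name and the snapshot format are assumptions, the sample snapshots are constructed, and the file-name check generalizes from the eight listed names to any image extension followed by .vbs.

```python
import re

# Run values named in the profile (value name -> data), compared case-insensitively.
RUN_INDICATORS = {
    "msrundll32": "rundll32.vbs",
    "shut_up": "rundll32 mouse,disable",
    "shut_up2": "rundll32 keyboard,disable",
}
# Generalization: any image-looking name with a trailing .vbs, not only the listed ones.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif)\.vbs$", re.IGNORECASE)


def fireburn_indicators(run_values, registered_owner, files):
    """Return a list of findings for one host snapshot (hypothetical format).

    run_values: dict of value name -> data read from the HKLM Run key
    registered_owner: the RegisteredOwner string
    files: paths found in the WINDOWS and WINDOWS/SYSTEM folders
    """
    findings = []
    for name, data in run_values.items():
        expected = RUN_INDICATORS.get(name.lower())
        if expected and data.strip().lower() == expected:
            findings.append(f"run-key: {name}={data}")
    if registered_owner.strip().lower() == "fireburn":
        findings.append("registered-owner: FireburN")
    for path in files:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]  # file name only
        if base.lower() == "rundll32.vbs":
            findings.append(f"dropped-copy: {path}")
        elif DOUBLE_EXT.search(base):
            findings.append(f"double-extension: {path}")
    return findings


# Constructed snapshots for illustration (not taken from a real host).
INFECTED = dict(
    run_values={"MSrundll32": "rundll32.vbs", "Shut_Up": "rundll32 mouse,disable",
                "SystemTray": "SysTray.Exe"},
    registered_owner="FireburN",
    files=[r"C:\WINDOWS\RUNDLL32.VBS", r"C:\WINDOWS\RUNDLL32.EXE",
           r"C:\WINDOWS\SYSTEM\Julie17__xxx.GIF.vbs", r"C:\WINDOWS\holiday.jpg"],
)
CLEAN = dict(run_values={"SystemTray": "SysTray.Exe"}, registered_owner="Alice",
             files=[r"C:\WINDOWS\RUNDLL32.EXE", r"C:\WINDOWS\notes.vbs"])

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, fireburn_indicators(**snap))
```

A legitimate RUNDLL32.EXE and an ordinary single-extension .vbs file produce no finding; only the exact Run values, the owner string and the double-extension pattern do.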

Aliases

VBS/Fireburn.a
   

Virus Characteristics

This is a VBS mass-mailing worm that uses Microsoft Outlook and mIRC to propagate. This worm is a VBS program that is sent to all users in the victim's address book and is attached to an email with varying subject lines, depending on the language version of the host system which sent the message. This worm contains a date-activated payload which disables the keyboard and mouse on June 20th.

The worm contains a check for a folder "C:\Programme". If this folder is found, then the worm uses the German language for the email's subject and message.

In English, the email message will have this characteristic:

Message="Hi, how are you?"
Body=
Hi, look at that nice Pic attached !
Watching it is a must ;)
cu later...

In German, the email message will have this characteristic:

Subject="Moin, alles klar?"
Body=
Hi, wie geht's dir?
Guck dir mal das Photo im Anhang an, ist echt geil ;)
bye, bis dann..

The message will contain an attachment with one of the following randomly picked file names (one file name contains an expletive, which has been censored):

Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__BigTits!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-f***ed!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs

This VBS worm contains the following comments which are never displayed:
'greets: to all members of 'UnCreativeLabs'

   
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.