This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
Presence of "WINDOWS\reload.vbs" and "WINDOWS\SYSTEM\LINUX32.vbs"
Presence of the registry values:
LINUX32 = WINDOWS\SYSTEM\LINUX32.vbs
reload = WINDOWS\reload.vbs
Seeing this message displayed on September 7:
"Dedicated to my best brother Christiam Julian(C.J.G.S.)"
"Att. [random 5 letters] (M.H.M. TEAM)"
Altered Startup and Shutdown screens displayed
Methods of Infection
If this Internet worm is run either intentionally or accidentally, it will install to the local system and also perform actions against files.
This worm copies itself to the local system in the following locations:
In the above, the random name can carry one of the following double extensions:
".GIF.vbs", ".BMP.vbs", ".JPG.vbs"
The filename itself is generated by alternating a random pick from the full alphabet with a random pick from the vowel set A, E, I, O, U. For instance, a possible filename could be
Next, this worm modifies the registry so that it is loaded at Windows startup from these locations:
LINUX32 = WINDOWS\SYSTEM\LINUX32.vbs
reload = WINDOWS\reload.vbs
After modifying the registry, it checks for the existence of the file "WINFAT32.EXE". If this file is found, it modifies Internet Explorer settings to download three files from a web page. The three files are two .BMP files and one .TXT; their names suggest .ZIP archives, but they are not.
The three files copied to the local system are:
These are then copied from the Temporary Internet Files folder to the WINDOWS folder as:
The logo files are bitmap replacements for Windows startup and shutdown screens. The .txt is displayed at Windows startup due to a registry modification made by this worm:
plan colombia = WINDOWS\important_note.txt
After this, the worm writes a file as
in the WINDOWS\SYSTEM folder. This .HTM file contains the worm code.
Next, the worm runs an email routine to distribute itself via MAPI email to all users in the address book. The recipient list is not hidden; the addresses are visible in the "To" field.
The email is variable and can take one of four possible formats: the Subject line is either the static text below or 6 random letters, and the body is either the static text below or 10 random letters:
"US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (HTTP://WWW.2600.COM)<= "
"VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
Attachment = [RANDOM FILE NAME]
The random name is predetermined in an earlier process mentioned above.
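The random name used for the dropped copy and for the attachment, as an added example that is not code from the original page: a generator that follows the letter/vowel alternation and the three double extensions described in the installation step, plus a matcher for hunting such names in mail logs or directory listings. The length of the name is not stated on the page and is a parameter here (an assumption); the sample names in the usage are constructed.

```python
import random
import re
import string

# Character sets the page describes: even positions draw from any letter,
# odd positions from the vowels, so the name alternates letter/vowel.
LETTERS = string.ascii_uppercase
VOWELS = "AEIOU"
# The three double extensions the page lists for the dropped copy.
WORM_EXTENSIONS = (".GIF.vbs", ".BMP.vbs", ".JPG.vbs")


def generate_worm_name(length, seed=None):
    """Build a name the way the page describes. The name length is not stated
    on the page, so it is a parameter here (assumption)."""
    rng = random.Random(seed)
    chars = [rng.choice(LETTERS if i % 2 == 0 else VOWELS) for i in range(length)]
    return "".join(chars) + rng.choice(WORM_EXTENSIONS)


# Hunting side: the stem must start with a letter and alternate letter/vowel,
# and the name must end in one of the three double extensions. Case-insensitive
# because FAT/VFAT names are case-preserving but not case-sensitive.
_WORM_NAME_RE = re.compile(
    r"^[A-Z](?:[AEIOU][A-Z])*[AEIOU]?\.(?:GIF|BMP|JPG)\.VBS$", re.IGNORECASE
)


def looks_like_worm_name(filename):
    """True if the last path component matches the generator's structure."""
    base = re.split(r"[\\/]", filename)[-1]
    return _WORM_NAME_RE.match(base) is not None


def filter_suspicious(names):
    """Pick the matching names out of a list, e.g. attachment names from a mail log."""
    return [n for n in names if looks_like_worm_name(n)]


if __name__ == "__main__":
    for seed in range(3):
        name = generate_worm_name(7, seed)
        print(name, looks_like_worm_name(name))
    # constructed attachment list
    print(filter_suspicious(["report.doc", "KAMEL.JPG.vbs", "KBMEL.JPG.vbs"]))
```

The structural test narrows the match to names this generator can produce; a broader hunt should also flag any name ending in ".GIF.vbs", ".BMP.vbs" or ".JPG.vbs", since the same double extensions appear on the files the worm replaces later.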
After the email routine, this worm performs another action against files on the local system and on mapped drives. If this worm finds files of type ".VBS" or ".VBE", it overwrites them with its own code.
If this worm finds files of type ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg" or ".jpeg", it first copies itself under the original filename with ".VBS" appended (a "photo.jpg" becomes "photo.jpg.VBS") and then deletes the original file.
If this worm finds files of type ".MP2" or ".MP3", it will set their attributes to hidden.
Finally, if the current day is September 7, this worm will display a message: "Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. [random 5 letters] (M.H.M. TEAM)"
After this message is displayed and cleared, it will attempt to disconnect drives Z: through E: in reverse order.
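The indicators above (the dropped files and registry values from the installation step, the "<name>.<ext>.VBS" replacements, overwritten scripts, and the hidden media files), as an added triage example that is not code from the original page. It walks a drive root (a live system or a mounted image) and parses a `regedit` export; the file tree, registry export and script contents in the demo are constructed sample data, not real worm code. Two assumptions are labelled in the code: the registry key under which the values sit is not given on the page, and the content marker relies on the script carrying its September 7 message in clear text.

```python
import os
import re
import tempfile

# Indicators taken from the page. Paths are relative to the Windows directory
# and written with forward slashes so the scanner is portable.
DROPPED_FILES = ("reload.vbs", "SYSTEM/LINUX32.vbs", "important_note.txt")
# Value names the page says the worm writes to load itself and show the note at startup.
REGISTRY_VALUE_NAMES = {"linux32", "reload", "plan colombia"}
# Files of these types are re-created as "<name>.<ext>.vbs" and the original deleted.
REPLACED_EXTS = (".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg")
# Files of these types get the hidden attribute set.
MEDIA_EXTS = (".mp2", ".mp3")
FILE_ATTRIBUTE_HIDDEN = 0x2          # Win32 attribute bit; os.stat exposes it only on Windows
# The worm shows this string on September 7, so a plain-text copy of the script
# carries it. Assumption: the script is not encoded (the page does not say it is).
CONTENT_MARKER = b"M.H.M. TEAM"
SCRIPT_EXTS = (".vbs", ".vbe", ".htm")


def scan_reg_export(reg_text):
    """Report the worm's value names found in a 'regedit /e' export."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"=', line.strip())
        if m and m.group(1).lower() in REGISTRY_VALUE_NAMES:
            hits.append(("registry_value", m.group(1)))
    return hits


def scan_tree(root):
    """Walk a drive root and list (kind, path) findings; paths use forward slashes."""
    findings = []
    windir = os.path.join(root, "WINDOWS")
    for rel in DROPPED_FILES:
        if os.path.isfile(os.path.join(windir, *rel.split("/"))):
            findings.append(("dropped_file", rel))
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            # "<name>.jpg.vbs" etc.: a replaced file, whether or not the original is gone yet
            if low.endswith(".vbs") and low[:-4].endswith(REPLACED_EXTS):
                findings.append(("replaced_file", rel))
            # overwritten .vbs/.vbe and the dropped .htm are only identifiable by content
            if low.endswith(SCRIPT_EXTS):
                with open(path, "rb") as fh:
                    if CONTENT_MARKER in fh.read():
                        findings.append(("worm_code", rel))
            if low.endswith(MEDIA_EXTS):
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
                if attrs & FILE_ATTRIBUTE_HIDDEN:
                    findings.append(("hidden_media", rel))
    return findings


# Constructed sample registry export. The page names only the values; the key
# they sit under is assumed here for the sake of the sample.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LINUX32"="C:\\WINDOWS\\SYSTEM\\LINUX32.vbs"
"reload"="C:\\WINDOWS\\reload.vbs"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"plan colombia"="C:\\WINDOWS\\important_note.txt"
'''

# Constructed file set mimicking the page's description; not real worm code.
_FAKE_SCRIPT = b"' constructed stand-in for the worm body\n' Att. " + CONTENT_MARKER + b"\n"
SAMPLE_FILES = {
    "WINDOWS/reload.vbs": _FAKE_SCRIPT,
    "WINDOWS/SYSTEM/LINUX32.vbs": _FAKE_SCRIPT,
    "WINDOWS/important_note.txt": b"constructed note text\n",
    "PHOTOS/holiday.jpg.vbs": _FAKE_SCRIPT,      # original holiday.jpg already deleted
    "PHOTOS/ok.jpg": b"\xff\xd8\xff",            # untouched image
    "SCRIPTS/login.vbs": _FAKE_SCRIPT,           # legitimate script overwritten in place
    "SCRIPTS/clean.vbs": b"MsgBox \"hello\"\n",  # untouched script
    "MUSIC/track.mp3": b"ID3",                   # hidden bit not set here (not portable)
}


def build_sample_tree(root):
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return (file findings, registry hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    return findings, scan_reg_export(SAMPLE_REG_EXPORT)


if __name__ == "__main__":
    file_findings, reg_hits = run_demo()
    for kind, what in file_findings + reg_hits:
        print(f"{kind:15} {what}")
```

Overwritten ".VBS"/".VBE" files keep their original names, so only the content check catches them; the hidden-attribute check is reported only on Windows, where `os.stat` exposes `st_file_attributes`.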
Aliases
VBS/Columbia, VBS/Plan, VBS_Colombia, VBS_Columbia