Virus Profile: VBS/Baracu.A@mm

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/27/2001
Date Added: 3/5/2001
Origin: Europe
Length: 5,944 bytes
Type: Virus
Subtype: VbScript
DAT Required: 4126
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

This script will copy itself to the local system:

windir\MSNetLog.vbs
windir\Command\Energy.vbs

This script will write another script as (windir\SearchMSN.vbs) to search a hard coded path for (C:\Windows\MSNetLog.vbs) and if not exist then it recreates from the "backup copy" from (windir\Command\Energy.vbs).

Methods of Infection

This virus uses 6 possible subject/body combinations when sending itself via Outlook. Possible selections are the following:

subject = Surprise
body = A nice surprise for you, check it out...

subject = Great...
body = Great app, check it out..

subject = Important, Please Read
body = A paper I downloaded from Symantec about new virus, you should read

subject = Happy Birthday
body = A happy birthday surprise

subject = Take a look...
body = Take a look and the app that chenge to a pic

subject = Great Joke.. Read it
body = Read this joke, it is so great... ha ha

This script will copy itself to the local system:

windir\MSNetLog.vbs
windir\Command\Energy.vbs

This script will write another script as (windir\SearchMSN.vbs) to search a hard coded path for (C:\Windows\MSNetLog.vbs) and if not exist then it recreates from the "backup copy" from (windir\Command\Energy.vbs).

The registry is modifed:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SearchMSN=windir\SearchMSN.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSNetLog=windir\MSNetLog.vbs

HKCU\Microsoft\Internet Explorer\Main\
Start Page=http://vx.dirtyhosting.com

If either (C:\Mirc\Mirc.ini) or (C:\Mirc32\mirc.ini) exists, then the MIRC.INI file is replaced to distribute the file (windir\Command\Energy.vbs).

The email routine runs after the above take place, sending to all recipients in all lists.

The file types (.sys, .dll, .ocx) are replaced with copies of the script. The file REGEDIT.EXE is deleted from the (windir) directory.

Lastly, if the day of the month is equal to (2, 10, 20, 28) then the script will attempt to initiate instances of Notepad.exe in a continuous loop.

Aliases

VBS.JongBoy@mm (NAV)
   

Virus Characteristics

This is a VBScript virus which attempts to distribute itself through mIRC and Outlook. McAfee AVERT has not received samples of this from the field. This threat also contains file replacement instructions for several extension and file types.

At the top of the code, the following comment lines exist:

' ************** ' VBS.Baracuda ' By Dr.T/BCVG 'VBS.Baracuda, Dr.T/BCVG...finished at 24/02/01

This script contains a simple method to randomize choosing one of 6 different subject/body combinations.

   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.