This threat is detected as W32/Trilisa.vbs. The virus copies itself as ORD.doc.vbs, ORD_photo.jpg.vbs and JERRY.vbs to the Windows Font directory. It then edits the following registry keys:
<WINDOWS font directory>\JERRY.vbs"
The virus checks whether the value of HKEY_CURRENT_USER\Control Panel\International\iCountry equals 34. If it does not, the virus creates the key "HKEY_LOCAL_MACHINE\Software\Singapore","0". If the value does equal 34, the virus creates the key "HKEY_LOCAL_MACHINE\Software\Singapore","1".
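The indicators in this description (the three file names in the Fonts directory and the Singapore marker) can be checked with a read-only script. This is an added example, not part of the original description. The function name `Get-TrilisaIndicator`, the default Fonts path and the two ways the marker might be stored are assumptions, and it goes slightly beyond the text by listing every `.vbs` file found in the Fonts directory.

```powershell
# Added example: read-only triage for the W32/Trilisa.vbs indicators in this description.
function Get-TrilisaIndicator {
    param(
        # Assumption: the Fonts directory is at its standard location under %WINDIR%.
        [string]$FontDir = (Join-Path $env:WINDIR 'Fonts')
    )
    $findings = @()

    # Copies the description says are placed in the Fonts directory.
    $known = 'ORD.doc.vbs', 'ORD_photo.jpg.vbs', 'JERRY.vbs'
    # Generalization: report every .vbs there, since scripts do not belong among fonts.
    $scripts = Get-ChildItem -LiteralPath $FontDir -Filter '*.vbs' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    foreach ($f in $scripts) {
        $detail = if ($known -contains $f.Name) { 'name listed in the description' } else { 'unexpected script in Fonts directory' }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f.FullName; Detail = $detail }
    }

    # Marker "HKEY_LOCAL_MACHINE\Software\Singapore". Assumption: it is stored either as a
    # value named Singapore under HKLM\Software or as the default value of a key of that name.
    $marker = (Get-ItemProperty -Path 'HKLM:\Software' -Name 'Singapore' -ErrorAction SilentlyContinue).Singapore
    if ($null -eq $marker -and (Test-Path -Path 'HKLM:\Software\Singapore')) {
        $marker = (Get-ItemProperty -Path 'HKLM:\Software\Singapore' -ErrorAction SilentlyContinue).'(default)'
        if ($null -eq $marker) { $marker = '<key present, no default value>' }
    }
    if ($null -ne $marker) {
        # Per the description, the payload routine proceeds unless the marker equals 1.
        $detail = if ("$marker" -eq '1') {
            'marker is 1; payload routine skipped'
        } else {
            "marker is $($marker); payload routine not skipped, check drives for deleted files"
        }
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = 'HKLM\Software\Singapore'; Detail = $detail }
    }
    return $findings
}

$result = @(Get-TrilisaIndicator)
if ($result.Count -gt 0) {
    $result | Format-Table -AutoSize -Wrap
} else {
    'No W32/Trilisa.vbs indicators found.'
}
```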
If the registry key "HKEY_LOCAL_MACHINE\Software\Singapore" does not equal 1, the virus then proceeds with the damaging payload routine. The following files are deleted from fixed, network, and RAM Disk drives:
If the day is the 12th of June, the following message is displayed: