This threat is detected as VBS/Amalad and is detected with the 4114 DATs (or greater) as New Script with heuristics turned on. When the VBScript file is executed, the virus will copy itself as OsamaLaden.vbs in the Windows directory, Windows SYSTEM directory and Windows TEMP directory.
The virus will also edit the following registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner, "OsamaBinLaden"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OsamaBinLaden, "wscript.exe c:\Windows\System\OsamaLaden.vbs %
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OsamaLaden, "C:\OsamaLaden.bat
It has been observed by other anti-virus vendors to mass mail with the subject line "Osama Bin Laden Comes Back!" and to drop the executable and batch files - osama.exe, laden.exe, alta.exe, Laden.bat and OsamaLaden.bat. Due to errors in the virus code, these files will not be created nor will mass mailing occur.