VBS/SSIWG2.A@mm

Aliases: I-Worm.Matra, VBS.Matsudaira, VBS/Daira.A@mm, VBS/SSIWG2.A@mm, VBS/Vim.A@mm
Release Date: May 12, 2006

Detection Availability (Active Database / Extended Database)
  FortiGate: low / high
  FortiClient:
  FortiMail: N/A
Current Antivirus Definition Database Version: 11.579
Description

Visible Symptoms

  • Existence of these files on the local system -

    win32dll.src
    comdlg16.src
    VIM.txt.vbs
    C:\matsudaira_V
    C:\matsudaira_M

  • Email messages arrive from infected users in this format -

    Subject: Very Important Message
    Body:
    Here is that document you were waiting for.
    Attachment: "VIM.txt.vbs"

  • Windows 9x systems may appear to hang at boot time; this is caused by several console display statements the virus appends to the C:\AUTOEXEC.BAT startup file

Detailed Analysis

  • The virus is written in VBScript and is 15,808 bytes in size

  • The script contains two components - a Word2000 macro infection method and a VBScript infection method

    • The Word2000 infection code is commented and is the first 163 lines of the VBScript file

    • The VBScript infection code writes the macro code to a source file, initiates an instance of Word2000 and then imports the source code to the global template causing the environment to become infected

  • The virus modifies the registry so that files with the extension .SRC are treated by the operating system as VBScript files and are therefore directly executable

  • The macro infection code writes the VBScript code to a file in the documents folder as "win32dll.src", then modifies the registry to run this file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    InfDoc = (document path)\win32dll.src

  • The VBScript infection code writes an additional file to the Windows\System folder as "w32backup.dll.vbs", then modifies the registry to run this file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    w32 Backup = Windows\System\w32backup.dll.vbs

  • The macro virus hooks Word's event handler for opening documents so that its code runs whenever an infected document is opened

  • The virus writes a file "comdlg16.src", a simple means of lowering the macro security setting in Word2000 so that the environment can be infected

  • The virus sends an email to all contacts in the Outlook address book in this format -

    Subject: Very Important Message
    Body:
    Here is that document you were waiting for.
    Attachment: "VIM.txt.vbs"

  • The virus creates a registry entry -

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Office\9.0\Word\General Check\
    Boot = 1

    and sets the value to one, then increments it by one every time the macro code runs. Once the value exceeds 18, the virus appends instructions to C:\AUTOEXEC.BAT that display the following message -

    (a full-screen ASCII-art banner drawn with box and block characters; its readable text is:)
    I-Worm/VBS/W2000M/Matsudaira
    (c) 2001 by Tokugawa Ieyasu
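The artefacts listed above (dropped files, infection markers, the two Run values, the .SRC association, the AUTOEXEC.BAT banner, the Word "Boot" counter and the mail template) can be turned into a simple host and mail indicator check. The following is an added Python example, not Fortinet's code; it works on snapshots constructed in memory so it runs offline, and the `HKCR\.src` handler check is an assumption about how the .SRC-to-VBScript mapping is made, since the description does not name that key.

```python
# Added example (not Fortinet's code): offline indicator check for the
# VBS/SSIWG2.A@mm / Matsudaira artefacts named in the description above.
# Snapshots are constructed here; a collector would fill them from the
# registry and filesystem of a real host.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ntpath

# Indicators taken from the description (compared case-insensitively).
DROPPED_FILES = {"win32dll.src", "comdlg16.src", "vim.txt.vbs", "w32backup.dll.vbs"}
MARKER_FILES = {r"c:\matsudaira_v", r"c:\matsudaira_m"}
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run value name -> file it launches
RUN_VALUES = {"infdoc": "win32dll.src", "w32 backup": "w32backup.dll.vbs"}
MAIL_SUBJECT = "very important message"
MAIL_ATTACHMENT = "vim.txt.vbs"
BANNER_TEXT = "matsudaira"      # appears in the AUTOEXEC.BAT banner text
BOOT_THRESHOLD = 18             # HKLM\...\Office\9.0\Word\General Check\Boot


@dataclass
class HostSnapshot:
    """What a collector would gather from one machine (constructed for the example)."""
    files: List[str] = field(default_factory=list)            # full paths present on disk
    run_values: Dict[str, str] = field(default_factory=dict)  # Run value name -> data
    src_handler: str = ""          # (Default) of HKCR\.src, e.g. "VBSFile" (assumed key)
    autoexec_lines: List[str] = field(default_factory=list)
    boot_counter: Optional[int] = None


def check_host(snap: HostSnapshot) -> List[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []
    for path in snap.files:
        low = path.lower()
        if ntpath.basename(low) in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
        if low in MARKER_FILES:
            findings.append(f"infection marker present: {path}")
    for name, data in snap.run_values.items():
        launched = RUN_VALUES.get(name.lower())
        if launched and data.lower().endswith(launched):
            findings.append(f"startup persistence: Run\\{name} = {data}")
    if "vbs" in snap.src_handler.lower():
        findings.append(f".src files handled as VBScript ({snap.src_handler})")
    if any(BANNER_TEXT in line.lower() for line in snap.autoexec_lines):
        findings.append("AUTOEXEC.BAT contains the Matsudaira banner")
    if snap.boot_counter is not None and snap.boot_counter > BOOT_THRESHOLD:
        findings.append(f"Word 'Boot' counter {snap.boot_counter} is past the payload threshold")
    return findings


def check_mail(subject: str, attachment_names: List[str]) -> List[str]:
    """Flag a message whose subject or attachment matches the worm's mailing format."""
    findings = []
    if subject.strip().lower() == MAIL_SUBJECT:
        findings.append("subject matches worm template")
    if any(ntpath.basename(a).lower() == MAIL_ATTACHMENT for a in attachment_names):
        findings.append("attachment name matches worm dropper")
    return findings


if __name__ == "__main__":
    # Constructed snapshot of an infected Windows 9x host.
    infected = HostSnapshot(
        files=[r"C:\My Documents\win32dll.src", r"C:\matsudaira_V"],
        run_values={"InfDoc": r"C:\My Documents\win32dll.src"},
        src_handler="VBSFile",
        autoexec_lines=["@echo off", "echo I-Worm/VBS/W2000M/Matsudaira"],
        boot_counter=19,
    )
    for finding in check_host(infected):
        print(finding)
    print(check_mail("Very Important Message", ["VIM.txt.vbs"]))
```

The Run-value check matches on the file name the value launches rather than on the full path, because the description gives the document folder and Windows\System folder only by role, not by absolute path.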
Description Last Updated Date: Mar 13, 2007
Reference: ID - 15578