VBS.Breetnee.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases :
VBS.Breetnee.B@mm is also known as N/A.
Explanation :
The worm is a VBScript in an HTML page embedded in a CHM file.
When the "caifanes.chm" file is opened, it shows a message box with the
text:
and it opens the html page:
It copies itself to the "Windows" folder (C:\Windows or C:\Winnt) under the name "caifanes.chm". It sends an email to the first contact in the address book through Outlook.
The email has:
Subject:
"RE:Nuevo video de Caifanes"
Body:
"Caifanes regresa y te muestra su nuevo video musical
Regards,
< user's name >"
Attachment:
the virus - a vb-script in a html-page embedded in a chm-file.
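A mail-filter check for the traits listed above, as an added example that is not part of the original write-up. The indicator labels and the build_message helper are hypothetical, and treating "caifanes.chm" as the attachment name is an assumption based on the dropped file's name.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Traits taken from the write-up above; matching is case-insensitive.
SUBJECT = "re:nuevo video de caifanes"
BODY_MARKER = "caifanes regresa y te muestra su nuevo video musical"
DROPPED_NAME = "caifanes.chm"  # assumption: attachment keeps the dropped file's name


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so folded headers still match."""
    return " ".join(text.split()).lower()


def breetnee_indicators(raw: str) -> list:
    """Return the indicators one RFC 822 message matches, in order found."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if _norm(str(msg.get("Subject", ""))).replace("re: ", "re:") == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = _norm(part.get_filename() or "")
        if name.endswith(".chm"):
            hits.append("chm-attachment")
            if name == DROPPED_NAME:
                hits.append("dropped-name")
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            # The marker is ASCII, so a lossy UTF-8 decode is sufficient.
            if BODY_MARKER in _norm(data.decode("utf-8", "replace")):
                hits.append("body")
    return hits


def build_message(subject: str, body: str, attachment: str = "") -> str:
    """Build a constructed test message; attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed stub, not a real CHM",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    sample = build_message("RE:Nuevo video de Caifanes",
                           "Caifanes regresa y te muestra su nuevo video musical\n"
                           "Regards,\nA. User\n", "caifanes.chm")
    print(breetnee_indicators(sample))
```

A lone "chm-attachment" hit only shows that a compiled help file was attached; the subject and body matches are what tie a message to this description.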
In order to send the infected email just once, it creates the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm" with the value "1".
It also spreads through mIRC. To locate the mIRC folder, it first searches the hard disk (drives C:, D:, E:) for "mirc.ini"; second, it looks in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ChatFile\DefaultIcon
to find the location of the file "mirc.exe".
If it finds the mIRC folder, it creates a file there, "script.ini", which sends the chm-file through mIRC.
Last update 21 November 2011