Home / malware VBS.VBSWG.AQ@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
VBS.VBSWG.AQ@mm is also known as N/A.
Explanation :
The virus copies itself as "ShakiraPics.jpg.vbs"
in windows folder (C:windows or
C:winnt).
This worm spreads through Outlook, Mirc and also infects VBS and VBE files.
It writes in registry the key:
"HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunRegistry"
with the value
"wscript.exe C:WindowsShakiraPics.jpg.vbs
%" or
"wscript.exe C:WinntShakiraPics.jpg.vbs
%"
in order to launch a virus copy at the system restart.
It sends an email to every contact from the Outlook address book.
The format of an infected e-mail is:
From:
Attachment:
"ShakiraPics.jpg.vbs"
It also writes the value
"1" in the registry
key
"HKEY_LOCAL_MACHINEsoftwareShakiraPicsmailed"
in order to send infected emails only for the first time.
It spreads through mIRC. It searches the file "mirc.ini"
in the folder C:mirc or C:mirc32.
In case of success it creates (or overwrites) the file script.ini
in order to send itself through mIRC.
It writes the value "1"
in the key:
"HKEY_LOCAL_MACHINEsoftwareShakiraPicsmirqued"
in order to spread through mIRC only once. It
erases all the VBS and VBE
file from all the drives of the disk and puts a copy of itself instead.
While the script is running
it can't be deleted, because it continuously recreates the file with the virus
code.Last update 21 November 2011
