
Virus:VBS/Entice


First posted on 19 October 2010.
Source: SecurityHome

Aliases :

Virus:VBS/Entice is also known as VBS/Prune (AhnLab), VBS/Prune.A@mm (Authentium (Command)), VBS/FindPeach.B (CA), VBS.Generic.204 (Dr.Web), VBS/Prune.A (ESET), Email-Worm.BAT.Baatezu (Ikarus), Email-Worm.VBS.Prune (Kaspersky), VBS/Carnival.gen@MM (McAfee), VBS/Prune.A@mm (Norman), VBS/Prune-A (Sophos), BAT.BWG@mm (Symantec), VBS_PRUNE.A (Trend Micro), VBS.Ediboy.A (VirusBuster).

Explanation :

Virus:VBS/Entice is a detection for a virus that attempts to use Microsoft Outlook to send messages to the affected user's contacts, performs date-activated payloads, and displays messages.

Installation

Virus:VBS/Entice copies itself as the following:

    C:\Windows\UN_Interview.txt.vbs

The malware copies itself as the following so it runs for each user profile:

    C:\WINDOWS\All Users\Start Menu\Programs\StartUp\UN_Interview.txt.vbs

Virus:VBS/Entice appends itself to existing "C:\mirc\mirc.ini" script, detected as Worm:IRC/Prune.A.

It attempts to map a drive as T: to computers found within an IP range of 128.95.188.0 to 128.95.188.255; if successful, Virus:VBS/Entice attempts to copy itself as the following:

    T:\WINDOWS\All Users\Start Menu\Programs\StartUp\UN_Interview.TXT.vbs

Failing this, the malware attempts to copy itself as the following:

    T:\UN_Interview.TXT.vbs
    T:\auto.vbs

The malware also attempts to create or overwrite a batch script - C:\autoexec.bat - on the affected computer to run a copy of the malware at each computer start using the following instruction:

    Start c:\UN_Interview.TXT.vbs>null

Virus:VBS/Entice also creates the following file:

    %TEMP%\PEACH.jpg

Note: %TEMP% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Temp folder for Windows 2000 and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for XP, Vista, and 7 is C:\Users\<user name>\AppData\Local\Temp.

Spreads via…

Email

Virus:VBS/Entice attempts to use Microsoft Outlook to send an email message to every address in the address list as the following:

    Subject: "US Goverment Material - Iraq Crisis"
    Body: ""
    Attachment: (added from file "C:\WINDOWS\UN_Interview.txt.vbs")

Payload

Performs date activated payloads

The malware performs date activated payloads, depending on the day of the month:

  • If the day of the month is 1, the malware:

      • Copies itself as the following files:

        C:\UNZIPPED\DAMN_SOURCE.MPEG
        C:\WINDOWS\DESKTOP\F*CK_FESTIVAL.WMV
        C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX.WMV
        C:\WINDOWS\DESKTOP\COCK_DEEP-SEX.MPG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M2.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M5.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M7.MP3
        C:\WINDOWS\DESKTOP\www.SEX-MOVIES.MPEG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M.MP3
        C:\UNZIPPED\DAMN_SOURCE2.MPEG
        C:\WINDOWS\DESKTOP\F*CK_FESTIVAL2.WMV
        C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX2.WMV
        C:\WINDOWS\DESKTOP\COCK_DEEP-SEX2.MPG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M2.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M22.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M52.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M72.MP3
        C:\WINDOWS\DESKTOP\www.SEX-MOVIES2.MPEG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M233.MP3
        C:\UNZIPPED\DAMN_SOURCE33.MPEG
        C:\WINDOWS\DESKTOP\F*CK_FESTIVAL33.WMV
        C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX33.WMV
        C:\WINDOWS\DESKTOP\COCK_DEEP-SEX33.MPG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
        C:\WINDOWS\DESKTOP\www.SEX-MOVIES33.MPEG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
        C:\WINDOWS\DESKTOP\F*CK_FESTIVAL3553.WMV
        C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX3553.WMV
        C:\WINDOWS\DESKTOP\COCK_DEEP-SEX3553.MPG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
        C:\WINDOWS\DESKTOP\www.SEX-MOVIES3553.MPEG
        C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3

        Note: Some of the above file names have been censored.

      • Displays a message box titled "Coming from NoWhere?!.." with this content "XXX - I Love pr00n.. I want Sex - XXX "

      • Attempts to delete the %windir% folder

        Note: %windir% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Windows folder for Windows 2000 and NT is C:\Windows or C:\WinNT; and for XP, Vista, and 7 is C:\Windows.

  • If the day of the month is 2, it attempts to delete all files in the %windir% folder
  • If the day of the month is 3, it attempts to delete files found in C:\
  • If the day of the month is 4, it attempts to delete files found in %windir%\system\*.*
  • If the day of the month is 5, it attempts to delete files found in c:\*.*

Displays messages

Virus:VBS/Entice displays a message box titled "PATZAK worm ver 1.0" with the following content: "You have been infected by Patzak Worm v1.0 / All your data has been earased! - Keyboard: Disabled / Mouse: Disabled / Data: EARASED(LOL!) "

    Analysis by Patrick Nolan

    Last update 19 October 2010
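
The persistence artifacts listed under Installation (a script hidden behind a ".txt" decoy extension, a script in the All Users StartUp folder, and a "Start ... .vbs" line in C:\autoexec.bat) can be checked for in a file listing. The following triage sketch is an added example, not part of the original analysis; the function names, the decoy-extension list and the sample input are assumptions made for illustration.

```python
import ntpath
import re

# Script extensions Windows executes; the decoy list is this example's assumption.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".jpg", ".doc", ".pdf"}
# File names and Startup path taken from the description above, lower-cased.
KNOWN_NAMES = {"un_interview.txt.vbs", "auto.vbs"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# autoexec.bat line that launches a script file with `start`.
AUTOEXEC_RE = re.compile(r"^\s*start\s+\S+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)

def classify_path(path):
    """Return the reasons a Windows path matches the described install pattern."""
    reasons = []
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    if name in KNOWN_NAMES:
        reasons.append("known-name")
    if ext in SCRIPT_EXTS and ntpath.splitext(stem)[1] in DECOY_EXTS:
        reasons.append("double-extension")
    if ext in SCRIPT_EXTS and STARTUP_DIR in path.lower():
        reasons.append("startup-script")
    return reasons

def suspicious_autoexec_lines(text):
    """Return autoexec.bat lines that start a script file at boot."""
    return [ln.strip() for ln in text.splitlines() if AUTOEXEC_RE.match(ln)]

def triage(paths, autoexec_text=""):
    """Map each flagged path to its reasons and list flagged autoexec lines."""
    findings = {p: classify_path(p) for p in paths}
    findings = {p: r for p, r in findings.items() if r}
    return findings, suspicious_autoexec_lines(autoexec_text)

# Constructed sample input (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\UN_Interview.txt.vbs",
    r"C:\WINDOWS\All Users\Start Menu\Programs\StartUp\UN_Interview.txt.vbs",
    r"T:\auto.vbs",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Tools\backup.vbs",
]
SAMPLE_AUTOEXEC = "@echo off\nStart c:\\UN_Interview.TXT.vbs>null\nset PATH=C:\\DOS\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_AUTOEXEC))
```

A bare script such as C:\Tools\backup.vbs is not flagged on its own; only the decoy extension, the StartUp location or a name from the description raises a finding.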

     
