VBS.Stream.A
First posted on 21 November 2011.
Source: BitDefender
Aliases :
VBS.Stream.A is also known as N/A.
Explanation :
This is an Internet Worm, which spreads in WinNT/2000 systems.
The virus comes as a mail sent from the victim with the following format:
From:
Subject:New Generation of drivers.
Body:
Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes, Microsoft.
Attachment: driver.doc (many spaces) .vbs
A picture of the mail received looks like this:
When the user executes the attachment, the virus copies itself to the Windows directory under the same name. If it is not executed from an NTFS partition, it quits. Otherwise the virus creates 4 streams of data attached to the file odbc.ini (also in the Windows directory).
The streams are named:
- main
- user
- group
and they contain other parts of the virus.
File streams are particular to NTFS partitions and a normal view of that file would not show those streams. After this, the virus creates a file go.vbs in the system directory, and executes it after 10 seconds. The second part of the virus (stored in go.vbs) creates the file %windir%\System32\ras\notepad.vbs where it puts together the streams from odbc.ini.
After another 10 seconds this last file is executed, and this is where the main viral action takes place. The virus now sends itself using MAPI (Mail API) to the first 50 contacts, in the same format as shown above. Next, it creates a user Lord_Nikon and adds that user to the Administrators group.
Last update 21 November 2011
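A read-only host check for the artifacts described above: named streams on odbc.ini, go.vbs in the system directory, the padded driver.doc ... .vbs copy in the Windows directory, and the Lord_Nikon account. This is an added example, not part of the original BitDefender write-up; the function name Get-StreamWormArtifact is hypothetical, and it assumes Windows PowerShell 5.1 or later (Get-Item -Stream and the LocalAccounts cmdlets).

```powershell
# Added example, not from the original description. It only reads state, changes nothing.
function Get-StreamWormArtifact {
    [CmdletBinding()]
    param(
        [string]$WindowsDir = $env:windir,
        [string]$SystemDir  = [Environment]::SystemDirectory
    )

    # 1. Named streams on odbc.ini. A plain directory listing never shows them;
    #    any stream other than the default ':$DATA' on this file is unexpected.
    $odbc = Join-Path $WindowsDir 'odbc.ini'
    if (Test-Path -LiteralPath $odbc) {
        Get-Item -LiteralPath $odbc -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $named = $_.Stream -in 'main', 'user', 'group'
                [pscustomobject]@{
                    Check  = 'AlternateDataStream'
                    Item   = "${odbc}:$($_.Stream)"
                    Detail = "$($_.Length) bytes; stream name listed in the write-up: $named"
                }
            }
    }

    # 2. Second-stage script dropped in the system directory.
    $go = Join-Path $SystemDir 'go.vbs'
    if (Test-Path -LiteralPath $go) {
        [pscustomobject]@{ Check = 'DroppedScript'; Item = $go; Detail = 'go.vbs present' }
    }

    # 3. Copy of the attachment: 'driver.doc', a run of spaces, then '.vbs'.
    Get-ChildItem -LiteralPath $WindowsDir -Filter '*.vbs' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^driver\.doc\s+\.vbs$' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'PaddedExtension'; Item = $_.FullName; Detail = 'spaces hide .vbs' }
        }

    # 4. Local account Lord_Nikon. The well-known SID S-1-5-32-544 addresses the
    #    Administrators group without depending on its localized name.
    $user = Get-LocalUser -Name 'Lord_Nikon' -ErrorAction SilentlyContinue
    if ($user) {
        $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
            Where-Object { $_.SID.Value -eq $user.SID.Value })
        [pscustomobject]@{ Check = 'LocalAccount'; Item = $user.Name
                           Detail = "Enabled=$($user.Enabled); InAdministrators=$isAdmin" }
    }
}

Get-StreamWormArtifact | Format-Table -AutoSize -Wrap
```

No output means none of these artifacts were found; an AlternateDataStream row alone is worth a closer look, since odbc.ini normally carries only its default data stream.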