Prevent Online Threats

Archive for May, 2008

VBS.Rabbit

Monday, May 26th, 2008

Details
VBS.Rabbit.a

This is a virus written in the Windows Script language, and it is the first known virus of this type, appearing in October 1998. The virus is quite simple – just over 10 commands. It simply searches for other script files in the current directory and overwrites them.
The virus does this by using DOS shell “find-and-copy-over” commands, overwriting all *.VBS (Visual Basic Script) files in the current directory.
The virus has a minor bug: when it is executed by a browser, it infects all files in the browser’s cache and copies them to the computer’s Desktop (since the browser’s default directory is the Desktop). When this happens, the Desktop becomes filled with the icons of the infected scripts (the virus replicates like a rabbit, which explains its name – “Rabbit”).
On the 15th of any month, the virus creates a URL file named “CB.URL” or “The CodeBreakers.URL” (depending on the virus version) and writes the URL reference “http://www.codebreakers.org” into it. The major virus versions then also open a browser on this URL. While this is happening, the virus also displays the following Message Box:
VBSv v1.0
by Lord Natas/CodeBreakers
The virus also contains the comments:
VBSv Version 1.0 by Lord Natas/CodeBreakers
First Windows Scripting Virus

VBS.Netlo

Monday, May 26th, 2008

Details
VBS.Netlog

This is a worm written in the Visual Basic Script language (VBS). It spreads through a network by copying itself to other computers on the network.
Upon activation, the worm generates a random network IP address (for example 145.65.28.0) and tries to connect to every computer in that network: it steps the last octet of the address from 1 to 255 and attempts a connection to each. If a connection is accepted, the worm copies itself to the connected computer’s drive C: in the following folders:
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP
C:\WINDOWS
C:\WINDOWS\START MENU\PROGRAMS\STARTUP
C:\WIN95\START MENU\PROGRAMS\STARTUP
C:\WIN95\STARTM~1\PROGRAMS\STARTUP
C:\WIND95
If all computers in this network are inaccessible, the worm generates a new network IP address.
The worm creates a file “C:\NETWORK.LOG”. In this file, the worm writes all of its activities. The file content appears as follows:
Log file Open
Subnet : 145.65.28.0
Subnet : 23.44.93.0
Subnet : 50.112.201.0
Subnet : 176.3.138.0
Copying files to : \\176.3.138.5\Ñ
Successfull copy to : \\176.3.138.5\Ñ
The spreading ability of this worm is very low, because searching for a victim computer takes a lot of time and most computers reject the requested connection.
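During incident response, the NETWORK.LOG file described above is the quickest record of which subnets the worm probed and which hosts it actually reached. The following parser is an added example, not code from the original page; it reads the log layout shown above and summarises it (the share name after the host is assumed to be “C”, since that part is mis-encoded on the page).

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the worm's NETWORK.LOG (not a real capture).
SAMPLE_LOG = """Log file Open
Subnet : 145.65.28.0
Subnet : 23.44.93.0
Subnet : 50.112.201.0
Subnet : 176.3.138.0
Copying files to : \\\\176.3.138.5\\C
Successfull copy to : \\\\176.3.138.5\\C
Copying files to : \\\\176.3.138.77\\C
Copying files to : \\\\10.0.0.9\\C
"""

SUBNET_RE = re.compile(r"^Subnet\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
COPY_RE = re.compile(r"^(Copying files to|Successfull copy to)\s*:\s*\\\\([^\\\s]+)\\(\S*)")


@dataclass
class NetlogSummary:
    subnets: list = field(default_factory=list)    # /24 networks the worm tried
    attempted: list = field(default_factory=list)  # hosts it started copying to
    succeeded: list = field(default_factory=list)  # hosts it reports as infected


def parse_netlog(text: str) -> NetlogSummary:
    """Extract probed subnets and copy attempts/successes from NETWORK.LOG text."""
    summary = NetlogSummary()
    for line in text.splitlines():
        m = SUBNET_RE.match(line)
        if m:
            summary.subnets.append(m.group(1))
            continue
        m = COPY_RE.match(line)
        if m:
            target = summary.attempted if m.group(1).startswith("Copying") else summary.succeeded
            target.append(m.group(2))
    return summary


def hosts_outside_logged_subnets(summary: NetlogSummary) -> list:
    """Copy targets whose /24 never appeared as a 'Subnet' line: a sign the log
    was edited or that this is not the worm's own output (hostnames are skipped)."""
    nets = [ipaddress.ip_network(f"{s}/24", strict=False) for s in summary.subnets]
    outside = []
    for host in summary.attempted:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if not any(addr in n for n in nets):
            outside.append(host)
    return outside


if __name__ == "__main__":
    s = parse_netlog(SAMPLE_LOG)
    print("subnets:", s.subnets)
    print("infected hosts to isolate:", sorted(set(s.succeeded)))
    print("unexplained targets:", hosts_outside_logged_subnets(s))
```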

VBS.Monopol

Monday, May 26th, 2008

Details
VBS.Monopoly

Another Melissa-like worm. It spreads through e-mail using the MS Outlook client. The main difference between the two worms is that this one is written in Visual Basic Script instead of the MS Office macro language. Most of its code is encrypted to make analysis more difficult.
The virus arrives on a computer as an e-mail message with an attached “MONOPOLY.VBS” file. When this file (containing VBScript) is executed, it creates an image file “MONOPOLY.JPG” in a temporary folder. It also creates two more files, “MONOPOLY.WSH” and “MONOPOLY.VBE”. The VBE file contains encrypted VBScript and is executed via the WSH file.
When the VBE file executes, it displays the message:
Bill Gates is guilty of monopoly. Here is the proof

Then it displays the picture from the image file. The picture shows Bill Gates’ face on a Monopoly game board.
The worm’s spreading routine is very close to that of the “Melissa” virus. The worm sends itself to every address in the Outlook address book. The message contains the attached file “MONOPOLY.VBS”.
Subject:
Bill Gates joke
Text:
Bill Gates is guilty of monopoly. Here is the proof. :-)

The worm also sends another message to the following addresses:
monopoly@mixmail.com, monpooly@telebot.com, mooponly@ciudad.com.ar,
mloponoy@usa.net, yloponom@gnwmail.com

In this message, the worm sends a list of names and addresses from the Outlook address book, ICQ UIN files, and information obtained from the Windows registry:
Registered user name and organization
Network computer name
DVD region
Country and area code
Language
Windows version
Internet Explorer start page
After all this, the worm modifies the system registry:
“HKEY_LOCAL_MACHINE\Software\OUTLOOK.Monopoly\” = “True”

In this way, the worm marks a computer and will not send messages from this computer next time.

Demonstrations of the virus effects:

monopoly.jpg

VBS.Mcon

Monday, May 26th, 2008

Details
VBS.Mcon.b

This worm spreads via networks, scanning them for accessible IP addresses and copying itself to the hosts it finds.
On activation, the worm copies itself into the Windows Fonts directory under the name “ttfload.vbs” and modifies the system registry so that this file is executed on each Windows start-up. If the file has been activated from a folder other than “Fonts” or “Startup,” the worm displays a false system-error message:
ERROR
FILE I/O ERROR
If the worm has been activated from the “Fonts” folder (i.e. on Windows start-up), it runs its spreading routine.
This routine scans local hard drives and network disks and creates a copy of the worm’s file in each folder. The file name is generated as follows: the worm takes a random file name from the recent-files list, appends more than a hundred spaces to it, and then appends the extension “.vbs”. The true “.vbs” extension is thus pushed out of view by the long run of spaces.
After the disk scan is finished, the worm begins scanning the network for accessible IP addresses. It checks randomly generated IP addresses and, if an address is accessible, tries to copy itself there.
If the worm finds a directory whose name contains the string “mirc”, it creates a SCRIPT.INI file in it. The script in this file is executed automatically when mIRC starts. This script scans the network in the same way as the worm does and, if an accessible IP address is found, sends a copy of the worm to that address.
Depending on a randomly generated number (in one case in a thousand), the worm replaces the browser’s start page with “http://www.zonelabs.com/”.
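The padded-extension trick above (a borrowed document name, a long run of spaces, then “.vbs”) is easy to hunt for on disk. The scanner below is an added example and not part of the original page; it also flags the related double-extension disguise (“photo.jpg.vbs”) and the fixed dropper name “ttfload.vbs” quoted above. The padding threshold MIN_PAD is an assumed value, well below the hundred-plus spaces the worm uses.

```python
import os
import tempfile

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
MIN_PAD = 8                      # assumed threshold; the worm pads with >100 spaces
DROPPER_NAMES = {"ttfload.vbs"}  # fixed file name quoted in the description


def analyze_name(name: str, min_pad: int = MIN_PAD):
    """Return a reason string if the file name looks like a disguised script, else None."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if name.lower() in DROPPER_NAMES:
        return "known dropper name"
    if ext not in SCRIPT_EXTS:
        return None
    stripped = base.rstrip(" \t\u00a0")          # spaces, tabs, non-breaking spaces
    pad = len(base) - len(stripped)
    if pad >= min_pad:
        return f"{pad} whitespace characters hide the {ext} extension"
    inner_ext = os.path.splitext(stripped)[1].lower()
    if inner_ext and inner_ext not in SCRIPT_EXTS:
        return f"document-style name ({inner_ext}) with a {ext} extension appended"
    return None


def find_disguised_scripts(root: str, min_pad: int = MIN_PAD) -> list:
    """Walk a directory tree and return (path, reason) for every suspicious file name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            reason = analyze_name(fname, min_pad)
            if reason:
                hits.append((os.path.join(dirpath, fname), reason))
    return hits


def demo() -> list:
    """Build a temporary tree with constructed names and scan it."""
    root = tempfile.mkdtemp(prefix="mcon-demo-")
    sub = os.path.join(root, "Shared")
    os.makedirs(sub)
    for fname in ["budget.xls" + " " * 120 + ".vbs",  # the worm's padding trick
                  "holiday.jpg.vbs",                   # double extension
                  "ttfload.vbs",                       # the dropper name
                  "readme.txt", "logon.vbs"]:          # benign names
        open(os.path.join(sub, fname), "w").close()
    return sorted(reason for _, reason in find_disguised_scripts(root))


if __name__ == "__main__":
    for reason in demo():
        print("flagged:", reason)
```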

VBS.Lanu

Monday, May 26th, 2008

Details
VBS.Lanus

This virus is written in the Visual Basic Script (VBS) language and is encrypted (it is a VBE – a Visual Basic encoded script). When activated, it searches for files with the .html and .htm extensions and infects them by writing its code to the top of the file.
The virus marks infected files with a “tag-mark” () and doesn’t infect them again.
The virus doesn’t contain any payload.

VBS.Kerz

Monday, May 26th, 2008

Details
VBS.Kerza

This virus is written in Visual Basic Script (VBS) and is installed on a user’s computer by I-Worm.Maldal. On start-up, it searches all subdirectories of the local disks for files with the following extensions:
“htm”, “html”, “asp”, “lnk”, “zip”, “jpg”, “jpeg”, “mpg”, “mpeg”, “doc”, “xls”, “mdb”, “txt”, “ppt”, “pps”, “ram”, “rm”, “mp3”, “mdb”, “swf”
and infects them. The virus also deletes anti-virus files and sends messages by e-mail.
Installation
The virus copies itself to the Windows System directory under the name “zacker.vbs”. It also creates its component “dalal.htm” in the Windows System directory.
Infecting files
The virus appends script code to files with the extensions “htm”, “html” and “asp”. The appended script downloads a virus dropper from the Internet:

http://geocities.com/jobreee/main.htm

For files with the following extensions, it deletes the original file and writes a copy of itself named Oldname + “.vbs” in its place:
“lnk”, “zip”, “jpg”, “jpeg”, “mpg”, “mpeg”, “doc”, “xls”, “mdb”, “txt”, “ppt”, “pps”, “ram”, “rm”, “mp3”, “mdb”, “swf”
Deleting files
The virus deletes all files at the following paths on the drive that contains Windows:
“\program files\command software\f-prot95\*.*”
“\esafe\protect\*.*”
“\pc-cillin 95\*.*”
“\pc-cillin 97\*.*”
“\program files\quick heal\*.*”
“\program files\fwin32\*.*”
“\program files\findvirus\*.*”
“\toolkit\findvirus\*.*”
“\f-macro\*.*”
“\program files\mcafeevirusscan95\*.*”
“\program files\norton antivirus\*.*”
“\tbavw95\*.*”
“\vs95\*.*”
“\rescue\*.*”
“\program files\zone labs\*.*”

It also deletes the directory:
“\program files\zone labs”
Spreading in an e-mail message
The virus creates and runs its component file “outlook.vbs” in the Windows System directory. This component sends a message to all users in the Outlook address book. The messages contain the following:
Subject: Very important !!!
Body: See this page

http://geocities.com/Jobreee/main.htm

Other actions
The virus displays a dialogue box and reboots the PC. The dialogue contains the following anti-Semitic text:
america will never survive till it dismisses jews from its land
jews bring disasters to any pll they live with
i dunno why they are still alive!!!
lets kill them one by one

VBS.Kalama

Sunday, May 25th, 2008

Details
VBS.Kalamar
Kalamar is a virus written in the Visual Basic Script language (VBS). It creates a copy of itself with the name “Worm1.vbs” in the Windows directory.
The “Kalamar” virus doesn’t contain any payload.

VBS.Inf

Sunday, May 25th, 2008

Details
VBS.Infi

This is a virus written in Visual Basic Script (VBS). When launched, it copies itself to C:\SysPatch.vbs and registers that file in the Windows registry auto-start area.
The virus then searches all available drives for files with the extension “VBS” and overwrites them with its own code, destroying the original script’s content.
The virus contains the following “copyright” strings:
Worm name is: VBS.Infektor
Author is: ACIdCooKie
VxBioLabs / Specie and ACIdCooKie

VBS.Har

Sunday, May 25th, 2008

Details
VBS.Hard

This is an Internet worm written in the Visual Basic Script language (VBS). It spreads using MS Outlook Express.
The worm spreads via e-mail by sending infected messages from infected computers. It uses MS Outlook Express to send itself to all addresses stored in the Windows Address Book, so an infected computer sends one message for each address kept in the Windows Address Book.
It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default.
The worm arrives on a computer as an e-mail message with the attached file “www.symantec.com.vbs”, which is the worm itself.
The infected message in the original worm version contains:
Subject = “FW: Symantec Anti-Virus Warning”
Body = —– Original Message —–
From: [warning@symantec.com]
To: [supervisor@av.net]; [security@softtools.com];
[mark_fyston@storess.net]; [directorcut@ufp.com];
[pjeterov@goldenhit.org>; [kim_di_yung@freeland.ch];
[james.heart@macrosoft.com]
Subject: FW: Symantec Anti-Virus Warning

Hello,
There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how it replicates itself.

With regards,
F. Jones
Symantec senior developer
Upon activation, the worm creates a fake Symantec virus-information page about the non-existent virus “VBS.AmericanHistoryX_II@mm” and displays it. It then creates several files that are used later for spreading.
The first file, “c:\www.symantec_send.vbs”, contains Visual Basic Script that instructs MS Outlook Express to send infected messages to all of the addresses in the Windows Address Book.
The second file, “c:\message.vbs”, contains Visual Basic Script that, on November 24th, displays the following message:
Some shocking news
Don’t look surprised!
It is only a warning about your stupidity
Take care!
Both of these files are registered by the worm in the autorun section of the system registry, so these scripts gain control on each Windows start-up.
The worm also registers the fake virus-information page as the Internet Explorer start page.
To avoid spreading from the same machine twice, the worm creates the registry value “HKLM\SOFTWARE\Microsoft\WAB\OE Done” and sets it to “Hardhead_SatanikChild”. If this marker is present, the worm does not send itself again from that machine.

VBS.GaScrip

Sunday, May 25th, 2008

Details
VBS.GaScript

VBS.GaScript is an Internet worm and script virus made with the help of the virus construction program Gate Script. Both the virus and the worm code are written in Visual Basic Script (VBS).
The Gate Script program facilitates the building of viruses and worms that spread via e-mail.
Below is a selection of the destructive actions Gate Script can build into the worms it generates:

copies worms to the system catalog
encrypts code
infects files on local disks (files with vbs and htm extensions).
displays messages on the monitor screen

There are three versions of the Gate Script constructor program. Most viruses generated with it contain mistakes and are therefore inoperative.
Gate Script screen shot.

VBS.FreeLin

Sunday, May 25th, 2008

Details
VBS.FreeLink

This is a worm written in the Visual Basic Script language (VBS). It spreads via e-mail and IRC (Internet Relay Chat) channels.
When executed, the worm script creates a new script file “RUNDLL.VBS” in the Windows system folder and modifies the system registry to execute this script on every Windows start-up.
Then the worm displays the following message box:
This will add a shortcut to free XXX links on your desktop. Do you want
to continue?

If the user answers “YES,” the worm creates a shortcut on the desktop with the URL of an XXX site.
The worm then enumerates all network drives on the computer and copies the infected script to the root directory of each network drive.
To spread via e-mail, the worm uses MS Outlook. Its spreading routine is very similar to the corresponding routine in the “Melissa” virus and works in the same way. The infected message carries the worm script as an attachment (LINKS.VBS).
The message subject: Check this
The message body: Have fun with these links.

The “RUNDLL.VBS” script, when run, creates another script file “LINKS.VBS” in the Windows directory (LINKS.VBS is the same script as described above). It then scans all fixed drives for the folders “MIRC”, “PIRCH98” and “Program Files” (the folder where most Windows programs are usually installed), including all their subfolders, and searches for the “MIRC32.EXE” or “PIRCH98.EXE” programs (popular IRC clients). If either program is found, the worm creates a script file (SCRIPT.INI for mIRC or EVENTS.INI for PIRCH) containing commands that send the infected “LINKS.VBS” to other IRC users when they join the same IRC channel as the infected computer.
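VBS.Monopoly, VBS.Hard and VBS.FreeLink all rely on the same delivery pattern: a short lure subject and a .vbs attachment, in VBS.Hard’s case named to look like a web address. The mail-gateway check below is an added example, not code from the original page or from any of these worms; the attachment names and subjects it matches are the ones quoted in the descriptions above, and the sample message is constructed here.

```python
import email
import os
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Attachment names and subjects quoted in the descriptions of the three worms.
KNOWN_LURE_FILES = {"monopoly.vbs", "www.symantec.com.vbs", "links.vbs"}
KNOWN_LURE_SUBJECTS = {"bill gates joke", "fw: symantec anti-virus warning", "check this"}


def build_sample(filename: str = "www.symantec.com.vbs",
                 subject: str = "FW: Symantec Anti-Virus Warning") -> bytes:
    """Constructed message in the shape of the VBS.Hard lure (placeholder attachment body)."""
    msg = EmailMessage()
    msg["From"] = "warning@symantec.com"        # spoofed sender, as in the description
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("There is a new worm on the Net. The attached file describes it.")
    msg.add_attachment(b"' placeholder bytes, not a script\r\n",
                       maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def script_attachment_findings(raw: bytes) -> list:
    """Return [(attachment name, [reasons])] for every script-type attachment in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        ext = os.path.splitext(low)[1]
        if ext not in SCRIPT_EXTS:
            continue
        reasons = [f"Windows script attachment ({ext})"]
        if low in KNOWN_LURE_FILES:
            reasons.append("attachment name matches a documented worm lure")
        if low.count(".") >= 2:
            reasons.append("domain-like or double extension name hides the script type")
        if subject in KNOWN_LURE_SUBJECTS:
            reasons.append("subject matches a documented worm lure")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in script_attachment_findings(build_sample()):
        print(name, "->", "; ".join(reasons))
```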

VBS.AV

Sunday, May 25th, 2008

Details
VBS.AVM
WinScript.AVM is a family of parasitic viruses written in the Windows Script language.
To replicate, they use the File System Object (FSO). When run, the viruses locate the host file name, read the file contents, locate their own body, search for all .VBS files in the PATH directories and write themselves to the end of those files. The viruses also scan and infect .VBS files in the current directory as well as in the special directories Desktop, My Documents and Startup.
The viruses also create the dropper file AVM.VBS in the Windows directory and register it in the system registry as an auto-run file. As a result, the virus dropper is executed automatically by Windows on each reboot.
The viruses contain the comments:
“AVM.a”:

Nick “The Love Monkey” Virus Package by ALT-F4 and ALT-F11
for the Alternative Virus Mafia

“AVM.b”:

allby ALT-F4 and ALT-F11 for the Alternative Virus Mafia

Vbasic Famil

Saturday, May 24th, 2008

Details
Vbasic Family

These are dangerous non-memory-resident viruses. They search for COM and EXE files and write themselves to the end of each file. Sometimes they erase the CMOS and the MBR of the hard drive. The viruses reportedly disinfect the Pakistani Brain virus.
These viruses contain the text string:
KEYB*.COM KEYB*.EXE BASRUN BRUN COBRUN NET$OS *.COM IBMBIO.COM IBMDOS.COM
COMMAND.COM *.* .. \ .. *.EXE Access denied. *.EXE

Some versions of “Vbasic” sometimes display the message “ACCESS Denied” and return to DOS.

Variol

Saturday, May 24th, 2008

Details
Variola
This is a dangerous encrypted stealth boot virus. It writes itself to the boot sectors of floppy disks and to the MBR of the hard drive. It infects the hard drive when the system is booted from an infected floppy disk, then hooks INT 13h and infects floppy disks as they are accessed. It saves the original boot and MBR sectors in encrypted form.
Depending on the system timer, with probability 1/100 the virus displays the message:
PeaceMaker by VaRiOLa

It then wipes system sectors on all available hard disks and halts the computer.

Vanitas.3712

Saturday, May 24th, 2008

Details
Vanitas.3712.a

This is a dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files as they are accessed. The virus does not infect the files EMM386, SCAN and F-PROT. While installing itself in memory, the virus also infects the C:\WINDOWS\COMMAND.COM and C:\COMMAND.COM files (they are of EXE format in DOS 7.x).
The virus has a bug and may halt the system while installing itself in memory. On March 27th the virus manifests itself with a video effect.
The virus contains the text strings:
VANITAS++ v2.0 GR(c)97 by ANAX.
[E-75] goes to Hell. Have a nice deathall
