Details
I-Worm.Lee-SaltLake

This is a simple worm that replicates through e-mail messages and IRC channels.
The worm arrives in an infected message with an attached VBS file, which is actually the worm’s body. Infected messages have the following properties:
Subject: You get off the ice and respect the referees decision
Message body: Do you agree with the judge’’s decision to disqualify a Korean skater and award Apolo Ohno the gold medal Wednesday night?
Attachment name: SALTLAKE.jpg.vbs

When the worm is launched (when the is worm clicked in an infected file), it copies itself to the Windows system directory with the “SALTLAKE.jpg.vbs” name and registers this file in the registry autorun key.
Then the worm finds the directory where the mIRC client is installed and creates there a “SCRIPT.INI” file. The worm writes in its commands that send the worm’s body to each computer that connects to IRC channels, to which an infected computer is connected.
After creating the “SCRIPT.INI” file, the worm writes an infection mark to the system registry. This mark prevents the worm from writing to the “SCRIPT.INI” file again.
This worm was created using the worm constructor “Vbs Worms Generator”, which was written by the hacker with the pseudonym [K]alamar. This constructor was also used to create the “Anna Kournikova”, “Antrax” and other worms.

Related Posts

This entry was posted on Saturday, December 16th, 2006 at 10:00 pm and is filed under Virus Threats.