Summary

| Included in our products from | April 2002 (3.56) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing worms.
More Information
VBS/Numgame-A is an email worm. It spreads as an email with the following properties:
Subject:
Are you <recipient> my valentine?
Message Body:
Hi <recipient> my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play the attached guess-the-number-game to guess who I am. See you soon, bye-bye!
Attachment:
GuessGame.html
or
GuessGame.vbe
When the HTML file is run, it displays a message box containing the text "Guess Game instructions:". It goes on to ask the user to click "Yes" should an ActiveX warning dialog box appear.
Depending on the system configuration, an ActiveX warning dialog may then be displayed.
If the user clicks "Yes" to the ActiveX warning, or no warning appears, the worm creates the file GuessGame.vbe in the Windows directory and executes it.
GuessGame.vbe first creates a copy of itself in the Windows system directory. It then sends an email with the above characteristics to all addresses listed in the user's Outlook Address book.
It next attempts to set the date to 04-08-1981. Depending on the system settings this will result in the system date changing to 4th August 1981 or 8th April 1981 or remaining unchanged.
The worm also sets the following registry values in order to disable the Desktop and the system file checking process:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = 1
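The two registry changes listed above can be checked offline against a registry export. The following is an added example, not part of the original description: it assumes a text .reg export (as written by `reg export`) that has already been decoded to a string, and the function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above: (key, value name, DWORD data).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "SFCDisable", 0xFFFFFF9D),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDesktop", 1),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{1,8})$')

def parse_reg_dwords(reg_text):
    """Return {(key, value_name): int} for every DWORD in a .reg export.
    Names are lower-cased because registry paths are case-insensitive."""
    values, current_key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and current_key is not None:
            values[(current_key, m.group("name").lower())] = int(m.group("data"), 16)
    return values

def find_numgame_registry_changes(reg_text):
    """List the indicator values present with exactly the data the worm writes."""
    found = parse_reg_dwords(reg_text)
    return [f"{key}\\{name}" for key, name, data in INDICATORS
            if found.get((key.lower(), name.lower())) == data]

# Constructed sample export (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
'''

if __name__ == "__main__":
    for hit in find_numgame_registry_changes(SAMPLE_EXPORT):
        print("modified:", hit)
```

A match on either value only shows that the setting is present with this data; it should be weighed together with the other artifacts described here, such as the GuessGame.vbe copies.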
After setting the registry entries, the worm attempts to delete all files from the local and network drives. On each affected drive it also creates a file named autoexec.bat in an attempt to delete files with the following extensions:
*.SYS
*.DLL
*.OCX
*.CPL
*.DAT
*.COM
*.EXE
*.CAB
*.INI
*.INF
*.VXD
*.DRV
*.DOC
*.XLS
*.MDB
*.PPT
*.MP3
*.JPG
*.TXT
*.HTM
*.HTML
*.HTA
*.ASP
*.ASPX
from the following directories:
\
Desktop,
Program Files,
My Documents,
Windows,
System,
Temp,
Windows\SYSTEM32,
Windows\COMMAND,
Windows\INF,
Windows\SYSBCKUP,
\Documents and Settings,
\Inetpub
or their equivalents (e.g. WINNT\system32).
Lastly the worm allows the user to play a guessing game to guess a number between 1 and 100.


