Internet-Worm Gives Users a Hard Time under the Guise of an Anti-Virus Warning

13 May 2001
Virus News

Kaspersky Lab, an international data-security software-development company, warns users about the detection of a new Internet worm going by the "solid" name of VBS.Hard. Our technical support department has already received several reports from users regarding incidents involving the malicious program.

VBS.Hard propagates via e-mail, and upon activation, sends itself from infected computers via Microsoft Outlook Express to all addresses located in the Windows address list. As a result, the infected computer sends as many infected e-mails as there are addresses in the address book.

The worm is written in Visual Basic Script (VBS), and functions only on systems with Windows Scripting Host installed (WSH is installed in Windows 98 and Windows 2000 by default).

The worm propagates via e-mail as the VBS-file attachment "www.symantec.com.vbs," which is the worm's body itself. The infected message has the following features:

Subject = "FW: Symantec Anti-Virus Warning"
Body =
---- Original Message ----
From: [warning@symantec.com]
To: [supervisor@av.net]; [security@softtools.com];
[mark_fyston@storess.net]; [directorcut@ufp.com];
[pjeterov@goldenhit.org]; [kim_di_yung@freeland.ch];
[james.heart@macrosoft.com]
Subject: FW: Symantec Anti-Virus Warning

Hello,

There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how it replicates itself.

With regards,
F. Jones
Symantec senior developer

Having been sent as an e-mail, the worm creates a fake page with the so-called warning about the VBS.AmericanHistoryX_II@mm virus, when in fact, this virus does not exist.

Following this, the worm creates several files:

The first goes by the name of "c:www.symantec_send.vbs" and contains a VBS script that spreads infected e-mails via MS Outlook Express to all addresses found in the Windows address book.

The second file, going by the name of "c:\message.vbs," contains a script that, on the 24th of November, distributes the following message:

Some shocking news
Don't look surprised!
It is only a warning about your stupidity
Take care!

The worm registers both of these files in the auto-run section of the system registry, so they are launched every time Windows starts. In addition to this, the worm also registers the fake virus information as the Internet Explorer start-up page.

To avoid duplicate spreading from the same machine, the worm creates the system registry key "HKLM\SOFTWARE\Microsoft\WAB\OE Done" and sets its value to "Hardhead_SatanikChild". Thus, it does not spread from the same machine twice.
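A mail-gateway check for the message traits described above, as an added example (not Kaspersky Lab's detection logic). The function names, the wider list of script extensions and the "web address" file-name pattern are assumptions that go beyond the single attachment name in the text; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Traits taken from the advisory text.
HARD_SUBJECT = "FW: Symantec Anti-Virus Warning"
HARD_ATTACHMENT = "www.symantec.com.vbs"
# Extensions run by Windows Script Host on double-click (assumed list;
# the advisory itself names only .vbs).
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# File name that reads like a web address but ends in another extension.
HOSTNAME_LURE = re.compile(
    r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org)\.[a-z]+$", re.I)

def inspect_message(raw):
    """Return a list of reasons to quarantine a raw message (empty = none)."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() == HARD_SUBJECT.lower():
        reasons.append("subject matches VBS.Hard lure")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in WSH_EXTENSIONS:
            continue  # body parts and non-script attachments
        reasons.append("script attachment: " + name)
        if name == HARD_ATTACHMENT:
            reasons.append("attachment name matches VBS.Hard")
        elif HOSTNAME_LURE.match(name):
            reasons.append("script named like a web address")
    return reasons

def build_sample(subject, filename):
    """Constructed test message; the attachment is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"' placeholder, not worm code\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    for subj, fname in [(HARD_SUBJECT, HARD_ATTACHMENT),
                        ("Quarterly report", "report.pdf")]:
        print(fname, "->", inspect_message(build_sample(subj, fname)))
```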

Detection and removal procedures for the VBS worm "Hard" have already been available in the Kaspersky Lab anti-virus database since May 13.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.
