LOVE LETTER - Read our OPINION on the fundamental problem.
Short description

Another "Melissa-style" Internet worm written in VBS. It requires Windows Scripting Host to be installed (the default on Windows 98 and Windows 2000). It overwrites a lot of files with itself (vbs, vbe, js, jse, css, wsh, sct, hta). It creates .jpg.vbs and .jpeg.vbs copies of itself from the images and then deletes the original file. ".mp3" and ".mp2" files are not erased: their names are simply modified and they are hidden.

The worm spreads itself by looping through your address book (Windows 98 and Windows 2000) and by modifying the mIRC configuration so that an infected web page is presented on IRC connections.

There are already several variants of this worm:

  • Mother's Day - targets .INI and .BAT files.
  • Susitikim - a Lithuanian variant.
  • fwd: Joke - where the script is renamed Very Funny.
In practice

If you don't have any anti-virus, follow these instructions

You'll need F-Secure Anti-Virus 4.07 or 4.08 to apply these updates:

fsupdate site 1 * fsupdate site 2

IMPORTANT NOTES

1 - Scan all files. If the virus was activated, there is a good chance that files with non-standard (double-dot) extensions are infected. In addition, your F-Secure Anti-Virus may not be configured to scan the worm's target extensions.

2 - The virus doesn't append itself to files; it either creates infected files or overwrites existing files with its own code. It cannot be "disinfected": the infected files are the worm itself and need to be removed. Delete the infected files.

3 - The virus creates infected files (among others) with the names

MSKernel32.vbs in the Windows system folder
Win32DLL.vbs in the Windows folder

You might be afraid to remove them because they look like system files, but they are not: these files should be removed, as they are essential to the survival of the worm.

REGISTRY Modifications

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
may be set to 0 - this key can be safely removed

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = <Windows system folder>\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

These keys will run the worm and MUST be removed

The worm uses a crude load-balancing mechanism: it picks one of several web sites from which a fake WIN-BUGSFIX.exe file is to be fetched, and points the Internet Explorer start page at that download URL.

HKCU\Software\Microsoft\Internet Explorer\Main\StartPage = "http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"

This "bugfix" is then run through the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
This key should be removed even though the file has probably not been downloaded in every infection, since the sites in question are currently down. If the WIN-BUGSFIX.exe file can be found on your hard disk, there is a risk that confidential information has been sent out of your company. You should at least change all your passwords.

The MSIE start page is then reset:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"
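The indicators listed in notes 1 and 3 and in the registry section above can be collected into a single read-only report. The following PowerShell function is an added example, not code from this page, from DataRescue or from F-Secure: it assumes PowerShell 3.0 or later on a current Windows host (the Windows 98/2000 machines of the time had no PowerShell), the function and parameter names and the finding categories are mine, and the file names, registry paths and the WIN-BUGSFIX.exe name are the ones quoted on this page. It changes nothing; deleting the files and keys it lists remains the manual step described above.

```powershell
# Added example (not part of the DataRescue advisory): read-only audit of the
# LoveLetter indicators the page lists. It reports and removes nothing.
# Function/parameter names are assumptions; paths and key names are the page's.
function Get-LoveLetterIndicators {
    [CmdletBinding()]
    param(
        # Directory trees to search for double-extension files (advisory note 1).
        [string[]]$ScanRoot = @("$env:SystemDrive\")
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # Note 3: the two dropped scripts named to look like system files. Both the
    # \System and \System32 spellings of the "Windows system folder" are checked.
    $dropped = @(
        (Join-Path $env:SystemRoot 'System32\MSKernel32.vbs'),
        (Join-Path $env:SystemRoot 'System\MSKernel32.vbs'),
        (Join-Path $env:SystemRoot 'Win32DLL.vbs')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Add-Finding 'DroppedScript' $path 'delete (advisory note 3)'
        }
    }

    # Registry: the Run/RunServices values that start the worm and the fake bugfix.
    $runValues = @(
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'MSKernel32' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Win32DLL' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'WIN-BUGSFIX' }
    )
    foreach ($rv in $runValues) {
        if (-not (Test-Path $rv.Path)) { continue }
        $props = Get-ItemProperty -Path $rv.Path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$rv.Name]) {
            Add-Finding 'AutoStartValue' "$($rv.Path)\$($rv.Name)" ($props.($rv.Name))
        }
    }

    # Registry: Windows Scripting Host Timeout forced to 0 (page: may safely be removed).
    $wsh = 'HKCU:\Software\Microsoft\Windows Scripting Host\Settings'
    if (Test-Path $wsh) {
        $timeout = (Get-ItemProperty -Path $wsh -ErrorAction SilentlyContinue).Timeout
        if ($null -ne $timeout -and $timeout -eq 0) {
            Add-Finding 'WshTimeout' "$wsh\Timeout" '0'
        }
    }

    # Registry: IE start page pointing at a WIN-BUGSFIX.exe download (both spellings on the page).
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $ieMain) {
        $props = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
        foreach ($name in 'Start Page', 'StartPage') {
            $value = $props.$name
            if ($value -and $value -match 'WIN-BUGSFIX\.exe$') {
                Add-Finding 'StartPage' "$ieMain\$name" $value
            }
        }
    }

    # Note 1: double-extension copies (photo.jpg.vbs), hidden .mp3/.mp2 originals,
    # and any WIN-BUGSFIX.exe that did get downloaded (advisory: change all passwords).
    foreach ($root in $ScanRoot) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                if ($_.Name -match '\.(jpg|jpeg|mp3|mp2)\.(vbs|vbe)$') {
                    Add-Finding 'DoubleExtension' $_.FullName 'worm copy, delete (note 2: cannot be disinfected)'
                } elseif ($hidden -and $_.Name -match '\.(mp3|mp2)$') {
                    Add-Finding 'HiddenMedia' $_.FullName 'original hidden by the worm, not erased'
                } elseif ($_.Name -ieq 'WIN-BUGSFIX.exe') {
                    Add-Finding 'Downloader' $_.FullName 'confidential data may have been sent out; change all passwords'
                }
            }
    }

    return $findings
}

# Usage: list everything the advisory says to remove, without touching it.
# Get-LoveLetterIndicators -ScanRoot 'C:\Users' | Format-Table Kind, Location, Detail -AutoSize
```

The name-based file checks only cover the copies the page describes by name (.jpg.vbs, .jpeg.vbs, hidden .mp3/.mp2); script files the worm overwrote in place keep their original names and can only be found by the content scan the page asks for in note 1. Run the function as an administrator so that the HKLM keys and all user profiles are readable.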

Link to the F-Secure Corporation description of the virus

DataRescue 45 quai de la Dérivation 4020 Liège (Belgium) tel 32-4-3446510 fax 32-4-3446514 Please send us your questions or comments.