VBS.Monopoly
 
Short description

Another "Melissa-style" Internet worm. VBS.Monopoly spreads through e-mail using the MS Outlook client. The main difference from "Melissa" is that it is written in Visual Basic Script instead of MS Office's macro language. Most of its code is encrypted to make analysis more difficult. The virus is delivered through an e-mail message with the file "MONOPOLY.VBS" attached. When this file (which contains VBScript) is executed, it creates the image file "MONOPOLY.JPG" in a temporary folder. It also creates two other files, "MONOPOLY.WSH" and "MONOPOLY.VBE".

The VBE file contains encrypted VBScript and is executed with the WSH file. When the VBE file is executed, it displays the message "Bill Gates is guilty of monopoly. Here is the proof." and then displays the picture from the image file. The picture shows Bill Gates' face on a Monopoly game board. The worm's spreading routine is very closely related to the routine of the "Melissa" virus. The worm sends itself with a message to all addresses from the Outlook address book.

The message contains the attached file "MONOPOLY.VBS".

Subject: Bill Gates joke

Text: Bill Gates is guilty of monopoly. Here is the proof. :-)

VBS.Monopoly also sends another message to the addresses: [email protected] [email protected] [email protected] [email protected] [email protected]

In this message the worm sends a list of names and addresses from the Outlook address book, ICQ UIN files and information from the Windows registry:

Registered user name and organisation
Network computer name
DVD region
Country and area code
Language
Windows version
Internet Explorer start page

After all that, the worm modifies the system registry:

"HKEY_LOCAL_MACHINE\Software\OUTLOOK.Monopoly\" = "True"

In this way the worm "marks" the computer and will not send messages with confidential information from this computer a second time.

(analysis courtesy of AVP team) (13/08/99)

In practice
Do not open monopoly.vbs and/or manually add this signature update (4.04 and 4.05 only). This signature update will be added to fsupdate around the 16th or 17th of August. So far, the virus doesn't seem to be a fast spreader and hasn't been met in the wild.
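For mail administrators, the message traits described above (subject "Bill Gates joke", attachment "MONOPOLY.VBS") can be checked at the gateway before delivery. The following Python sketch is an added example, not part of the AVP analysis or any DataRescue product; the function names, the sample addresses and the extension to other .vbs/.vbe/.wsh attachments are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
WORM_SUBJECT = "bill gates joke"
WORM_ATTACHMENT = "monopoly.vbs"
# Assumption: also flag the other Windows Script Host file types the worm uses.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsh")


def inspect_message(raw_bytes):
    """Return a list of findings for one RFC 822 message (empty list = nothing found)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so "x.vbs." still runs as a script.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        if name == WORM_ATTACHMENT:
            findings.append("attachment named MONOPOLY.VBS")
        elif name.endswith(SCRIPT_EXTENSIONS):
            findings.append("script attachment: " + name)
    # The subject alone is not a verdict; it only adds weight to an attachment hit.
    subject = (msg["Subject"] or "").strip().lower()
    if findings and subject == WORM_SUBJECT:
        findings.append("subject matches 'Bill Gates joke'")
    return findings


def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is a placeholder, not worm code."""
    m = EmailMessage()
    m["From"] = "sender@example.com"      # constructed address
    m["To"] = "recipient@example.com"     # constructed address
    m["Subject"] = subject
    m.set_content("Bill Gates is guilty of monopoly. Here is the proof. :-)")
    if filename:
        m.add_attachment(b"' placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Bill Gates joke", "MONOPOLY.VBS"),
                        ("Holiday photos", "photo.jpg.VBE"),
                        ("Bill Gates joke", None)]:
        print(subj, fname, "->", inspect_message(build_sample(subj, fname)))
```

A message with any finding should be quarantined rather than delivered; the subject match is reported only alongside an attachment hit so that ordinary mail with the same subject is not blocked.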

DataRescue 45 quai de la Dérivation 4020 Liège (Belgium) tel 32-4-3446510 fax 32-4-3446514 Please send us your questions or comments.