McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

VBS/Cian

This page shows details and results of our analysis on the malware VBS/Cian

Threat Detail

Malware Type: Virus

Malware Sub-type: Worm

Discovery Date: 2003-02-04

Next Steps:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4247 (2003-02-12)

Updated DAT

4516 (2005-06-17)

 Minimum Engine

5.1.00

File Length

Varies

Description Added

2003-02-11

Description Modified

2003-02-13

Malware Proliferation

Characteristics

This threat is detected as VBS/Cian. This virus will also infect Word Documents and Excel Spreadsheets.

The virus will infect the Normal template and also drop an infected Personal.xls in the XLStart directory. Both Excel and Word are capable of cross infecting each other and both drop the infected script Winstart.vbs which is detected as VBS/Cian. When opening an infected Word document, the virus will disable the macro warning protection and set the security level to low for Word2K. This file is detected as W97M/Generic@MM. It will also disable the menu items Tools/Macro, Tools/Customize, View/Toolbars and Format/Object. The virus will export its code to Evade.jpg in the windows SYSTEM directory. This file is detected as VBA/Generic.src

The virus will then send an email to all in the Outlook Addresslist with one of the following subject lines:

  • Here is that file
  • Important file
  • The file
  • Word file
  • [infected Document] name
  • The file you wanted
  • Here is the file
  • Body: The file I am sending you is confidential as well as important; so don't let anyone else have a copy.
  • Attachment: Infected document

The virus will store the email addresses it has sent the virus to in the following key:

  • HKEY_CURRENT_USER\Software\Zed/[rRlf\VBS/Evade\RecordContacts

When opening an infected Excel spreadsheet, the virus will set the security level to low and exports its code to Evade.gif in the windows SYSTEM directory. This file is detected as VBA/Generic.src. It will save itself as Personal.xls in the XLStart directory. This file is detected as X97M/Generic@MM.

The virus will then send an email to all in the Outlook Addresslist with one of the following subject lines:

  • Here is that file
  • Important file
  • The file
  • Excel file
  • [infected Spreadsheet] name
  • The file you wanted
  • Here is the file
  • Body: The file I am sending you is confidential as well as important; so don't let anyone else have a copy.
  • Attachment: Infected Spreadsheet

The following is an example of how the email may appear:

The virus will edit the registry key to execute the virus upon windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Winstart="Wscript.exe [windows SYSTEM directory]\Winstart.vbs %1"

When the file Winstart.vbs is executed, the virus will copy itself to the following locations in the windows directory:

  • Netlnk32.vbs
  • Conversation.vbe
and in the windows SYSTEM directory
  • Winstart.vbs
  • Wininst32.vbs
  • Winnt32.vbs
  • Winnet32.vbs

The virus will append its code to all VBS and VBE files found on the Hard drive and Network drives. It will also propagate through Peer to Peer applications by searching for the following directories:

  • C:\Kazaa\My Shared Folder
  • C:\My Downloads
  • [Program files directory]\Kazaa\My Shared Folder
  • [Program files directory]\KaZaA Lite\My Shared Folder
  • [Program files directory]\Bearshare\Shared
  • [Program files directory]\Edonkey2000
  • [Program files directory]\Morpheus\My Shared Folder
  • [Program files directory]\Grokster\My Grokster
  • [Program files directory]\ICQ\Shared Files
and infecting all files with the following extension. It will add a .vbs extension to these also:
  • mp3
  • mp2
  • avi
  • mpg
  • mpeg
  • mpe
  • mov
  • pdf
  • doc
  • xls
  • mdb
  • ppt
  • pps

Symptoms

The presence of the file Winstart.vbs in the windows SYSTEM directory.

Method of Infection

Opening an infected document or spreadsheet will infect the local system and all documents and spreadsheets opened thereafter.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

United States - English