VBS/Prune.a@MM

This threat is detected as VBS/Carnival.gen@MM. The virus will copy itself as UN_Interview.txt.vbs in the hard coded directory C:\WINDOWS and C:\WINDOWS\All Users\Start Menu\Programs\StartUp. The virus will then send an email out to all in Outlook Addresslist with the following characteristics:

• Subject : US Goverment Material - Iraq Crisis
• Attachment : UN_Interview.txt.vbs

VBS/Prune.a@MM will map all IP addresses from 128.95.188.0 to 128.95.188.255 to a remote drive as T:   If connected, the worm will copy itself as T:\WINDOWS\All Users\Start Menu\Programs\StartUp\UN_Interview.TXT.vbs, T:\UN_Interview.TXT.vbs and T:\auto.vbs. It will create HCKD.txt which contains IP address that the worm attempted to connect to.

The worm will drop peach.jpg into the Windows TEMP directory. It will then display it:

If day is 1st of month, the virus will copy itself as the following:

• C:\UNZIPPED\DAMN_SOURCE.MPEG
• C:\WINDOWS\DESKTOP\F*CK_FESTIVAL.WMV
• C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX.WMV
• C:\WINDOWS\DESKTOP\COCK_DEEP-SEX.MPG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM2.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM5.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM7.MP3
• C:\WINDOWS\DESKTOP\www.SEX-MOVIES.MPEG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM.MP3
• C:\UNZIPPED\DAMN_SOURCE2.MPEG
• C:\WINDOWS\DESKTOP\F*CK_FESTIVAL2.WMV
• C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX2.WMV
• C:\WINDOWS\DESKTOP\COCK_DEEP-SEX2.MPG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM2.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM22.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM52.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM72.MP3
• C:\WINDOWS\DESKTOP\www.SEX-MOVIES2.MPEG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM233.MP3
• C:\UNZIPPED\DAMN_SOURCE33.MPEG
• C:\WINDOWS\DESKTOP\F*CK_FESTIVAL33.WMV
• C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX33.WMV
• C:\WINDOWS\DESKTOP\COCK_DEEP-SEX33.MPG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM33.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM33.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM33.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM33.MP3
• C:\WINDOWS\DESKTOP\www.SEX-MOVIES33.MPEG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM33.MP3
• C:\WINDOWS\DESKTOP\F*CK_FESTIVAL3553.WMV
• C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX3553.WMV
• C:\WINDOWS\DESKTOP\COCK_DEEP-SEX3553.MPG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM3553.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM3553.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM3553.MP3
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM3553.MP3
• C:\WINDOWS\DESKTOP\www.SEX-MOVIES3553.MPEG
• C:\WINDOWS\DESKTOP\C*NT-EAT-CUM3553.MP3

If day is 1st, 2nd, 3rd, 4th or 5th of month, the virus will attempt to erase files from the root directory, windows directory or the windows SYSTEM directory. On the 5th of any month, it will also display the following message:

Arrives as email attachment UN_Interview.txt.vbs. Executing this file will infect the system.

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.