McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

VBS/Shuker

This page shows details and results of our analysis on the malware VBS/Shuker

Threat Detail

Malware Type: Trojan

Malware Sub-type: VbScript

Discovery Date: 2004-01-24

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4321 (2004-01-29)

Updated DAT

4317 (2004-01-21)

 Minimum Engine

5.1.00

File Length

2,590 Bytes

 Description Added

2004-03-19

Description Modified

2004-04-01

Malware Proliferation

Characteristics

On executing this VBScript, the trojan will create the files c:\message.txt and C:\virus.html .  These file contains the following message:

  YOURE COMPUTER HAS BEEN INFECTED
 PLEASE PANIC THIS IS NO A DRILL
YOU SHOULD BE MORE CAREFUL WHEN SURFING THE NET
 THIS MESSAGE WAS BROUGHT TO YOU BY ***
 IF YOU WANT TO GET RID OF THIS VIRUS FORMAT YOU HARD DRIVE

It will also create the file C:\shut.bat .  This file, when executed, will exit windows.  The trojan will also attempt to delete the following registry keys:

  • HKEY_CLASSES_ROOT\.doc\
  • HKEY_CLASSES_ROOT\.txt\
  • HKEY_CLASSES_ROOT\.bat\
  • HKEY_CLASSES_ROOT\.zip\
  • HKEY_CLASSES_ROOT\.exe\
  • HKEY_CLASSES_ROOT\.html\
  • HKEY_CLASSES_ROOT\.vbs\
  • HKEY_CLASSES_ROOT\.dll\
  • HKEY_CLASSES_ROOT\.sys\
  • HKEY_CLASSES_ROOT\.log\
  • HKEY_CLASSES_ROOT\.*

Symptoms

The presence of the files C:\message.txt, C:\virus.html and C:\shut.bat.

Method of Infection

Executing the trojan VBScript.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

United States - English