Script kiddies have again employed the "build a worm" toolkit Vbswg (a.k.a. the VBS Worm Generator) to release a new email and IRC (Internet Relay Chat) worm that overwrites VBE and VBS files on local and network drives with copies of itself. According to antivirus vendor Sophos, the VBS/VBSWG-AQ email has the following characteristics:
Subject line: Shakira's Pics
Message text:
Hi :
i have sent the photos via attachment
have funn...
Attached file: ShakiraPics.jpg.vbs
If the attachment is opened, it copies itself to the default Windows folder and modifies the registry, adding the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry
so that the worm loads each time Windows is started.
Upon infection, VBS/VBSWG-AQ also emails itself to all addresses contained in the Outlook address book and, if the IRC program mIRC is installed, the worm creates a script.ini file which spreads the worm via Internet Relay Chat as well. (Sophos detects the script.ini file as mIRC/Simp-Fam.)
After spreading via email and mIRC (if available), the worm creates additional registry entries:
HKCU\Software\ShakiraPics\mailed
and
HKCU\Software\ShakiraPics\mirqued
After overwriting files, the worm displays the message:
"You have been infected by the ShakiraPics Worm".
The toolkit used to create this particular worm is the same as was used to create the infamous AnnaKournikova worm which spread rapidly in February 2001.
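The attachment name ShakiraPics.jpg.vbs relies on a harmless-looking extension placed in front of the real script extension. The following mail-triage check is an added example, not code from Sophos or from the original article; it generalizes from this one filename to the double-extension pattern. The function names, the decoy-extension list and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

SCRIPT_EXTS = {".vbs", ".vbe"}    # script types named in the article
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc"}  # assumed list
KNOWN_SUBJECT = "shakira's pics"  # subject line reported for this worm

def deceptive_attachments(msg):
    """Return attachment names shaped like <name>.<decoy ext>.<script ext>."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so normalise before parsing.
        exts = [s.lower() for s in PurePosixPath(name.rstrip(" .")).suffixes]
        if len(exts) >= 2 and exts[-1] in SCRIPT_EXTS and exts[-2] in DECOY_EXTS:
            hits.append(name)
    return hits

def triage(raw_bytes):
    """Parse a raw message and report the two signals separately."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    return {
        "subject_match": subject == KNOWN_SUBJECT,
        "deceptive_attachments": deceptive_attachments(msg),
    }

def sample(subject, filename):
    """Build a constructed test message; the attachment body is inert bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Shakira's Pics", "ShakiraPics.jpg.vbs"),
                        ("Team photo", "offsite.JPG.VBE"),
                        ("Team photo", "offsite.jpg")]:
        print(fname, triage(sample(subj, fname)))
```

The two signals are reported separately so that a gateway rule can act on the filename pattern even when the subject line differs.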