VIRUS NAME : VBS/Jord.a
Virus Characteristics
This threat is detected as W32/Trilisa.vbs. The virus copies itself as ORD.doc.vbs, ORD_photo.jpg.vbs and JERRY.vbs to the Windows Font directory. It then edits the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Please...,
\JERRY.vbs"
The virus then checks whether the value of
HKEY_CURRENT_USER\Control Panel\International\iCountry is 34. If it is not, the virus creates the key
"HKEY_LOCAL_MACHINE\Software\Singapore","0". If the value is 34, the virus creates the key
"HKEY_LOCAL_MACHINE\Software\Singapore","1"
If the registry key "HKEY_LOCAL_MACHINE\Software\Singapore" does not equal 1, the virus then proceeds with the damaging payload routine. The following files are deleted from fixed, network, and RAM Disk drives:
*.ace
*.asf
*.asm
*.arj
*.avi
*.bmp
*.doc
*.gb
*.gba
*.gbc
*.gif
*.jpeg
*.jpg
*.js
*.lhz
*.log
*.mdb
*.mid
*.mod
*.mov
*.mp
*.mp2
*.mp3
*.mpeg
*.mpg
*.pdf
*.ppt
*.rar
*.rm
*.rtf
*.smc
*.txt
*.wav
*.wp
*.xls
*.zip
regedit.*
regedb32.*
If the date is the 12th of June, a message is displayed.
Symptoms
The message described above is displayed and the listed files are deleted. The following files are also present in the Windows Font directory:
ORD.doc.vbs, ORD_photo.jpg.vbs and JERRY.vbs
Method Of Infection
Executing one of these files: ORD.doc.vbs, ORD_photo.jpg.vbs or JERRY.vbs
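A host check for the indicators listed under Virus Characteristics and Symptoms, as an added example that is not part of the original description. It assumes the Windows Font directory is %WINDIR%\Fonts and that "Singapore" may be stored either as a value under HKLM\Software or as a key of that name; the function name Get-JordIndicator is hypothetical.

```powershell
# Added example: host check for the VBS/Jord.a indicators described on this page.
# Assumption: the "Windows Font directory" is %WINDIR%\Fonts.
function Get-JordIndicator {
    param([string]$FontDir = (Join-Path $env:WINDIR 'Fonts'))

    $findings = @()

    # 1. Dropped copies named in the description.
    foreach ($name in 'ORD.doc.vbs', 'ORD_photo.jpg.vbs', 'JERRY.vbs') {
        $path = Join-Path $FontDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += "Dropped file: $path"
        }
    }

    # 2. Run-key autostart. The value name is truncated on the page, so match
    #    on the data instead: any Run value whose command references JERRY.vbs.
    $run = Get-Item -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($valueName in $run.GetValueNames()) {
            $data = [string]$run.GetValue($valueName)
            if ($data -match 'JERRY\.vbs') {
                $findings += "Run value '$valueName' -> $data"
            }
        }
    }

    # 3. Locale marker. Assumption: "Singapore" may exist either as a value
    #    under HKLM\Software or as a key of that name with a default value.
    $marker = $null
    $software = Get-Item -LiteralPath 'HKLM:\Software' -ErrorAction SilentlyContinue
    if ($software) { $marker = $software.GetValue('Singapore') }
    if ($null -eq $marker) {
        $key = Get-Item -LiteralPath 'HKLM:\Software\Singapore' -ErrorAction SilentlyContinue
        if ($key) { $marker = [string]$key.GetValue('') }
    }
    if ($null -ne $marker) {
        $findings += "Marker HKLM\Software\Singapore = '$marker'"
    }

    return $findings
}

$result = @(Get-JordIndicator)
if ($result.Count -eq 0) { 'No VBS/Jord.a indicators found.' } else { $result }
```

Per the description above, a marker value other than 1 is the condition under which the file-deletion payload runs, so a marker finding of 0 warrants checking the listed file types for loss.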