http://web.icq.com

VBS.Lisa.A@mm, VBS.CharleneThis Visual Basic Script (VBScript) worm infects files with VBS and VBE extensions in all drives of an infected system. It propagates through Microsoft Outlook, Kazaa, and mIRC as an HTML-based email message with the following details: 

To: <recipient’s address> 
Subject: Click YES and vote against war! 

This email message does not have an attachment since this VBScript worm is embedded as a script in the body of the email. The email is sent to all recipients in Microsoft Outlook Address Book of the infected system. 

This worm also deletes .DOC files and certain critical system files such as WIN.COM and REGEDIT.EXE. In addition, it creates up to 5,000 folders and non-malicious text files, thus downgrading the computer’s performance. Additionally, this malware hides the desktop icons of the computer and formats the drive C of computers running on Windows 98 or ME. 

This VBScript file infector worm runs on Windows platforms that supports the Windows Scripting Host.

Payloads:

Hides desktop icons 
Deletes Files Deletes REGEDIT.EXE from the Windows directory 
Creates 5,000 folders and non-malicious files on drive C 
Deletes Files Deletes .DOC files in all drives of the infected system 
Deletes Files Deletes other critical files from the Windows directory 
Formats Hard Disk Formats drive C of systems running on Windows 98 or ME 

VBS component – 17,370 Bytes; HTM component – 29,274 Bytes 

Installation 

Upon execution, this Visual Basic Script (VBScript) worm creates a copy of itself in the Windows folder using a random seven-character file name, e.g. QWPYSWX.vbs: 

%Windows%\<Random filename>.vbs 

* Where %Windows% refers to your Windows folder which by default is C:\Windows for Windows 95, ME and XP systems and C:\WINNT for Windows NT and 2000 systems. Whereas, <Random filename> refers to the random seven characters generated by the worm for its file name. 

Then, it creates an autorun entry in the registry to ensure its automatic execution at every Windows startup: 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
<Random filename> = "wscript.exe %WINDOWS%\<Random filename>.vbs %" 

Aside from this, it also creates the registry entry below and automatically increments the value on each infection: 

HKEY_CLASSES_ROOT\Lisa\InfectionDate
Date = 0 

Email Propagation 

This VBScript worm searches for email addresses in Outlook’s Address Book and sends an HTML–based email message to each of these recipients using Outlook’s Mail Application Programming Interface (MAPI). The HTML-based email message has the following characteristics: 

To: <recipient’s address> 
Subject: Click YES and vote against war! 

The email message does not have an attachment as this worm embeds itself as a script in the body of the email. 

The malware is triggered when the recipient opens the email, and it initially displays this warning message: 

Some software (ActiveX controls) on this page might be unsafe. It is recommended that you not run it. Do you want to allow it to run? 

If the recipient clicks No, the following text will appear in the message body of the email and the worm terminates its execution: 

For voting against war, please open this message again and click yes! It´s very important! Thank you! 

Otherwise, if the recipient clicks Yes, the following text appears in the message body and the worm then proceeds in executing its malicious codes: 

Thank you for voting against war. We will now send an EMail for you to Mr. Bush 

In addition, this VBScript worm adds the following registry entries so that the email sending routine is performed only once: 

HKEY_LOCAL_MACHINE\Software\CLASSES\Lisa\Mail
Send = 00000001 

HKEY_CLASSES_ROOT\Lisa\Mail
Send = 00000001 


IRC Propagation 

This worm also spreads through Internet Relay Chat (IRC). It searches for the mIRC application in all drives of the infected system. If it finds the application, it drops a malicious SCRIPT.INI file in the same path of mIRC. This is used to facilitate the propagation of the worm via IRC. Trend Micro detects this malicious SCRIPT.INI file as IRC_LISA.C. 

Kazaa Propagation 

This malware is also capable of spreading using Kazaa, a peer-to-peer file sharing network. It retrieves the default download folder of Kazaa by querying the registry entry: 

HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DownloadDir 

and drops following files in the default Kazaa download folder (Note the double extensions of the files): 

Silvia Saint Gangbang.avi.vbs 
Britney Spears nude.jpg.vbs 
Christina Aguilera Nipple.jpg.vbs 
Lolita.jpg.vbs 
Madonna - Song.mp3.vbs 
Jennifer Lopez.mp3.vbs 
This enables copies of the VBScript worm to be easily available for download to other Kazaa users. 

File Infection 

In addition, this VBScript worm also searches for files with VBS and VBE extensions in all drives of the infected system and infects them by appending its malicious code. 

Payload 

This malware creates up to 5,000 randomly named folders in drive C upon execution. It also creates a non-malicious text file in each of the folders that contains the string: 

I will never stop loving you 

Additionally, it deletes the file, REGEDIT.EXE from the Windows directory, as well as all .DOC files in all drives. 

Moreover, it also hides the desktop icons upon execution by setting the value of the registry entry: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 
NoDesktop = “00000001” 

If the computer has been infected by the worm for more than three days, the worm deletes the following files: 

%Windows%\user.dat 
%Windows%\user.bak 
%Windows%\system.dat 
%Windows%\system.bak 
%Windows%\win.com 
Finally, it checks for the C:\Autoexec.bat file and appends batch file commands that formats drive C drive C of computers running on Windows 98 or ME on the next Windows startup. 

Other Details 

This worm is written in Visual Basic Script and works in Windows platforms that supports Windows Scripting Host such as Windows 98, ME, 2000 and XP.