VBS.Illen/mypicture.bmp.vbs

Detected as: VBS.Illen
Known Variants: VBS.Illen.B
Infection Length: 34,110 bytes
Area of Infection: .VBS Files
Likelihood: Rare
Region Reported: US
Characteristics: Trojan, Worm, Trigger

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.

Description

VBS.Illen combines features of both a virus and a worm, and acts as a trojan dropper. The Windows Scripting Host (WSH) is required for this virus to replicate. WSH is packaged with Windows 98 and Internet Explorer 5, or can be downloaded from Microsoft's web site and installed on Windows 95. This Visual Basic Script virus begins by copying itself to the following locations:

c:\windows\system\MyPicture.bmp.vbs
c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs
c:\My Documents\MyPicture.bmp.vbs
c:\MyPicture.bmp.vbs
Then, the virus overwrites any ".VBS" file in the following directories with its viral code:

c:\
c:\My Documents\
c:\Windows\
c:\windows\samples\wsh\
If mIRC is installed on the target computer, the virus modifies c:\mirc\script.ini and c:\mirc\mirc.ini so that, upon connection to IRC, the virus writer is notified of the infected computer's IP address (presumably for use with the trojan program). When joining an IRC channel, the virus tries to send itself to all users in that channel.

Next, the virus modifies the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLoad
adding the value, c:\windows\system\MyPicture.bmp.vbs.

A text file named c:\Millennium.NFO is then created in the root directory of drive C:\. Finally, a packed version of the trojan program Backdoor.TheThing.c is dropped as "FIX.EXE". A batch file launches the trojan program, which then copies itself to the Windows folder as c:\windows\explor.exe. The trojan program then modifies the [boot] section of c:\windows\system.ini, replacing the line:

shell=explorer.exe
with the line:

shell=explorer.exe explor.exe
This ensures the trojan program will be run anytime a new shell process is created. The trojan program could allow unauthorized users to have remote access to the infected PC.

Payload

On the 31st of December, the virus will modify the following registry keys with the corresponding values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Millennium 0.4b
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = uNF
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductName = Winblows 2000
Also, on the 31st, c:\autoexec.bat will be overwritten with a text message and the following dialog box will be displayed:


Variants

The variant VBS.Illen.B is similar to VBS.Illen as described above: it replicates to the same files in the same directories. However, it stops execution at the point where it modifies the c:\mirc\mirc.ini file.

Repair Notes

Infected users should:

Delete all files detected as VBS.Illen or Backdoor.TheThing.c
Restore any .VBS files from a clean backup
Restore c:\mirc\script.ini and c:\mirc\mirc.ini from a clean backup
Delete the c:\...\MyPicture.bmp.vbs value from the HKLM...\RunServices\WinLoad registry key.
Restore the Registry entries modified on December 31st to their correct values (if applicable)
Restore c:\autoexec.bat from a clean backup (if applicable)
Correct the "shell=" line in the [boot] section of c:\windows\system.ini
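The repair steps above can be checked mechanically. The following script is an added example, not a Symantec or Norton tool: it looks for the dropped files, the RunServices\WinLoad persistence value and the December 31st registry values named in this write-up, and repairs the shell= line in the [boot] section of system.ini by removing only the explor.exe token, so that a customised shell line keeps its other entries. The directory listing, registry snapshot and system.ini contents at the bottom are constructed sample input so the script runs offline; on a real machine you would feed it the actual file listing, a .reg export and c:\windows\system.ini.

```python
"""Indicator check and system.ini repair for the VBS.Illen /
Backdoor.TheThing.c write-up. Added example, not Symantec's or Norton's
own tool. Paths, registry names and values come from the description;
the sample listing, registry snapshot and system.ini are constructed."""
import re

# Files the description says are dropped or created.
DROPPED_FILES = [
    r"c:\windows\system\MyPicture.bmp.vbs",
    r"c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs",
    r"c:\My Documents\MyPicture.bmp.vbs",
    r"c:\MyPicture.bmp.vbs",
    r"c:\Millennium.NFO",
    r"c:\windows\explor.exe",
]

CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
RUNSERVICES_KEY = CURRENT_VERSION + r"\RunServices"
# Values the December 31st payload writes (from the Payload section).
PAYLOAD_VALUES = {
    "RegisteredOwner": "Millennium 0.4b",
    "RegisteredOrganization": "uNF",
    "ProductName": "Winblows 2000",
}
TROJAN_SHELL_TOKEN = "explor.exe"  # appended to shell= in [boot]


def find_dropped_files(existing_paths):
    """Return the dropped-file paths present in `existing_paths`.
    Comparison is case-insensitive, as Windows file names are."""
    present = {p.lower() for p in existing_paths}
    return [p for p in DROPPED_FILES if p.lower() in present]


def check_registry(registry):
    """`registry` maps (key_path, value_name) -> string data, as read from
    a .reg export. Returns findings: the RunServices\\WinLoad persistence
    entry if it points at the dropped script, plus any CurrentVersion value
    still holding the payload's text."""
    findings = []
    winload = registry.get((RUNSERVICES_KEY, "WinLoad"))
    if winload and winload.lower().endswith("mypicture.bmp.vbs"):
        findings.append(("RunServices\\WinLoad", winload))
    for name, payload in PAYLOAD_VALUES.items():
        if registry.get((CURRENT_VERSION, name)) == payload:
            findings.append((name, payload))
    return findings


def fix_boot_shell(system_ini_text):
    """Remove the trojan token from the shell= line of the [boot] section.
    Returns (repaired_text, was_modified). Other sections and lines pass
    through untouched; a shell= line outside [boot] is left alone."""
    out, section, modified = [], None, False
    for line in system_ini_text.splitlines():
        stripped = line.strip()
        header = re.match(r"^\[(.+)\]$", stripped)
        if header:
            section = header.group(1).lower()
        elif section == "boot" and re.match(r"(?i)^shell\s*=", stripped):
            key, _, value = stripped.partition("=")
            tokens = value.split()
            kept = [t for t in tokens if t.lower() != TROJAN_SHELL_TOKEN]
            if len(kept) != len(tokens):
                modified = True
                line = f"{key.strip()}={' '.join(kept)}"
        out.append(line)
    repaired = "\n".join(out)
    if system_ini_text.endswith("\n"):
        repaired += "\n"
    return repaired, modified


# Constructed sample input (not taken from a real machine).
SAMPLE_FILES = [r"C:\MyPicture.bmp.vbs", r"C:\Windows\explor.exe", r"C:\autoexec.bat"]
SAMPLE_REGISTRY = {
    (RUNSERVICES_KEY, "WinLoad"): r"c:\windows\system\MyPicture.bmp.vbs",
    (CURRENT_VERSION, "RegisteredOwner"): "Millennium 0.4b",
    (CURRENT_VERSION, "ProductName"): "Microsoft Windows 98",
}
SAMPLE_SYSTEM_INI = (
    "[boot]\nshell=explorer.exe explor.exe\ndrivers=mmsystem.dll\n\n"
    "[386Enh]\ndevice=*vmm\n"
)


def scan(paths=SAMPLE_FILES, registry=SAMPLE_REGISTRY, system_ini=SAMPLE_SYSTEM_INI):
    """Run all three checks and return a summary dict."""
    repaired, modified = fix_boot_shell(system_ini)
    return {
        "files": find_dropped_files(paths),
        "registry": check_registry(registry),
        "shell_line_modified": modified,
        "repaired_system_ini": repaired,
    }


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{name}: {result!r}")
```

Note that the script only reports and repairs what this write-up names; any .VBS files overwritten by the virus and the mIRC .ini files still have to be restored from a clean backup, as the repair notes say.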