VBS/Guorm - VBS script virus

See also

Full description

Alias:	VBS/Gorum.a
Type:	Worm
Size:	~
Origin:
Date:	05-31-2000
Damage:	Sent by email.
VDF Version:	6.20.00.00
Danger:	Medium
Distribution:	Medium

DistributionThe worm sends itself to all addresses found in Outlook. If Outlook 2000 is installed, the virus sends the following email:

Subject:
You know what it is. ;-P

Body:
Check it out!

Attachment name- formed out of the following text strings:

links
cool
funny
anti-loveletter
guorm
pot
win2k
icq2k
money
funnypic.jpg
quake
Year2K
Mirc2K
Word2001
FunStuff
WindowsMe

extensions:

.vbs
.vbe
.txt.vbs
.jpg.vbs
.avi.vbs
.scr.vbs

Technical DetailsThe VB script multiplies itself as winuser.dll and user32.dll.vbs in Windows system directory.
The virus also ensures that the script is run by every system start. The registry entry for this is:

user32=wscript.exe
%Windows-System-Verzeichnis%\user32.dll.vbs % HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then the virus checks if it has been sent by email using Outlook Address Book. This is marked in the registry:

HKCU\software\Guorm, bookmark mailed.

Then the virus scans all drives for mIRC program. In the directories containing the files

mirc.ini
mirc32.exe
mlink32.exe

it replaces and/or creates the file script.ini.
This only happens if the scanning has not been performed before (the bookmark Mirqued in the registry key HKCU\software\Guorm does not exist). Using this ini file, the virus sends itself through IRC.

See a brief description here.

Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back