Threat behavior
Worm:VBS/VBSWGbased.gen is a detection for generic script code that is known to be automatically generated by a malware tool.
A virus with this detection copies itself to various locations in the system, such as the Windows Startup folder, the Windows folder, and so on. It also create autostart entries in the system registry so that they are automatically run every time Windows starts up.
It can spread via email. It sends an email containing a virus copy to all contacts in a user's Microsoft Outlook account using a predefined format for the subject, body, and attachment. For example, a particular variant is known to send out a copy of itself as an attachment with the file name AnnaKournikova.jpg.vbs, enticing a recipient to open the email using social engineering techniques.
It can also spread by infecting VBS files found in the system.
More recent variants may also the ability to copy themselves to other drives in the system, such as USB drives, along with the file autorun.inf, which may allow the virus copy to automatically run when the drive is accessed.
As payload, it alters script files for mIRC or PIRCH programs so that a copy is automatically sent to other users when the chat program is run. Depending on the variant, it may also execute a specific payload, such as displaying a message on a certain date, or altering the Internet Explorer home page.
Later variants of this virus are encrypted in an attempt to bypass detection by antivirus products.
Analysis by Patrik Vicol
Prevention