Virus:VBS/FriendMess.B is a VBScript virus. It spreads by infecting certain files, and by sending out copies of itself via email and mIRC.
Installation
Upon execution, Virus:VBS/FriendMess.B drops the following copies of itself in the system:
- <system folder>\Very Funny.vbs
- <system folder>\MSKernel32.vbs
- %windir%\Win32Dll.vbs
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also modifies the system registry to allow it to run every time Windows starts:
Adds value: "MSKernel32"
With data: "<system folder>\MSKernel32.vbs"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Win32DLL"
With data: "%windir%\Win32DLL.vbs"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
FriendMess.B also modifies the following registry keys as part of its installation process:
Adds value: "Timeout"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows Scripting Host\Settings
Adds value: "Download Directory"
With data: "c:\"
To subkey: HKCU\Software\Microsoft\Internet Explorer
Spreads Via...
File Infection
Virus:VBS/FriendMess.B spreads by infecting files with the following extensions:
- vbs
- vbe
- js
- jse
- css
- wsh
- sct
- hta
- jpg
- jpeg
- mp2
- mp3
Email
FriendMess.B retrieves addresses from the Windows Address Book (WAB) and attempts to send itself as an email attachment to every contact it finds. The email message it sends has the following details:
Subject: "fwd: Joke"
Attachment file name: "Very Funny.VBS"
Message body: "simple but I think this is good..."
mIRC
FriendMess.B attempts to send itself out as the file "Very Funny.html" to all of the user's contacts via mIRC.
Payload
Downloads Arbitrary Files
FriendMess.B modifies the Internet Explorer home page to point to an executable file hosted on "skyinet.net", so that when the user opens a browser the file may be downloaded and run on the system. To do this, it makes the following registry modification:
Modifies value: "Start Page"
With data: "http://www.skyinet.net/<removed>/<removed>.exe"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
It may also modify the Internet Home Page to be blank.
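The registry indicators listed in the Installation and Payload sections above are what a responder would check first on a suspect host. The following script is an added example (not part of the original advisory): it parses registry data in the text format written by `reg export`, flags the Run/RunServices values that launch the dropped `.vbs` copies, the Windows Scripting Host `Timeout` of 0, the Internet Explorer `Download Directory` of `c:\`, and a `Start Page` pointing at skyinet.net or an `.exe`, and checks a list of file paths for the dropped copies. The `.reg` text below is constructed sample input, and `REMOVED` in the URL is a placeholder for the path the advisory withholds.

```python
"""Hunt for VBS/FriendMess.B registry and file indicators (added example).

Parses `.reg` export text (REG_SZ and DWORD values only) and reports the
persistence and payload entries the advisory describes. Input is supplied
by the caller so the check runs offline and can be pointed at an export
taken from a suspect host.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample in `reg export` format; not captured from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\Windows\\System32\\MSKernel32.vbs"
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\Windows\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"="0"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"Download Directory"="c:\\"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/REMOVED/REMOVED.exe"
"""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
WSH_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings"
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
IE_MAIN_KEY = IE_KEY + r"\Main"
# File names the advisory lists as dropped copies (compared case-insensitively).
DROPPED_NAMES = {"very funny.vbs", "mskernel32.vbs", "win32dll.vbs"}

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey (lower-cased): {value name: data}} from .reg text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            if m.group(2) is not None:
                # REG_SZ: undo the escaping `reg export` applies to \ and "
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            else:
                data = str(int(m.group(3), 16))  # DWORD rendered as decimal text
            keys[current][m.group(1)] = data
    return keys


def _values(keys: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    return keys.get(path.lower(), {})


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one description per FriendMess.B registry indicator found."""
    hits: List[str] = []
    for key in RUN_KEYS:
        for name, data in _values(keys, key).items():
            base = data.rsplit("\\", 1)[-1].lower()
            # Any .vbs launched from an autorun key is worth a look; the
            # advisory's own file names are a direct match.
            if base in DROPPED_NAMES or base.endswith(".vbs"):
                hits.append(f"autorun {key}\\{name} -> {data}")
    if _values(keys, WSH_KEY).get("Timeout") == "0":
        hits.append("WSH Timeout=0 (host never terminates a long-running script)")
    if _values(keys, IE_KEY).get("Download Directory", "").lower().rstrip("\\") == "c:":
        hits.append("IE Download Directory forced to c:\\")
    start = _values(keys, IE_MAIN_KEY).get("Start Page", "")
    if "skyinet.net" in start.lower() or start.lower().endswith(".exe"):
        hits.append(f"IE Start Page points at an executable download: {start}")
    return hits


def find_dropped_files(existing_paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name matches one of the dropped copies."""
    return sorted(p for p in existing_paths
                  if p.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES)


if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

On a live Windows host the same functions can be fed the output of `reg export` for each of the listed subkeys and a directory listing of `%windir%` and the system folder; the sample above exists only so the checks run without an infected machine.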
Analysis by Hong Jia