Classification

Category :

Malware

Type :

Worm

Aliases :

Fool, MyPicture, Illen, The Thing

Summary

VBS/Fool is a VBScript worm that spreads itself through the mIRC client by sending a copy of its script file to users who join the same channel as an infected user.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Fool.A

When the worm is executed it copies itself to the following locations:

c:\windows\system\MyPicture.bmp.vbs

c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs

c:\My Documents\MyPicture.bmp.vbs

c:\MyPicture.bmp.vbs

Then it overwrites every .VBS file in the following directories with a copy of itself:

c:\

c:\windows

c:\my documents

c:\windows\samples\wsh

Then it replaces both the "script.ini" and "mirc.ini" files in the "c:\mirc" directory. When another user joins the same IRC channel as the infected user, the worm sends itself to that user. The message it sends looks like this:

Hi. (server) (port) (ip address) (os) (time) (date) (channel name) it's been (time) since my last reboot! Mil0.4b

and it sends the file "MyPicture.bmp.vbs".

Then the worm adds the following registry key, which starts the worm on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLoad

After that the worm creates a text file, "c:\Millennium.NFO", that contains the text below:

Millennium 0.4b - mIRC/vBS

Fear the Millennium

On December 31st the payload activates. It shows a message box:

Happy New Year!

and changes the registered owner to "Millennium 0.4b", the registered organization to "uNF" and the product name to "Winblows 2000".

Then it replaces the "autoexec.bat" file. When the system is restarted, it shows a message:

Your Computer is NOT Y2K Complient!

Sorry For this Inconvenience

Millennium 0.4b

Finally this variant drops several files ("fix.txt", "fix.hex", "fix.bat", "lcoder.hex" and "short.src") to the current directory. Then the worm executes the "fix.bat" file.

The FIX.BAT file is a batch file that uses the standard DEBUG.EXE utility to create a binary from the Assembly source code file SHORT.SRC. Then the created SHORT.COM file is run. This file decodes the LOADER.HEX file into a binary LOADER.EXE. Then the LOADER.EXE is run and it processes the FIX.TXT file that instructs it to decode FIX.HEX into a binary FIX.EXE. Then the FIX.EXE is run and all dropped files are deleted.

The FIX.EXE file is a backdoor server (a hacker's remote access tool) called 'the tHing v1.6'. The backdoor's executable is compressed with the UPX file compressor. When run, the backdoor installs itself to the system: it copies itself as EXPLOR.EXE into the Windows directory and modifies the SYSTEM.INI file so that it is run during each Windows session. The backdoor appends its execution string to the 'shell=explorer.exe' line.

When the backdoor is activated, it notifies its author that the victim is online using the WWPMsg.dll library; the message sent is 'Victim is ONLINE'. The backdoor then provides limited access to the infected system for a hacker who has the matching client part of this backdoor. It should be noted that the backdoor server is password-protected, so it accepts connections only from a client that supplies the correct password.

Variant: Fool.GSeason

This variant contains the following comments at the start of its code:

'tHiS iS jUsT a BaCtErIa

'It wILL oNlI sPrEad~~

'Dun Worry

'Bacteria Grown By fox

When the worm is executed, it copies itself to:

C:\Windows\Important.txt.vbs

C:\Important.txt.vbs

C:\Windows\System\Important.txt.vbs

C:\My Documents\Important.txt.vbs

Next VBS/Fool.G shows a message box:

This is a very important message from Bill Gates

New Virus Will be out this season, look out for it!!

The worm overwrites "c:\autoexec.bat" so that, on the next restart, files with the following extensions are deleted from the "C:\My Documents" directory: ".txt", ".mp3", ".bmp", ".jpg", ".gif", ".zip", ".exe" and ".wav". The following text is also displayed when the system is restarted:

Important Message!!

Message From Bill Gates

New viruses is out this season!!!

Look Out!!!

VBS/Fool.G uses mIRC to send itself, under the file name "important.txt.vbs", when an infected user joins a channel.

Next the worm drops a script into the Windows startup directory as "SpreadByADrive.txt.vbs". When the system is restarted, this script attempts to copy the worm to "A:\important.txt.vbs".

Finally it creates a text file on the desktop named "ImportantMessage.txt". The file contains the following text:

Message From Bill Gates

Please be alert that there will be new virus be out this season

Please Look Out!!!

Pass this message to other people

The worm also displays a message box:

There will be a text file on your desktop

Please Read Carefully
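The following is an added example, not F-Secure's own code: a small checker that turns the host indicators described for both variants (Fool.A's drop files, RunServices value and the backdoor's SYSTEM.INI shell= modification, and Fool.G's drop files) into a detection routine run over a constructed inventory. It assumes Fool.G's SpreadByADrive.txt.vbs lands in the same startup folder Fool.A uses.

```python
# Added example, not F-Secure's code: a checker for the host indicators listed
# above for VBS/Fool.A and VBS/Fool.G. It parses a Windows 9x SYSTEM.INI [boot]
# section for a shell= line that runs more than explorer.exe (the backdoor's
# persistence) and matches an inventory of observed file paths and registry
# values against the drop locations and key named in the description.
DROP_PATHS = {
    # VBS/Fool.A
    r"c:\windows\system\mypicture.bmp.vbs",
    r"c:\windows\start menu\programs\startup\rundll.vbs",
    r"c:\my documents\mypicture.bmp.vbs",
    r"c:\mypicture.bmp.vbs",
    r"c:\millennium.nfo",
    r"c:\windows\explor.exe",  # 'the tHing' backdoor copy
    # VBS/Fool.G (startup folder assumed to be the one Fool.A uses)
    r"c:\windows\important.txt.vbs",
    r"c:\important.txt.vbs",
    r"c:\windows\system\important.txt.vbs",
    r"c:\my documents\important.txt.vbs",
    r"c:\windows\start menu\programs\startup\spreadbyadrive.txt.vbs",
}
RUNSERVICES_VALUE = r"hklm\software\microsoft\windows\currentversion\runservices\winload"

def shell_line_extra(system_ini):
    """Programs a SYSTEM.INI [boot] shell= line runs besides explorer.exe."""
    in_boot = False
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
        elif in_boot and line.lower().startswith("shell="):
            return [p for p in line[6:].split() if p.lower() != "explorer.exe"]
    return []

def check_host(system_ini, present_paths, registry_values):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    extra = shell_line_extra(system_ini)
    if extra:
        findings.append("system.ini shell= also runs: " + " ".join(extra))
    findings += ["drop file present: " + p for p in present_paths if p.lower() in DROP_PATHS]
    findings += ["RunServices value present: " + v for v in registry_values
                 if v.lower() == RUNSERVICES_VALUE]
    return findings

# Constructed sample inventory from a host infected the way the text describes.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\EXPLOR.EXE\n[386Enh]\n"
SAMPLE_PATHS = [r"C:\WINDOWS\EXPLOR.EXE", r"C:\Millennium.NFO", r"C:\WINDOWS\WIN.INI"]
SAMPLE_REGISTRY = [r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLoad"]
```

Calling check_host(SAMPLE_SYSTEM_INI, SAMPLE_PATHS, SAMPLE_REGISTRY) yields four findings for the constructed sample: the extra shell= program, two drop files and the RunServices value.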