VBS/Dismissed.A
• Detected by virus detection files published: 12/20/2001
• Virus characteristics first published: 12/20/2001
• Virus characteristics latest update: 12/17/2003
• Alias: VBS/Maldal.C
• Infection type: Microsoft Visual Basic Script
• Type: Virus
• Spreading mechanism: Network, Webpage, IRC, File Infection
• Overall risk: Low
• Payload: File deletion
This is a script virus whose distribution is aided by the W32/Maldal.C worm. The Maldal worm sets the Internet Explorer home page to point to an infectious page on Geocities. This home page contains a JavaScript that will attempt to plant and run a malicious Visual Basic script virus, VBS/Dismissed, on the user's hard disk. This page is now down, so further infection should be stopped.

The script is placed in the root directory under the name ROL.VBS, and will:

- Set the start page of Internet Explorer to a different site.
- Copy itself to the Windows directory as Zacker.vbs.
- Create Dalal.HTM in the Windows directory. This file contains only a reference to the original home page on Geocities.
- Delete files from a number of antivirus installations.
- Copy ZACKER.VBS and DALAL.HTM to the root directory of available network drives under the names SERVER.VBS and DALLAH.HTM, respectively.
- Look for ASP, HTM and HTML files and append a reference to the infectious web site.
- Look for LNK, ZIP, JPG, JPEG, MPG, MPEG, DOC, XLS, MDB, TXT, PPT, PPS, RAM, RM, MP3 and SWF files and create a copy of Zacker.vbs under the same name, but with an appended .VBS extension. So, if you have a file called FILE.ZIP, you will get an infectious copy called FILE.ZIP.VBS. The original file will be deleted. This can cause a lot of destruction.
- If it finds a file called MIRC.INI, it will overwrite all INI files in that directory with a small string that will advertise the infectious URL every time the user is on IRC.
- Depending on a semi-random value, it will attempt to delete all files in the Windows directory and its subfolders. It then will display a messagebox containing antisemitic text, and reboot the machine.

Some of this functionality seems to be somewhat buggy and may not work properly.
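A triage check for the file-system traces listed above, added here as an example and not part of the original description: it flags the dropped file names and the `<name>.<ext>.VBS` copies, and notes when the original file is gone. The function names, reason labels and the sample directory in `demo()` are constructed for illustration, and a name match alone is a heuristic, not proof of infection.

```python
import os
import tempfile

# File types the write-up says are replaced by "<name>.<ext>.VBS" copies.
TARGET_EXTS = {"lnk", "zip", "jpg", "jpeg", "mpg", "mpeg", "doc", "xls", "mdb",
               "txt", "ppt", "pps", "ram", "rm", "mp3", "swf"}
# File names the write-up says the script drops (compared case-insensitively).
DROPPED_NAMES = {"rol.vbs", "zacker.vbs", "dalal.htm", "server.vbs", "dallah.htm"}


def scan(root):
    """Return sorted (reason, path) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in DROPPED_NAMES:
                findings.append(("dropped-name", path))
            parts = lower.split(".")
            # e.g. FILE.ZIP.VBS -> ["file", "zip", "vbs"]
            if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in TARGET_EXTS:
                # The original is deleted after the copy is made, so a missing
                # sibling (FILE.ZIP) is the stronger signal.
                original = lower[:-len(".vbs")]
                reason = ("double-ext" if original in present
                          else "double-ext-original-missing")
                findings.append((reason, path))
    return sorted(findings)


def demo():
    """Build a constructed directory of empty sample files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("FILE.ZIP.VBS", "notes.txt", "notes.txt.vbs",
                     "Zacker.vbs", "report.doc", "build.vbs"):
            open(os.path.join(root, name), "w").close()
        return [(reason, os.path.basename(p)) for reason, p in scan(root)]


if __name__ == "__main__":
    for reason, name in demo():
        print(f"{reason:30} {name}")
```

A `double-ext-original-missing` hit means the data file itself has to come from backup; deleting the `.VBS` copy does not bring it back.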