Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



23 March 2001
13 February 2007

VBS.Angel@mm is a worm written in the Visual Basic scripting language. However, this worm also includes a 1122-byte variant of W95.CIH . When the worm is executed, it emails everyone in the Microsoft Outlook address book. It also creates and executes a file containing the virus W95.CIH . This variant of W95.CIH contains the payload that will damage the CMOS.

NOTE: Definitions prior to the March 23, 2001, detect the worm as VBS.Rewind.A@mm, and the W95.CIH variant is detected as Bloodhound.W32.EP.

There are several comments inside the worm that points to show that the country of origin for the worm is Brazil.

Precautions that you can take
VBS.Angel@mm, like many other worms, is written in the Visual Basic Scripting language.
  • If you are using Norton AntiVirus 2001, a free program update is available that includes Script Blocking is available.Please run LiveUpdate to obtain this.
  • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.

Antivirus Protection Dates

  • Initial Rapid Release version 23 March 2001
  • Latest Rapid Release version 08 August 2016 revision 023
  • Initial Daily Certified version 23 March 2001
  • Latest Daily Certified version 09 August 2016 revision 001
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When VBS.Angel@mm is executed for the first time, it does the following:
  1. It copies itself to the Windows temp folder, usually C:\Windows\Temp, as T4umhf5.vbs.
  2. It creates and then executes the file Ale32.exe. This file contains a 1122-byte variant of the virus W95.CIH. This infects the computer with W95.CIH.

    NOTE: This file will not execute under Windows NT/2000.
  3. Next, it adds the value


    to the following registry key:


    This causes the worm to be executed every time that Windows starts.

The worm does not check whether it has already emailed everyone in the Microsoft Outlook address book. Therefore, every time that the computer is restarted, the worm will email everyone in the Microsoft Outlook address book. The contents of the email message that this worm sends are:

Subject: Read the true history on Angelina Julie


Your life
Your work
Your lovers

Attachment: AngelinaJulie.txt.vbs.

To remove the worm:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
  3. If any files are detected as infected by W95.CIH, click Repair.
  4. Delete any files detected as VBS.Angel@mm.

Writeup By: Neal Hindocha