VBS.JongBoy@mm

Discovered: 27 February 2001
Updated: 13 February 2007

VBS.JongBoy@mm is a worm that can spread using the popular chat program mIRC and through Microsoft Outlook. VBS.JongBoy@mm deletes the Regedit.exe file and attempts to overwrite several other system files.

Like many other worms, VBS.JongBoy@mm is written in the Visual Basic Scripting (VBS) language. Because so many worms are written in VBS, SARC offers a tool to disable the Windows Scripting Host.

NOTE: Definitions dated prior to 27 February detect this worm as Bloodhound.VBS.Worm.

Antivirus Protection Dates

  • Initial Rapid Release version 27 February 2001
  • Latest Rapid Release version 28 September 2010 revision 054
  • Initial Daily Certified version 27 February 2001
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date pending

VBS.JongBoy@mm is a worm written in the Visual Basic Scripting language. The worm spreads using Microsoft Outlook and mIRC. If executed, this worm deletes the Regedit.exe file, which will prevent you from editing the Windows registry.

When executed, the worm does the following:
  1. It attempts to modify the Script.ini file used by mIRC; however, this will only work if mIRC is installed in the default installation path, C:\Mirc. The modification to Script.ini causes infected computers to send the worm using the IRC network.
  2. The worm attempts to send itself to everyone in the Microsoft Outlook address book. It also adds a registry key so that it does not perform this action more than once.
  3. Next, it executes its damaging payload. It attempts to overwrite every file in the \Windows\System folder that has the file extension .ocx, .dll, or .sys. It overwrites the files with a copy of itself.
  4. It then attempts to delete Regedit.exe.
  5. Finally, this worm checks the system date. If it is the 5th, 10th, or 15th of any month, the worm goes into an endless loop that keeps opening Notepad.exe.
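
The damage described in steps 3 and 4 leaves traces on disk that can be checked from a clean environment. The following triage check is an added example, not part of the original write-up or of any Symantec tool: it lists .ocx, .dll and .sys files in a Windows folder's System subfolder that no longer begin with the `MZ` executable signature, and reports whether Regedit.exe is absent. The function names, the `MZ` heuristic and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Extensions the write-up says the worm overwrites in \Windows\System.
TARGET_EXTS = {".ocx", ".dll", ".sys"}

def find_overwritten_binaries(system_dir):
    """List .ocx/.dll/.sys files that do not start with the 'MZ' signature.
    Assumption: genuine DLL/OCX files begin with b'MZ'; a file replaced by
    script text does not. Some legacy DOS .sys drivers also lack 'MZ', so
    each hit is a lead to verify, not proof.
    """
    suspects = []
    for name in sorted(os.listdir(system_dir)):
        path = os.path.join(system_dir, name)
        ext = os.path.splitext(name)[1].lower()
        if not os.path.isfile(path) or ext not in TARGET_EXTS:
            continue
        with open(path, "rb") as fh:
            if fh.read(2) != b"MZ":
                suspects.append(name)
    return suspects

def regedit_missing(windows_dir):
    """True when no Regedit.exe (any letter case) is present in windows_dir."""
    return not any(n.lower() == "regedit.exe" for n in os.listdir(windows_dir))

def triage(windows_dir):
    """Run both checks against a Windows folder (mounted offline or live)."""
    system_dir = os.path.join(windows_dir, "System")
    return {"overwritten": find_overwritten_binaries(system_dir),
            "regedit_missing": regedit_missing(windows_dir)}

def build_sample_tree(root):
    """Constructed sample data: one intact DLL, two files replaced by text."""
    system_dir = os.path.join(root, "Windows", "System")
    os.makedirs(system_dir)
    samples = {"good.dll": b"MZ\x90\x00" + b"\x00" * 60,
               "ctl.OCX": b"constructed plain-text placeholder\r\n",
               "drv.sys": b"constructed plain-text placeholder\r\n",
               "notes.txt": b"ignored: extension not targeted\r\n"}
    for name, data in samples.items():
        with open(os.path.join(system_dir, name), "wb") as fh:
            fh.write(data)
    return os.path.join(root, "Windows")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_tree(tmp)))
```

Any file the check lists still needs confirmation with current virus definitions, and a populated list supports the note below that Windows may have to be reinstalled.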



To remove this worm:

NOTE: If the worm has already run, it is likely that you will first have to reinstall Windows.
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
  3. Delete any files detected as VBS.JongBoy@mm.


Writeup By: Neal Hindocha