Threat Explorer

VBS.Pica@mm

Discovered: 06 August 2002
Updated: 06 August 2002
Systems Affected: Windows

VBS.Pica@mm is a mass mailing worm that resends all messages in the user's Sent Items folder with its attachment. It has a payload that overwrites all VBS files on local and network drives with itself.

The worm typically arrives as an email message with the following properties:
Subject: FREE PORN SITES
Attachment: clickme.vbs
Message body: blank

When the attachment is executed, the worm will create the following copies of itself in the Windows directory:
run32dll.vbs
clickme.vbs

The worm then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate="wscript.exe %Windows%\run32dll.vbs %"

It then creates the following registry entry as an infection marker. When this entry is present, the worm will not perform its mass mailing:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft="1"

It then searches all local and network drives for .vbs and .vba files and overwrites them with its own code.

The worm will also display the following message on the 26th of July:
Kagra Worm Generator
FREE PORN SITES
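
The mail and host indicators listed above can be turned into a simple triage check. The following is an added example, not part of the original write-up: the function names are hypothetical, and it runs on constructed inputs (a raw message, a listing of the Windows directory, and a dict of Run-key values) rather than reading a live mailbox or registry.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the write-up above.
SUBJECT = "FREE PORN SITES"
ATTACHMENT = "clickme.vbs"
DROPPED_FILES = {"run32dll.vbs", "clickme.vbs"}   # copies in the Windows directory
RUN_VALUE = "WinUpdate"                            # value under ...\CurrentVersion\Run


def message_matches(raw: bytes) -> bool:
    """True when a raw message has the listed subject, attachment and blank body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().upper()
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    return subject == SUBJECT and ATTACHMENT in names and text == ""


def host_findings(windows_dir_listing, run_values):
    """Return the host indicators found in a file listing and a dict of Run values."""
    found = sorted(n.lower() for n in windows_dir_listing if n.lower() in DROPPED_FILES)
    findings = [f"file:{n}" for n in found]
    for name, command in run_values.items():
        cmd = command.lower()
        # Only flag the Run value when it launches the dropped script via wscript.exe.
        if name.lower() == RUN_VALUE.lower() and "wscript.exe" in cmd and "run32dll.vbs" in cmd:
            findings.append(f"run:{name}")
    return findings


def sample_message(subject, filename, body="\n") -> bytes:
    """Constructed test mail; the attachment is a harmless one-line placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    m.add_attachment(b"' placeholder, not worm code\r\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(message_matches(sample_message("FREE PORN SITES", "clickme.vbs")))
    listing = ["notepad.exe", "RUN32DLL.VBS", "win.ini"]            # constructed
    runs = {"WinUpdate": r"wscript.exe C:\WINDOWS\run32dll.vbs %"}  # constructed
    print(host_findings(listing, runs))
```

The Run-key check requires both the WinUpdate value name and a command that references run32dll.vbs, so an unrelated program that happens to register a value called WinUpdate is not flagged.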