13 February 2007

VBS.Winter.B is a Visual Basic Script worm. Like many other worms, it uses Microsoft Outlook, mIRC, and Pirch to spread itself. The worm arrives as the file UndetectedWorm.vbs. Upon execution, the worm attempts to open a connection to a Web site. Any .vbs and .vbe files are overwritten with a copy of the worm.

Antivirus Protection Dates

  • Initial Rapid Release version 19 December 2000
  • Latest Rapid Release version 28 September 2010 revision 054
  • Initial Daily Certified version 19 December 2000
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date pending

When executed, the VBS.Winter.B worm will perform the following actions:
  • Copies itself to the Windows System directory as UndetectedWorm.vbs.
  • Adds the value "UndetectedWorm" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to enable itself at startup.
  • Searches for the mIRC program directory. If present, overwrites the script.ini file to spread itself when connected to mIRC.
  • Searches for the Pirch program directory. If present, overwrites the events.ini file to spread itself when connected to Pirch.
  • Sends a single email for each separate address list found in Microsoft Outlook, with each address entry added as a BCC address. The email contains the UndetectedWorm.vbs file.
  • Searches for .vbs and .vbe files on mapped drives, shared drives, and disk drives in which disks are present. Overwrites these files with a copy of itself.
  • The worm attempts to connect to the Web site
The worm also keeps a record of its infection by creating the registry key HKCU\Software\Undetected. In this key, it stores information after it has attempted to mail itself using Outlook. It also records whether it has affected the mIRC or Pirch programs. These actions are marked by the values mailed, mirqued, and pirched being created and set to 1. This allows the worm to perform a check for previous infections.
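
A triage check built on the registry indicators described above, as an added example that is not part of the original write-up: it parses the text of a registry export and reports whether the Run value and the mailed, mirqued, and pirched markers are present. The sample export is constructed, the data stored under UndetectedWorm is a placeholder, and the markers are accepted as either a string or a DWORD because the write-up does not state their type.

```python
import re

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Undetected"
RUN_VALUE = "UndetectedWorm"
STAGE_VALUES = ("mailed", "mirqued", "pirched")

# Constructed sample of .reg export text (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UndetectedWorm"="<constructed placeholder>"

[HKEY_CURRENT_USER\Software\Undetected]
"mailed"="1"
"mirqued"=dword:00000001
'''

def parse_reg(text):
    """Parse decoded .reg text into {lowercased key: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def is_one(raw):
    """True if the raw .reg data encodes 1, as a string ("1") or a DWORD."""
    return raw is not None and (
        raw == '"1"' or re.fullmatch(r"dword:0*1", raw, re.I) is not None)

def triage(text):
    """Report which of the worm's registry indicators appear in the export."""
    keys = parse_reg(text)
    run = keys.get(RUN_KEY.lower(), {})
    marker = keys.get(MARKER_KEY.lower())
    return {
        "run_value_present": RUN_VALUE.lower() in run,
        "marker_key_present": marker is not None,
        "stages": [s for s in STAGE_VALUES if is_one((marker or {}).get(s))],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
```

Registry exports are normally written as UTF-16, so decode the file before passing its text to `triage`.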