VBS.DWorld.A is a Visual Basic Script worm. The worm attaches itself to an email message and is sent to everyone in the address book. The worm also uses mIRC to spread.
The payload is a displayed message; the mouse and keyboard are disabled on the 1st and 27th of every month.
Creating the following .ini files:
C:\Mirc\Script.ini
C:\Mirc\Update.ini
Modifying the following .ini file:
C:\Mirc\Mirc.ini
After running mIRC clients, the worm is sent. The name of the attached file is Dragonball.vbs.
Sends an email message using Outlook:
The worm sends an email message to all addresses in the Outlook address book. The message is:
Subject:Hello ;]
Message:Hi , check out this game that j sent you (funny game from the net:])
A bug in the code prevents the worm from attaching.
Infects .vbs and .vbe files:
The worm infects .vbs and .vbe files at the following locations:
Windows folder in Windows 95/98/Me
WINNT folder in Windows NT/2000
Desktop
Folder where the worm is executed
Shows movies:
Launches Windows Movie Player, and opens the movie from http://bdball.metropoli2000.net/
mmedia/videos/clips/dballz.gokuhss1.mpg
Creates and modifies .bat files:
The worm creates C:\Windows\Dragonball.bat and adds its path to the Autoexec.bat file.
Dragonball.bat is only for showing message at startup:
DraGon Ball [Z] by YuP
Thank you and bye bye dragon world!!
On the 1st and 27th of every month, the following message appears:
The mouse and keyboard are disabled.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
The following instructions are general instructions for removing viruses.
Run LiveUpdate to make sure that you have the most recent virus definitions.
Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
If any files are found to be infected by VBS.DWorld.A, VBS.DWorld.ini or VBS.Dworld.bat. then click Delete.
Using Windows Explorer, delete the following files:
Windows 95/98/Me
\Windows\Winsock.vbs
\Windows\Sysdir.vbs
\Windows\System\Milioner.vbs
\Windows\System\Dragonball.vbs
\Windows\System\Dragonball.cab
Windows NT/2000
\Winnt\Winsock.vbs
\Winnt\Sysdir.vbs
\Winnt\System32\Milioner.vbs
\Winnt\System32\Dragonball.vbs
\Winnt\System32\Dragonball.cab
Delete these registry keys:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
