Wscript/Jer.worm

Virus Characteristics

This is a Visual Basic Script worm, originally posted within an web page encoded in HTML and VBScript. This worm attempts to distribute itself vai IRC channels and also MAPI email. This trojan also contains a registry modification routine which modifies policy settings, changing the appearance of the Desktop among other setting changes.

There have been a few variants created after the initial release of this script. It was reportedly sent as a link to several users in a chat session who reportedly visited the page where the script was hosted.

In the original web page, it was titled “THE 40 WAYS WOMEN FAIL IN BED” and contained text as well as the Internet worm scripting. Users who viewed the web with low Internet security settings were highest at risk.

The script when run writes a file to the local system and modifies the registry to load this file at Windows startup. The first version of the script wrote “ewell.htm” while another variant wrote “1on1mail.htm”. The registry location is:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

The registry is also modified with these changes (original values are ’0′):

HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
NoClose = 1
NoDesktop = 1
NoFind = 1

HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesNetwork
NoNetSetup = 1

HKLMSoftwareMicrosoftWindowsCurrentVersion
Version = VBS.Brian_Ewell
RegisteredOwner = Did you just get this job?
RegisteredOrganization = Symantec® 2000

After modifying the registry, this worm modifies the local script files MIRC.INI or SCRIPT.INI in a method to distribute itself when joining IRC channels.

After this process, it attempts to send a message using MAPI email in this format:

Subject = “Brian Ewell Resume”
Body = “I would really like to get a new job. Please check out my resume.”
“Enjoy ”
“Brian Ewell”
Attachments = “Ewell.htm”