ViRobot

VBS.Merlin

Aliases: VBS/Merlin, VBS.Merlin.A@mm
Typical Symptoms: Decreases Memory, Changes registry, Displays message box, File infection, Removes file, Creates file, Formats HDD
Discovered: [Korea] 0000-00-00, [Foreign] 2001-06-18
Type: Virus
Active Field: VBS
Destroy/Distribution:
Origin: others
Encryption: NO
Location: Script
Memory residence: NO
Scan engine needed: 2001-07-06 [Able to detect & repair]
Description
VBS.Merlin is a script virus that spreads itself via emails, mIRC, and mapped network drives.

Upon execution, it creates 500 folders with read-only and hidden attributes.
It deletes all '.doc' files and infects '.vbs' and '.vbe' files.


The virus sends an email titled WindowsXP Betatest that contains ActiveX content. When the user opens the email, Windows displays a warning against opening email that contains ActiveX. The email itself, however, displays this message in red:

You need ActiveX enabled if you want to see this e-mail. Please open this message again and click accept ActiveX Microsoft Outlook

If the user allows the running of ActiveX, the system will be infected.

The virus also sends "WindowsXP.html" during mIRC chat sessions to infect other mIRC users.

Once the system is infected, the virus copies itself (under a random file name) to the Windows folder and creates "WindowsXP.html". It creates 500 folders (with hidden and read-only attributes), including a 1K-byte ".txt" file that contains the string "Irgendwo strahlt immer ein kleiner Stern!".

This virus has several different payloads:

On the 2nd of every month

It modifies the registry to hide its icon on the desktop and updates itself.
It deletes 'regedit.exe', 'User.dat', 'User.bak', 'System.dat', and 'System.bak', and then reboots the system.
It modifies the registry to auto-execute the virus in the next boot-up.

On the 4th of every month

It adds a format command in "autoexec.bat" and then reboots the system.
The system will be formatted after reboot.

On the 5th of every month

It modifies the registry to hide its icon on the desktop.

On the 7th of every month

It displays a message box in German.
It modifies the following registry key so that it executes automatically:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run

Value: wscript.exe C:\Windows\RANDOM NAME.vbs %

At the next boot-up, it appends itself to '.vbs' and '.vbe' files so that a script error will occur when the user tries to open these files.


Removal Instructions
Do not open emails titled "WindowsXP Betatest".

Download the latest definition file, dated 6 July 2001 or later.
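
A triage check for the file and registry artifacts listed in the description, as an added example that is not HAURI's code. The folder and .txt names in the sample tree are constructed, and the 4096-byte size bound and the Run-value pattern are assumptions.

```python
import os
import re
import tempfile

MARKER = b"Irgendwo strahlt immer ein kleiner Stern!"  # string quoted in the description
DROPPED_HTML = "windowsxp.html"   # dropped file name from the description, lower-cased
MAX_TXT_SIZE = 4096               # assumption: generous bound for the "1K bytes" .txt
# Shape of the Run value in the description: wscript.exe <path>\<name>.vbs
RUN_VALUE_RE = re.compile(r"^\s*wscript\.exe\s+.*\\[^\\]+\.vbs\b", re.IGNORECASE)


def scan_tree(root):
    """Return paths under root that match the file artifacts in the description."""
    hits = {"marker_txt": [], "dropped_html": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.lower() == DROPPED_HTML:
                    hits["dropped_html"].append(path)
                elif name.lower().endswith(".txt") and os.path.getsize(path) <= MAX_TXT_SIZE:
                    with open(path, "rb") as fh:
                        if MARKER in fh.read():
                            hits["marker_txt"].append(path)
            except OSError:
                continue  # unreadable entry: skip it, keep scanning
    return hits


def suspicious_run_value(value):
    """Heuristic lead only: a Run value that launches a .vbs through wscript.exe."""
    return bool(RUN_VALUE_RE.match(value))


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(3):  # stand-in for the 500 folders; names are constructed
            folder = os.path.join(root, "dir%03d" % i)
            os.mkdir(folder)
            with open(os.path.join(folder, "note.txt"), "wb") as fh:
                fh.write(MARKER.ljust(1024, b" "))  # assumption: one marker .txt per folder
        with open(os.path.join(root, "WindowsXP.html"), "w") as fh:
            fh.write("<html></html>")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("unrelated text")  # benign file that must not be reported
        hits = scan_tree(root)
        return len(hits["marker_txt"]), len(hits["dropped_html"])
```

Point `scan_tree` at a mounted copy of the affected drive, and pass `suspicious_run_value` the values exported from the Run key named above. A match on the Run value alone is a lead to review, since legitimate scripts can also start through wscript.exe.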


Copyright 2008 @ HAURI Inc. All rights reserved.