Email-Worm.VBS.Guorm.a
Email-Worm.VBS.Guorm.a (Kaspersky Lab) is also known as: I-Worm.Guorm.a (Kaspersky Lab), VBS/Gorum.gen@MM (McAfee), VBS.Gorum.A@mm (Symantec), VBS/Gorum-A (Sophos), VBS/Gorum.A* (RAV), VBS_GUORM.A (Trend Micro), VBS/Guormex (H+BEDV), VBS/Gorum@mm (FRISK), VBS:VBSWG-D (ALWIL), VBS/Gorum.A (Grisoft), VBS.Gorum.A@mm (SOFTWIN), Worm.Guorm (ClamAV), VBS/Guorm.A (Panda), Guorm.B (Eset)
This is an Internet worm that spreads as an attachment to e-mail messages.
To send infected messages, the worm uses a VBS script and MS Outlook. The worm
is also able to send copies of itself to IRC channels by infecting an mIRC client.
There are several versions of the worm. The first is a pure VBS script; another
is a Windows executable file that drops a VBS script to infect e-mail messages;
the third is an MS Word document with a macro-program inside. All of these worm
versions have similar functionality and infect the system in very similar ways.
When the worm file is activated (by double clicking on an attached file in
infected messages, or being accepted as an IRC download), it copies itself into
the WINDOWS System directory with different names depending on
the version:
USER.DLL, WINUSER.EXE
WINUSER.DLL, USER32.DLL.VBS
The worm does not register these files in the system, so they are not
executed automatically.
The name of the Windows directory is hardcoded in the body of the first worm
version (C:\WINDOWS\SYSTEM), so that version is not able to spread if Windows
is installed in another folder.
While mailing its copies, the worm drops a GUORM.VBS script file (or GUORMEX.VBS,
depending on the version) into the Windows TEMP directory and spawns it. The
script connects to MS Outlook, gains access to the address book and sends
worm copies to all addresses listed there. The worm messages contain:
Subject: You know what it is!. ;-P
Body: Hey, here you have!.
The attachment name differs depending on the worm version. The first worm
version (sent as a Windows EXE file) has only one variant of the attached
file name in infected messages: WINUSER.EXE
Other versions use a combination of randomly-selected names and extensions
from the following variants:
Extensions: .VBS, .VBE, .TXT.VBS, .JPG.VBS, .AVI.VBS, .SCR.VBS
Names: links, cool, funny, anti-loveletter, guorm, pot, win2k, icq2k,
money, funnypic.jpg, quake, Year2K+1, Mirc2K, Word2001,
FunStuff, WindowsMe
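A mail-filter style check for the message traits listed above, as an added example that is not part of the original description. The function names and the sample messages are constructed for illustration, and exact-string matching on the subject and body is an assumption about how a filter would apply these indicators.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECT = "You know what it is!. ;-P"
BODY = "Hey, here you have!."
FIXED_NAMES = {"winuser.exe"}  # first version: single attachment name
EXTENSIONS = (".vbs", ".vbe", ".txt.vbs", ".jpg.vbs", ".avi.vbs", ".scr.vbs")
NAMES = {"links", "cool", "funny", "anti-loveletter", "guorm", "pot", "win2k",
         "icq2k", "money", "funnypic.jpg", "quake", "year2k+1", "mirc2k",
         "word2001", "funstuff", "windowsme"}

def attachment_matches(filename):
    """True if filename is WINUSER.EXE or a listed name + listed extension."""
    name = filename.strip().lower()
    if name in FIXED_NAMES:
        return True
    # Try every extension: "funnypic.jpg" + ".vbs" must not be cut at ".jpg.vbs".
    return any(name.endswith(ext) and name[:-len(ext)] in NAMES
               for ext in EXTENSIONS)

def guorm_indicators(raw_message):
    """Return the list of Guorm traits found in one raw e-mail message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname and attachment_matches(fname):
            hits.append("attachment:" + fname)
    return hits

def build_sample(subject, body, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(guorm_indicators(build_sample(SUBJECT, BODY, "funny.JPG.vbs")))
    print(guorm_indicators(build_sample("Minutes", "See attached.", "minutes.pdf")))
```

Attachment names are compared case-insensitively, and the double-extension forms (.JPG.VBS and similar) are matched as whole suffixes so that a file shown by the mail client as an apparent picture or text file is still caught.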
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in
the mIRC directory (if mIRC is installed). This file contains a set of instructions
that send a worm file to everybody who enters an infected channel.
The worm contains the following "copyright" texts:
BrainMuscle + OldWary + KALAMAR
Guorm