Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:VBS_DAIRA.A, VBS/Daira@MM, VBS.Daira@mm, VBS/SSIWG2.A.Worm, VBS.SSIWG2 worm
Damage:Spreads by email, using Microsoft Outlook and it can infect Microsoft Word 2000 documents. 
VDF Version: 

DistributionWorm/Matra spreads over Microsoft Outlook. The email contains:
Subject: Very Important Message
Body: Here is the document you were waiting for
Attachment: VIM.txt.vbs

Technical DetailsWhen activated, the worm is copied as "MATSUDARIA_V" on drive C:(hidden).
Another copy is made in System directory, as "W32BACKUP.DLL.VBS" (also hidden).

It makes the following registry autostart entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runw32 Backup = "C:\WinDIR%\%SystemDIR%\w32backup.dll.vbs"

Another copy, named "VIM.TXT.VBS" is created in Windows System (hidden), which is sent as mass mailer.

Word 2000 infection (
This worm creates a copy in root C:, named "MATSUDARIA_M" (hidden). It tries to copy the code of "MATSUDARIA_M" into "NORMAL.DOT" macro. It blocks the auto macro "Document_Open".

As stated earlier, the worm VBS file has the Macro infecting part commented out. However, when this worm is activated from a Macro, it exhibits different behavior. It attempts to delete the macros in the active document if either of the following registry entries are true: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\SecurityLevel = "" HKEY_CLASSES_ROOT\VBSFile\ScriptEngine = ""

This worm then disables the Option, Tools>Macro. It also disables the following keyboard commands:
Alt + F8 -Viewing of Macros
Alt + F11 -Visual Basic Editor

It creates a file named COMDLG16.SCR in the Windows system directory, which is responsible for checking a variable in the registry. It checks the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Word\General CheckBoot = "0"
This registry variable increases each time the file COMDLG16.SCR is run, and when it becomes greater than 18, the worm changes the file, AUTOEXEC.BAT, by appending some codes. The altered AUTOEXEC.BAT displays the following text when executed:
(c) 2001 by Tokugawa Ieyasu
Press any key to continue...

This worm also creates the following registry entry so that the file, COMDLG16, is executed at every Windows startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runcomdlg = "%SystemDIR%\comdlg16.src"
It checks if the file, W32BACKUP.DLL.SCR, exists in the Windows system directory, and if not, it makes a copy of itself in the Windows system directory, with the macro code commented, or preceded by an apostrophe.
It also adds the following registry entry so that this copy is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runw32 Backup = "C:\%WinDIR%\%SystemDIR%\w32backup.dll.vbs"

It also creates the file, WIN32DLL.SRC, in the directory of the open or active document. This file is responsible for copying this worm's code into the active document. To prevent re-infection, the worm checks if the code module's name is "Matsudaira".
A registry entry is created so that the file, WIN32DLL.SRC, is run at every Windows startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunInfDoc = "%ActiveDocumentPath%\win32dll.src"

The %ActiveDocumentPath% is the variable path of the currently open Word 2000 document. This entry is deleted by WIN32DLL.SRC after infecting the active document. The worm sets the security level of Microsoft Word to Low, by setting the following registry entry as such: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\SecurityLevel = "1"
This allows macros to execute without prompting the user.

The worm also adds/modifies the following registry entries: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ AdvancedHidden = "0"
This hides hidden or system files in Windows Explorer by turning on the option: "Do not show hidden or system files". HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ AdvancedHideFileExt = "1"
This hides the file extensions of certain files by turning on the option: "Hide file extensions for known types". HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command(Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
HKEY_CLASSES_ROOT\VBSFile\Shell\Print\Command(Default) = "C:\%WinDIR%\WScript.exe "%1" %*" HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\DefaultIcon(Default) = "shell32.dll,-152" HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\Shell\Edit\Command(Default) = "C:\%WinDIR%\WScript.exe "%1" %*" HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\Shell\Print\Command(Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\.src HKEY_LOCAL_MACHINE\Software\CLASSES\.src"VBSFile" HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script Host HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script Host\Settings HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Word\Security HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Word\Secu3
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .