Alias: VBS_DAIRA.A, VBS/Daira@MM, VBS.Daira@mm, VBS/SSIWG2.A.Worm, VBS.SSIWG2 worm
Type: Worm
Size:
Origin:
Date: 00-00-0000
Damage: Spreads by email using Microsoft Outlook, and can infect Microsoft Word 2000 documents.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
Worm/Matra spreads over Microsoft Outlook. The email contains:
Subject: Very Important Message
Body: Here is the document you were waiting for
Attachment: VIM.txt.vbs

Technical Details
When activated, the worm copies itself to the root of drive C: as "MATSUDARIA_V" (hidden).
Another copy is made in the System directory, as "W32BACKUP.DLL.VBS" (also hidden).

It creates the following registry autostart entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\w32 Backup = "C:\%WinDIR%\%SystemDIR%\w32backup.dll.vbs"

Another copy, named "VIM.TXT.VBS", is created in the Windows System directory (hidden); this is the copy sent out by the mass mailer.

Word 2000 infection (NORMAL.DOT):
The worm creates a copy in the root of C:, named "MATSUDARIA_M" (hidden), and tries to copy the code of "MATSUDARIA_M" into a "NORMAL.DOT" macro. It blocks the auto macro "Document_Open".

As noted below, the worm's VBS file has the macro-infecting part commented out. However, when the worm is activated from a macro, it exhibits different behavior. It attempts to delete the macros in the active document if either of the following registry entries is true:
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = ""
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine = ""

The worm then disables the Tools > Macro menu option. It also disables the following keyboard commands:
Alt + F8 - View Macros
Alt + F11 - Visual Basic Editor

It creates a file named COMDLG16.SCR in the Windows system directory, which is responsible for checking a counter in the registry. It checks the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Word\General\CheckBoot = "0"
This registry value is incremented each time COMDLG16.SCR runs; once it exceeds 18, the worm modifies AUTOEXEC.BAT by appending some code. The altered AUTOEXEC.BAT displays the following text when executed:
Matsudaira
Virus
I-Worm/VBS/W2000M/Matsudaira
(c) 2001 by Tokugawa Ieyasu
Press any key to continue...

The worm also creates the following registry entry so that COMDLG16 is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\comdlg = "%SystemDIR%\comdlg16.src"
It checks whether the file W32BACKUP.DLL.SCR exists in the Windows system directory; if not, it makes a copy of itself there with the macro code commented out (each line preceded by an apostrophe).
It also adds the following registry entry so that this copy is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\w32 Backup = "C:\%WinDIR%\%SystemDIR%\w32backup.dll.vbs"

It also creates the file WIN32DLL.SRC in the directory of the open (active) document. This file is responsible for copying the worm's code into the active document. To prevent re-infection, the worm checks whether the code module's name is already "Matsudaira".
A registry entry is created so that WIN32DLL.SRC is run at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\InfDoc = "%ActiveDocumentPath%\win32dll.src"

%ActiveDocumentPath% is the path of the currently open Word 2000 document. This entry is deleted by WIN32DLL.SRC after it has infected the active document. The worm sets the macro security level of Microsoft Word to Low by setting the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = "1"
This allows macros to execute without prompting the user.

The worm also adds/modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "0"
This hides hidden and system files in Windows Explorer by turning on the option "Do not show hidden or system files".
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
This hides the extensions of known file types by turning on the option "Hide file extensions for known types".
HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command (Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
HKEY_CLASSES_ROOT\VBSFile\Shell\Print\Command (Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\DefaultIcon (Default) = "shell32.dll,-152"
HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\Shell\Edit\Command (Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\Shell\Print\Command (Default) = "C:\%WinDIR%\WScript.exe "%1" %*"
Pointing the Edit and Print verbs of the VBSFile class at WScript.exe means that choosing "Edit" or "Print" on a .vbs file executes it instead of opening an editor.
HKEY_LOCAL_MACHINE\Software\CLASSES\.src
HKEY_LOCAL_MACHINE\Software\CLASSES\.src (Default) = "VBSFile"
Mapping the .src extension to VBSFile makes the worm's .src files (COMDLG16.SRC, WIN32DLL.SRC) run as VBScript.
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script Host
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script Host\Settings
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Word\Security
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Word\Secu3
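A defender-side check for the persistence and security-downgrade entries listed in this description, written as an added example (not Avira's code): it parses a text .reg export and reports the Run values, the Word macro security level and the .src file association named above. The export it scans is a constructed sample embedded in the block, not a real capture.

```python
# Indicators taken from the description above. Names are compared
# case-insensitively because the Windows registry is case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"w32 backup": "w32backup.dll.vbs",
              "comdlg": "comdlg16.src", "infdoc": "win32dll.src"}
WORD_SECURITY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
SRC_CLASS = r"HKEY_LOCAL_MACHINE\Software\CLASSES\.src"

def parse_reg_export(text):
    """Parse a .reg text export into {key: {value_name: data}}; '@' is (Default)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            reg[current][name.strip('"')] = data.strip().strip('"')
    return reg

def find_indicators(reg):
    """Return findings for the worm's autostart entries, the Word security
    downgrade and the .src -> VBSFile association, in export order."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, data in values.items():
                expected = RUN_VALUES.get(name.lower())
                if expected and data.lower().endswith(expected):
                    findings.append(f"autostart '{name}' runs {data}")
        elif k == WORD_SECURITY.lower() and values.get("Level") == "dword:00000001":
            findings.append("Word 2000 macro security set to Low")
        elif k == SRC_CLASS.lower() and values.get("@", "").lower() == "vbsfile":
            findings.append(".src extension mapped to VBSFile (runs as VBScript)")
    return findings

# Constructed sample export containing the page's entries plus one benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"w32 Backup"="C:\\WINDOWS\\SYSTEM\\w32backup.dll.vbs"
"comdlg"="C:\\WINDOWS\\SYSTEM\\comdlg16.src"
"Notepad"="C:\\WINDOWS\\notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\CLASSES\.src]
@="VBSFile"
'''

for finding in find_indicators(parse_reg_export(SAMPLE_REG)):
    print("FOUND:", finding)
```

On a live machine, feed it the output of `reg export` for the keys above; a clean system produces no findings.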
Description entered by Crony Walker on Tuesday, 15 June 2004
