World cup virus kicks-off

CIOL Bureau

As the World Cup moves towards its final stages and the excitement rages, a new virus with the subject line ‘WorldCup News!’ is on the prowl. The text of the virus mail says ‘read me for more world cup news!’ and a WorldCup.bat file is attached to it. UK-based Sophos, a virus solution provider, has issued a warning regarding the virus to all of its subscribers the world over.


When executed, the worm will create, execute and on occasion delete the files worldcup_score.vbs, eyeball.reg, japan.vbs, england.vbs, ireland.vbs, uraguay.vbs and argentina.bat. Though not many companies in India are affected by this virus as of now, the virus can, if neglected, create problems on a large scale for small and medium scale enterprises.

Worldcup_score.vbs is the file that carries out the worm's mass mailing. An email with the above characteristics will be sent to all contacts in the user's Microsoft Outlook address book. In addition, Eyeball.reg creates the following registry entry so that a copy of the worm is run when Windows starts up: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cqlyg.

According to Sophos, an attempt will be made to copy eyeball.reg over all REG files contained in folders in the user's path and the Windows, current and parent folders. Japan.vbs will attempt to start a copy of the worm called



An attempt will be made to copy japan.vbs over all VBS files contained in the folders of the user's path and the Windows, current and parent folders. Simultaneously, England.vbs will set the following registry entry so that a copy of the worm is run when Windows starts up: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\eifxi.

Ireland.vbs attempts to create a shortcut in the root folder to a copy of the worm. The shortcut would be called pif.lnk. Uraguay.vbs attempts to create a shortcut to brazil.vbs, which in turn will try to execute paraguay.vbs. Paraguay.vbs does not exist.

The worm creates copies of itself using the names world_cup_.bat, germany.bat, china.bat, russia.bat, turkey.bat, denmark.bat, costarica.bat, wini.bat, spain.bat and italy.bat. These copies are most likely to be in the Windows folder. The virus is also capable of deleting anti-virus related executables.

The virus also searches for a mIRC installation and, if one is found, creates the file script.ini. The script.ini file will attempt to forward a copy of the worm to anyone who joins an IRC channel the infected user is currently logged on to. The folder C:\ThisIsOnlyASimpleWorm will be created and will contain a single copy of the worm named WorldCup.bat.
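The indicators described above can be turned into a simple host check. The following is an added example, not code from Sophos or from the original article: it flags the two Run value names, the dropped file names and the marker folder, and it also looks for the overwrite behaviour by finding differently named .reg or .vbs files whose contents are byte-identical. The function names, the `min_cluster` threshold, the sample tree and the idea that the caller supplies the Run-key value names are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Indicators copied from the article; everything else here is an assumption.
RUN_VALUES = {"cqlyg", "eifxi"}
WORM_FILES = {"worldcup.bat", "worldcup_score.vbs", "eyeball.reg", "japan.vbs",
              "england.vbs", "ireland.vbs", "uraguay.vbs", "argentina.bat", "pif.lnk"}
MARKER_DIR = "thisisonlyasimpleworm"

def scan(root, run_value_names, min_cluster=3):
    """Return (kind, detail) findings for a directory tree and Run-key value names."""
    findings = [("run-key", n) for n in run_value_names if n.lower() in RUN_VALUES]
    by_hash = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == MARKER_DIR:
                findings.append(("marker-dir", os.path.relpath(os.path.join(dirpath, d), root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel, low = os.path.relpath(path, root), name.lower()
            if low in WORM_FILES:
                findings.append(("known-name", rel))
            ext = os.path.splitext(low)[1]
            if ext in (".reg", ".vbs"):
                with open(path, "rb") as fh:
                    by_hash[(ext, hashlib.sha256(fh.read()).hexdigest())].append(rel)
    # Many differently named .reg or .vbs files with byte-identical content
    # match the overwrite behaviour described for eyeball.reg and japan.vbs.
    for (ext, _), rels in sorted(by_hash.items()):
        if len(rels) >= min_cluster and len({os.path.basename(r).lower() for r in rels}) > 1:
            findings.append(("overwritten-" + ext[1:], sorted(rels)))
    return findings

def demo():
    """Scan a constructed tree: three clobbered .reg files, two distinct .vbs files."""
    tree = {"Windows/eyeball.reg": b"X", "Windows/printer.reg": b"X",
            "tools/fonts.reg": b"X", "tools/login.vbs": b"A",
            "tools/backup.vbs": b"B", "ThisIsOnlyASimpleWorm/WorldCup.bat": b"Z"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan(root, ["cqlyg", "SomeLegitApp"])

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

The identical-content check catches overwritten files even after they keep their original names, which a name-only search would miss.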

A virus identity (IDE) file, which provides protection, is available on the Sophos site, and it will be incorporated into the August 2002 (3.60) release of Sophos Anti-Virus.