As the World Cup moves towards its final stages, the excitement is
raging. A new virus is on the prowl, arriving in e-mails with the subject
line ‘WorldCup News!’. The message text says ‘read me for more world cup news!’
and the mail carries an attached file, WorldCup.bat. UK-based Sophos, a virus
solution provider, has issued a warning regarding the virus to all of its
subscribers the world over.
When executed, the worm will create, execute and on occasion delete the
files worldcup_score.vbs, eyeball.reg, japan.vbs, england.vbs, ireland.vbs,
uraguay.vbs and argentina.bat. Though not many companies in India are affected
by this virus as of now, the virus can, if neglected, create problems on a large
scale for small and medium-scale enterprises.
Worldcup_score.vbs is the file that carries out the worm's mass mailing.
An email with the above characteristics will be sent to all contacts
in the user's Microsoft Outlook address book. In addition to that, Eyeball.reg
creates the following registry entry so that a copy of the worm is run when
Windows starts up: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cqlyg.
According to Sophos, an attempt will be made to copy eyeball.reg over all REG
files contained in folders in the user's path and the Windows, current and
parent folders. Japan.vbs will attempt to start a copy of the worm called
argentina.bat.
An attempt will be made to copy japan.vbs over all VBS files contained in the
folders of the user's path and the Windows, current and parent folders.
Simultaneously, England.vbs will set the following registry entry so that a copy
of the worm is run when Windows starts up: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\eifxi.
Ireland.vbs attempts to create a shortcut in the root folder to a copy of the
worm. The shortcut would be called pif.lnk. Uraguay.vbs attempts to create a
shortcut to brazil.vbs, which in turn will try to execute paraguay.vbs.
Paraguay.vbs does not exist.
The worm creates copies of itself using the names world_cup_.bat, germany.bat,
china.bat, russia.bat, turkey.bat, denmark.bat, costarica.bat, wini.bat,
spain.bat and italy.bat. These copies are most likely to be in the Windows
folder. The virus is capable of deleting anti-virus related executables.
The virus also searches for a mIRC installation and creates the file
script.ini if one is found. The script.ini file will attempt to forward a copy
of the worm to anyone who joins an IRC channel the infected user is currently
logged on to. The folder C:\ThisIsOnlyASimpleWorm will be created and will
contain a single copy of the worm named WorldCup.bat.
A virus identity (IDE) file, which provides protection, is available from
the Sophos site, and it will be incorporated into the August 2002 (3.60) release
of Sophos Anti-Virus.
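
The file names, Run values and folder described above can be turned into a host triage check; the following is an added example, not code from Sophos or from the original article. It assumes an inventory of (path, content digest) pairs and Run-key value names has already been collected from the machine, and it also flags REG and VBS files whose content matches eyeball.reg or japan.vbs, since the worm copies those two over other files; the sample inventory, its digests and the value name SystemTray are constructed.

```python
import ntpath

# Indicator names as given in the article; Windows names compare case-insensitively.
DROPPED = {
    "worldcup.bat", "worldcup_score.vbs", "eyeball.reg", "japan.vbs", "england.vbs",
    "ireland.vbs", "uraguay.vbs", "argentina.bat", "brazil.vbs", "pif.lnk",
    "world_cup_.bat", "germany.bat", "china.bat", "russia.bat", "turkey.bat",
    "denmark.bat", "costarica.bat", "wini.bat", "spain.bat", "italy.bat",
}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"cqlyg", "eifxi"}
WORM_DIR = "c:\\thisisonlyasimpleworm\\"
OVERWRITERS = {"eyeball.reg": ".reg", "japan.vbs": ".vbs"}  # copied over files of this type

def triage(files, run_entries):
    """files: (path, content_digest) pairs; run_entries: (key, value_name) pairs."""
    findings = []
    # Digests seen on this host for eyeball.reg / japan.vbs, mapped to the extension they overwrite.
    bad = {d: OVERWRITERS[ntpath.basename(p).lower()]
           for p, d in files if ntpath.basename(p).lower() in OVERWRITERS}
    for path, digest in files:
        low = path.lower()
        name = ntpath.basename(low)
        if low.startswith(WORM_DIR):
            findings.append(("worm-folder", path))
        elif name in DROPPED:
            findings.append(("dropped-file", path))
        elif bad.get(digest) == ntpath.splitext(name)[1]:
            findings.append(("overwritten", path))
    for key, value in run_entries:
        k = key.lower().replace("hkey_local_machine", "hklm").rstrip("\\")
        if k == RUN_KEY and value.lower() in RUN_VALUES:
            findings.append(("persistence", key + "\\" + value))
    return findings

# Constructed sample inventory; digests are short placeholders, not real hashes.
SAMPLE_FILES = [
    (r"C:\WINDOWS\germany.bat", "d1"),
    (r"C:\WINDOWS\eyeball.reg", "d2"),
    (r"C:\WINDOWS\settings.reg", "d2"),  # same content as eyeball.reg
    (r"C:\Tools\backup.vbs", "d3"),
    (r"C:\ThisIsOnlyASimpleWorm\WorldCup.bat", "d1"),
]
SAMPLE_RUN = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "cqlyg"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray"),
]
if __name__ == "__main__":
    print(*triage(SAMPLE_FILES, SAMPLE_RUN), sep="\n")
```

Files reported as overwritten need restoring from backup, because removing the worm's own copies does not bring back their original content.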