'Mouse Speed Test' Virus/Worm Alert!

Question

Virus Alert! Watch for the 'Mouse Speed Test' message and file attachment!

Answer

This question was answered on January 11, 2002. Much of the information contained herein may have changed since posting.

A new mass mailing VBS worm that masquerades as a 'mouse speed test' is making the rounds.

McAfee has named it the W32/Spester@MM and has posted Poland as the point of origin.

The specific signatures are as follows:

Subject: game: Speed tester v. 1.0 - check your mouse skills

Body: Hello,

How good are your mouse movement skills? Wanna test it? If yes try game Speed tester v.1.0. (you have it in attachment).

It's really funny.

Software requirements:

- Windows operating system

- Java Virtual Machine

regards

Attachment: spdtest.zip

(The .ZIP file carries an .EXE which creates an .INI file and a .VBS file. The VBS file is responsible for mailing the .ZIP package out to others.)

When the .ZIP attachment is opened and the contents are extracted and run, a "game" is played. The challenge is for you to click a button with your mouse.

However, the button moves away from your pointer as soon as it is placed over the button. Various taunting messages are displayed within the button as the game progresses. Finally, one big button, which does not move is displayed. Once clicked, a message box is displayed.

Clicking that button results in a bogus Formatting C drive progress bar.

After a few seconds a message box appears stating that the drive was not formatted.

The virus creates a VBScript file to carry out its mailing routine, "c:\Program Files\Internet Explorer\oneclock.vbs". This VBS file sends the virus to all users found in the Microsoft Outlook Address book using MAPI.

The script has some date activated payloads.

On the 10th day of the month a message box is displayed which reads "Tip Of The Day: You look really beautiful today."

On the 25th day of the month the message is only sent to 1 recipient.

On the 31st day of the month, 51 directories are created, "C:\1o", "C:\1oo", "C:\1ooo", etc. 91 directories are created, "C:\2n", "C:\2nn", "C:\2nnn", etc. 131 directories are created, "C:\3e", "C:\3ee", "C:\3eee" and the message is sent to only 1 recipient.

On September 12th, a message box is displayed which reads "Happy Birthday!!!"

The files creates a marker file which it uses to know if it has emailed its message out: c:\Program Files\Common Files\one.dat

The C:\mIRC\SCRIPT.INI file is overwritten with instructions to send C:\MIRC\SPDTEST.ZIP to IRC users when joining the channel that an infected user is on.

DO NOT OPEN AND RUN THIS OR ANY ATTACHMENT, UNLESS YOU KNOW EXACTLY WHAT IT IS, ESPECIALLY FROM FRIENDS AND FAMILY, AS THESE WORMS SILENTLY SEND THEMSELVES!

Author

Posted by Ken of Data Doctors on January 11, 2002