Virus Alert! Watch for the 'Mouse Speed Test' message and file attachment!
This question was answered on January 11, 2002. Much of the information contained herein may have changed since posting.
A new mass-mailing VBS worm that masquerades as a 'mouse speed test' is making the rounds.
McAfee has named it W32/Spester@MM and lists Poland as the point of origin.
The specific signatures are as follows:
Subject: game: Speed tester v 1.0 - check your mouse skills
How good are your mouse movement skills? Wanna test it? If yes try game Speed tester v.1.0 (you have it in attachment)
It's really funny
- Windows operating system
- Java Virtual Machine
(The .ZIP file carries an .EXE which creates an .INI file and a .VBS file. The VBS file is responsible for mailing the .ZIP package out to others.)
When the .ZIP attachment is opened and the contents are extracted and run, a "game" is played. The challenge is for you to click a button with your mouse.
However, the button moves away from your pointer as soon as it is placed over the button. Various taunting messages are displayed within the button as the game progresses. Finally, one big button, which does not move, is displayed. Once clicked, a message box is displayed.
Clicking that button results in a bogus "Formatting C drive" progress bar.
After a few seconds a message box appears stating that the drive was not formatted.
The virus creates a VBScript file to carry out its mailing routine, "c:\Program Files\Internet Explorer\oneclock.vbs". This VBS file sends the virus to all users found in the Microsoft Outlook Address book using MAPI.
The script has some date-activated payloads.
On the 10th day of the month a message box is displayed which reads "Tip Of The Day: You look really beautiful today."
On the 25th day of the month the message is only sent to 1 recipient.
On the 31st day of the month, 51 directories are created ("C:\1o", "C:\1oo", "C:\1ooo", etc.), 91 directories are created ("C:\2n", "C:\2nn", "C:\2nnn", etc.), 131 directories are created ("C:\3e", "C:\3ee", "C:\3eee", etc.), and the message is sent to only 1 recipient.
On September 12th, a message box is displayed which reads "Happy Birthday!!!"
The file creates a marker file, which it uses to know whether it has emailed its message out: c:\Program Files\Common Files\one.dat
The C:\mIRC\SCRIPT.INI file is overwritten with instructions to send C:\MIRC\SPDTEST.ZIP to IRC users when joining the channel that an infected user is on.
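The files and directories named above are enough to check whether a machine has run the attachment. The following checker is an added example, not part of the original alert or any vendor's tool; the function names and finding strings are hypothetical, and it assumes the overwritten SCRIPT.INI names SPDTEST.ZIP literally.

```python
import os
import re
import sys

ARTIFACT_FILES = [  # paths relative to the drive root, as listed in the alert
    ("Program Files", "Internet Explorer", "oneclock.vbs"),  # mailing script
    ("Program Files", "Common Files", "one.dat"),            # "already mailed" marker
    ("mIRC", "SPDTEST.ZIP"),                                 # copy offered over IRC
]
MIRC_SCRIPT = ("mIRC", "SCRIPT.INI")
# Day-31 payload directories: 1o, 1oo, ... / 2n, 2nn, ... / 3e, 3ee, ...
PAYLOAD_DIR = re.compile(r"^(1o+|2n+|3e+)$", re.IGNORECASE)


def find_ci(root, parts):
    """Resolve parts under root ignoring case, as Windows does; None if absent."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def scan(root):
    """Return sorted findings for the artifacts the alert describes."""
    findings = []
    for parts in ARTIFACT_FILES:
        hit = find_ci(root, parts)
        if hit and os.path.isfile(hit):
            findings.append("file present: " + "\\".join(parts))
    ini = find_ci(root, MIRC_SCRIPT)
    if ini and os.path.isfile(ini):
        with open(ini, "r", errors="replace") as fh:
            # Assumption: the overwritten script names the archive literally.
            if "spdtest.zip" in fh.read().lower():
                findings.append("mIRC SCRIPT.INI references SPDTEST.ZIP")
    dirs = [e for e in os.scandir(root) if e.is_dir() and PAYLOAD_DIR.match(e.name)]
    if dirs:
        findings.append("payload directories: %d" % len(dirs))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan.py <drive root, e.g. C:\\>")
    print("\n".join(scan(sys.argv[1])) or "no artifacts found")
```

A clean mIRC installation may also ship a SCRIPT.INI, which is why the check looks for the archive name inside the file rather than for the file alone.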
DO NOT OPEN AND RUN THIS OR ANY ATTACHMENT, UNLESS YOU KNOW EXACTLY WHAT IT IS, ESPECIALLY FROM FRIENDS AND FAMILY, AS THESE WORMS SILENTLY SEND THEMSELVES!
About the author
Posted by Ken Colburn of Data Doctors on January 11, 2002