VBS/VBSWG.K
VBS/VBSWG.K is a worm written in Visual Basic Script and created with the generator VBSWG 1.1 (Visual Basic Script Worm Generator). The worm body is encrypted. The worm spreads as a file attachment to email messages or through the IRC clients mIRC and Pirch.
The worm arrives on a computer in an email message with the subject "Neues von Ihrem Internetdienstleister - Robert T. Online informiert". The attachment is a file named Neue Tarife.txt.vbs with a size of approximately 7396 bytes. The body of the message consists of the following text:
Sehr geehrter Internetsurfer,
es hat sich einiges bei uns getan. Die Telekom kann auch Ihre Internetkosten reduzieren. Wir haben auch für Sie den richtigen Tarif... Damit auch Sie sich entscheiden können, haben wir eine Übersicht aller für Sie relevanter Termine an diese eMail gehängt.
Wir sind Sicher, auch Sie werden Ihren Wunschtarif finden.
Bei fragen stehen wir Ihnen natürlich jederzeit zur Verfügung...
Ihr T-Online Service Team
Note: In the following text, the symbolic entry %windir% is used in place of the name of the directory in which the Windows operating system is installed, since that name may differ from one installation to another.
When the attached file containing the worm code is executed, it is copied as the file Neue Tarife.txt.vbs into the directory %windir%. In the system registry the worm creates the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T with the value wscript.exe %windir%\Neue Tarife.txt.vbs %. This ensures that the worm is activated at each system restart.
The worm sends copies of itself to all email addresses it finds in the address book. It records the fact that it has already sent its copies from the infected computer by creating the key HKCU\software\mailed in the system registry and setting the value of the key to 1.
The worm then looks for the directory in which the IRC client mIRC is installed. If it finds that directory, it creates the file mirc.ini in it. This file contains the initial settings of the IRC client mIRC. The file created by the worm offers the worm for download through DCC to everybody connected to the same channel as the user of the infected computer. The worm records the creation of mirc.ini by creating the key HKCU\software\mirqued in the system registry and setting the key value to 1. The NOD32 system identifies the created file as mIRC/Salim.A.
The worm does the same for the IRC client Pirch. If it finds the directory in which Pirch is installed, it creates the file events.ini in it. This file contains the initial setting of the IRC client mIRC. The file created by the worm offers the worm for download through DCC to everybody connected to the same channel as the user of the infected computer. The worm records the creation of events.ini by creating the key HKCU\software\pirched in the system registry and setting the key value to 1. The NOD32 system identifies the created file as pIRCH/VBSWG.K.
Subsequently, the worm searches all accessible shared disks for directories containing the IRC clients mIRC and Pirch. If it finds them, it creates the above-mentioned files in them.
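A triage check for the registry markers described above, as an added example that is not part of the original entry and is not ESET's code: it parses the text of a registry export (.reg format, already decoded to a string) and reports which of the worm's markers are present. The function names and the sample export are constructed for illustration; because the description does not make clear whether T, mailed, mirqued and pirched are subkeys or named values, the check accepts either form.

```python
import re

# Markers taken from the description above: label -> (hive, parent key, name).
MARKERS = {
    "autorun": ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "T"),
    "mail_sent": ("HKEY_CURRENT_USER", "software", "mailed"),
    "mirc_ini_written": ("HKEY_CURRENT_USER", "software", "mirqued"),
    "pirch_ini_written": ("HKEY_CURRENT_USER", "software", "pirched"),
}
DROPPED_NAME = "neue tarife.txt.vbs"  # file name the worm copies itself to

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:  # "@" is the key's default value, stored under the name ""
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name.lower()] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_markers(reg_text):
    """Return {marker label: data found} for every marker present in the export."""
    keys, hits = parse_reg(reg_text), {}
    for label, (hive, parent, name) in MARKERS.items():
        parent_path = f"{hive}\\{parent}".lower()
        as_value = keys.get(parent_path, {}).get(name.lower())  # named value form
        as_key = keys.get(f"{parent_path}\\{name.lower()}")     # subkey form
        if as_value is not None:
            hits[label] = as_value
        elif as_key is not None:
            hits[label] = as_key.get("", "")
    return hits

def autorun_points_to_worm(hits):
    return DROPPED_NAME in hits.get("autorun", "").lower()

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T"="wscript.exe C:\\WINDOWS\\Neue Tarife.txt.vbs %"
[HKEY_CURRENT_USER\Software]
"mailed"="1"
[HKEY_CURRENT_USER\Software\mirqued]
@="1"'''
```

A hit on mirc_ini_written or pirch_ini_written means the mirc.ini or events.ini in the corresponding client directory should be inspected as well, including copies on shared disks.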
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.
