Subscribe0 0
This is a virus-worm that spreads via IRC channels. The worm itself is a batch-script file about 3 Kb in length.
The worm copies itself to the following batch files:
C:\Windows\winstart.bat
C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win95\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win98\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\WinME\LINUX_SH_DOS_BAT_WIN_JS.bat
The batch file drops and executes the JS file LINUX_SH_DOS_BAT_WIN_JS.JS. This JS file displays a dialogue window with the following Title/Subject:
Radix16/SMF
SH-BAT-JS
After this, the worm creates and sends the new e-mail message to the following address:
Radix16@atlas.czThe infected messages contain the following:
Subject: SHBATJS
Body: crazzy bat :) testing MS OTLOOK in the (WORLD)
Attach: LINUX_SH_DOS_BAT_WIN_JS.bat
The virus-worm also creates the file C:\MIRC\SCRIPT.INI. This INI file sends the batch file to the IRC channels.
Installing
While installing, the worm copies its JS component to the Windows directory with the name C:\WINDOWS\LINUX_SH_DOS_BAT_WIN_JS.JS, and registers this file in the WIN.INI run section.
The worm also contains the following text strings:
# /bin/sh
-=LINUX START=-
-=DOS/WIN START=-
ONLY SAMPLE (TEST) LINUX SH DOS BAT WIN JS ...........
WoRlD iS mY
Hot Articles