HomeEnterprise

E-Mail Worm Posing As Britney Pics

Michael Singer
By Michael Singer

Britney Spears is not just a pop star – she’s a new worm squirming its way through the Web.

The low-risk bug was identified Tuesday by anti-virus experts including the ones at Anti-Virus Emergency Response Team (AVERT), the anti-virus research division of Network Associates .

The visual basic-based worm originally named VBS/BritneyPic@MM and renamed VBS/Chick@M is currently being tracked across Europe but has the potential to spread worldwide.

The virus is currently detected with the 4150 DATs (or newer) as VBS/Generic@MM when scanning compressed files. The VBS/BritneyPic@MM name will be included in the 4189 DATs.

Like the “Anna Kournikova” and “Jennifer Lopez” e-mail worms before it, “Britney” primarily affects Microsoft Outlook and a popular Internet Relay Chat client program, but uses more social engineering to take advantage of the e-mail recipient.

Social engineering viruses rely on sensational subject lines, in this case “Britney Pics”, to tempt users.

“Even though people swore up and down after the ‘ILOVEYOU’ and ‘Kournikova’ viruses that they would never open another e-mail attachment, they do forget after some time,” says McAfee AVERT researcher Craig Schmugar. “This worm didn’t come directly after a major one, so I would expect people will get hit with this one.”

How It Works

The compiled HTML Help file contains VBScript to e-mail itself to all users in the Outlook address book using MAPI messaging. It arrives in an e-mail message containing the following information.

Subject: RE: Britney Pics

Body: Take a look at these pics …

If you open the CHM file, a Window is displayed and an Internet Explorer warning message appears on top of it.

Clicking YES infects the local system. The worm checks each directory on the C, D, and E drives for SCRIPT.INI.

If it finds one, the worm overwrites the file with mIRC instructions to send itself (from the WINDOWS directory) to IRC users who are on the same channel as the infected user. The worm is then saved to the WINDOWS directory and a registry value is queried to see if the worm has e-mailed itself to others already:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionchm

If the CHM does not equal 1, then the worm proceeds in sending itself to all users in the Outlook address book, and then setting CHM equal to 1 in the registry.

As with all other warnings, anti-virus experts say you should always be weary of attachments in your e-mail unless you are expecting it from the sender. And even then, you might want to consider calling the sender if you still are not sure.

Michael Singer
Michael Singer
Previous article
Application Development Products of the Year 2001
Next article
Oh, for Streaming Out Loud!

Similar Posts

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Advertisers

Advertise with TechnologyAdvice on InternetNews and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2024 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.