Weekly Virus Report – VBS/Lisa and Refoav Worms and Dialer.AF Trojan
This week’s report focuses on two worms -VBS/Lisa and Refoav- and a Trojan called Dialer.AF.
VBS/Lisa spreads through IRC chat channels, shared network drives and the KaZaA program. In the case of e-mail, it spreads in a message with the subject “Click YES and vote against war!”. This worm also creates over 5,000 folders in the root directory of the hard disk, and copies a text file with the line “I will never stop loving you” to each of the folders.
VBS/Lisa inserts a series of commands in the Autoexec.bat file in order to format the C:\ drive and reboots the computer so the format process begins. This worm also eliminates the “Regedit.exe” file and, if the system date is three days after infection occurred (or later), VBS/Lisa deletes the following files: “user.dat”, “user.bak”, “system.dat”, “system.bak” and “win.com”. Finally, VBS/Lisa disables all shortcuts on the Windows desktop and, in order to make detection by antivirus programs more difficult, it inserts junk characters in its code.
The second worm we will refer to today is Refoav, which is easy to identify, as it always reaches computers in an e-mail message with the following attached file: “FOAVRE.EXE”. After infecting a computer, it displays a series of messages on screen. Then, it sends itself out to all the contacts in Outlook’s Address Book and to other addresses it finds on the affected computer. Finally, it deletes itself from the computer.
Refoav creates a key in the Windows Registry in order to be run every time Windows is started. Furthermore, it creates the following files: “VBSELI.VBS”, “FOAVRE.EXE” and “DATOSPC.DAT” in the root directory of the infected computer.
Dialer.AF is a Trojan of the dialer type which creates a file called “EROS.EXE” in the affected computer and inserts several keys in the Windows Registry. Dialer.AF has the following effects:
– When it has been installed on the affected computer, it displays an icon in the Taskbar, next to the system clock. If the user right-clicks on this icon, the option Uninstall is displayed. When the user selects this option, the program seems to be uninstalled. However, a process is left in memory and neither the entry inserted in the Windows Registry nor the file are deleted. Therefore, when the computer is restarted, Dialer.AF will remain resident in the affected computer and leave a port open.
– It makes a call to a premium rate number through the Internet and without the user’s consent, with the cost that these calls entail.