Threat Center Threats Explained Threat Encyclopedia Threat Blog Security Tips Case Studies White Papers Newsletter Signup
 

VBS/Sargo.A


VBS/Sargo.A is a worm that spreads by means of the file NastySarah.jpg.vbs in a file attachment of email messages.  It is written in Visual Basic Script but it contains errors which prevent its successful spreading.  When the file NastySarah.jpg.vbs is run the worm copies itself into the subdirectory SYSTEM of the directory where the operating system Windows is installed (typically /WINDOWS/SYSTEM).  It ensures its activation in the future by creating the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NastySarah".  The worm sets the value of the key such that the file NastySarah.jpg.vbs containing the worm will be run.  To spread the worm prefers to use the MAPI interface.  If MAPI is not installed it tries to use Collaboration Data Objects or Microsoft Outlook.  If it does not find any of the mentioned options it will display the following message:

The worm code contains an error which is presented by displaying the window with error message Windows Scripting Host.  The worm checks messages in received mail.  If it finds the string "NASTYSARAH" in a message subject it deletes it.  The worm answers to messages received within the previous 4 days.  It sends its copy to these addresses .  In the body of the answer the following text is written: Thanks for your mail! I've been kind of busy lately, and haven't really had time to do a full reply, so, until I do, check this out.  Then the text Regards (name of the original sender) follows and a copy of the original message is added.  If there are any requests concerning the sent message the worm answers them by a message confirming that it was really sent by the author and that the file in the attachment is safe.  With the probability of 5% the worm modifies keys in the system registry.  That may cause for example change of registered Windows user to VBS/NastySarah@m.  On May 31st the worm tries to write the message: Have you ever heard of that fat, ugly bitch Sarah Gordon? She claims to be 'discovering what drives us', but really, she just pisses us off! In honor of Sarah Gordon, fat bitch of the high seas! but it never succeeds because of an error in the code and as a result an error message is displayed.  Then the worm modifies the file autoexec.bat in such a way that the whole disk C: will be deleted at the next system restart.



PROTECT YOUR COMPUTER!
ESETs NOD32 antivirus software provides comprehensive, easy-to-use, and affordable protection from todays and tomorrows threats. We put the malware expert inside the software, so you don’t have to become one.

DOWNLOAD ESET NOD32 ANTI VIRUS SOFTWARE

 

 
Top of Page Back One Page Print this Page