PLATFORM: Windows


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This destructive Visual Basic Script (VBS) file infector attempts to attach itself at the beginning of target host files and inserts hyperlinks to a picture of a baby over the Internet.

  TECHNICAL DETAILS

File Size: 1,834 bytes
File Type: VBS
Initial Samples Received Date: 06 Nov 2002

NOTES:

VBS_SUCOP.A uses WSCRIPT.EXE to perform its malicious tasks. Upon execution, this malware displays a message box with the header VBS.WhyMe containing the text: Fret Now!! Just A Simple Virus By The Hocus Pocus Team!!

When the OK button is pressed, the malware proceeds with dropping the following files in the C:\WINDOWS\Desktop folder:

  • 7baby.vbs - This is the copy of this malware.
  • HocusPocus.URL - Another copy of the malware; this is a hyperlink serving as a shortcut to C:\WINDOWS\TEMP\7baby.vbs

The virus also creates the file C:\WINDOWS\Favorites\HocusPocus.URL, which is a shortcut to http://www.bo<blocked>ed.com/hocus_pocus, the virus writer's web page. Because this link is in the Favorites folder, the shortcut appears in the Favorites menu of the Internet browser on the infected system.

This virus searches for VBS files in C:\ and attempts to attach itself at the beginning of each host. However, due to errors in its code, it sometimes partly overwrites the host file, making the host unexecutable.

When a user visits the site, http://www.boed.com/hocus_pocus/7baby.jpg, VBS_SUCOP.A downloads a picture and saves it as C:\WINDOWS\Start Menu\Programs\Startup\7baby.jpg. As a result, the picture is supposed to be displayed not only at every malware execution but also at every Windows restart.

This nonmemory-resident virus displays an "OK" message before terminating.

Infected files have the following remarks at the start of their code:

VBS.WhyMe by HocusPocus in notepad
I'm just a baby.. :P

These remarks are shown for every file infected successfully.
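The remarks and dropped-file paths above are enough for a quick triage check. The following is an added example, not part of the original description or any Trend Micro tooling: it looks for the dropped files under a Windows directory and flags .vbs files that carry the remarks near the top. The number of leading lines inspected and the function names are assumptions; the remark text is matched without assuming a comment prefix, since the description does not show one.

```python
import os

# Remark text quoted in the description; the comment prefix (' or Rem) is not
# shown there, so the text is matched anywhere within a leading line.
MARKERS = ("VBS.WhyMe by HocusPocus", "I'm just a baby")
# Paths named in the description, relative to the Windows directory.
DROPPED = (
    r"Desktop\7baby.vbs",
    r"Desktop\HocusPocus.URL",
    r"TEMP\7baby.vbs",  # target of the Desktop shortcut
    r"Favorites\HocusPocus.URL",
    r"Start Menu\Programs\Startup\7baby.jpg",
)
HEAD_LINES = 5  # assumption: the virus prepends itself, so only the top is read

def has_marker(path):
    """True if one of the first HEAD_LINES lines carries an infection remark."""
    try:
        with open(path, "r", encoding="latin-1") as fh:
            head = [fh.readline() for _ in range(HEAD_LINES)]
    except OSError:
        return False
    head = [line.replace("\x00", "").lower() for line in head]  # tolerate UTF-16
    return any(m.lower() in line for line in head for m in MARKERS)

def scan_scripts(root):
    """Walk root and return sorted paths of .vbs files with a remark at the top."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".vbs") and has_marker(full):
                hits.append(full)
    return sorted(hits)

def find_dropped(windir):
    """Return the dropped-file paths from the description that exist in windir."""
    paths = [os.path.join(windir, *rel.split("\\")) for rel in DROPPED]
    return [p for p in paths if os.path.isfile(p)]

if __name__ == "__main__":
    for p in find_dropped(r"C:\WINDOWS"):
        print("dropped file:", p)
    for p in scan_scripts("C:\\"):
        print("script with infection remarks:", p)
```

A hit from the remark scan identifies a file to hand to the antivirus scan described under SOLUTION; because the virus sometimes partly overwrites its host, a flagged script may not be recoverable by removing the prepended code.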

  SOLUTION

Minimum Scan Engine: 9.750
FIRST VSAPI PATTERN FILE: 1.380.33
FIRST VSAPI PATTERN DATE: 06 Nov 2002

Scan your computer with your Trend Micro product and note files detected as VBS_SUCOP.A.

NOTES:

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:
Removing the Malware-Dropped Files

To remove the malware from your system, first delete the files dropped by the malware.

  1. Open Windows Explorer. Right-click Start then click Explore.
  2. In the left-hand panel, click C:\WINDOWS\Desktop.
  3. Locate and delete the file: HocusPocus.URL
  4. In the left-hand panel again, click C:\WINDOWS\Start Menu\Programs\Startup
  5. Locate and delete the file: 7baby.jpg
  6. Close Windows Explorer.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as VBS_SUCOP.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

