Database : VBS.Noon
VBS.Noon
Virus Name: VBS.Noon
Aliases: I-Worm.Noon, VBS.Wormmie, I-Worm.Wormmie
Type: Worm
Resident: No
Stealth: No
Trigger: None
Payload: Deletes Rundll32.exe in C:\Windows.
Comments:

This is a typical VBS worm that uses Microsoft Outlook MAPI to mail itself out to all contacts in the email address book. One notable difference though lies in how this worm reacts to different mailer programs installed on the computer.

When this worm is activated it deletes the file C:\Windows\Rundll32.exe. This path name is hardcoded in the virus. Depending on which email client you are using at the time, the virus will then do one of two things:

If you are using Outlook, this worm will create copies of itself on your C drive with the following names (the path and file names are hard-coded in the worm):

C:\Wormmie.vbs
C:\Wormmie.bat
C:\Wormmie.ini
C:\Wormmie.pif
C:\Program Files\Wormmie.vbs
C:\My Documents\Wormmie.vbs

The virus also creates the following file in your \Windows\System folder:

%System%\Wormmie.vbs

The file Wormmie.vbs is used by the worm to send itself out to all the contacts in your Microsoft Outlook Address Book. While going through your contact list, this worm displays a message box with the email address of each contact that is sent a copy of the worm. After emailing each contact, this worm will create the following registry key, which it sets to the value of 1:

HKEY_CURRENT_USER\software\An\mailed

If you are using a email client other than Microsoft Outlook, this worm will display the following series of message boxes:

If the registry key HKEY_CURRENT_USER\software\An\mailed is set to 1, the worm displays the following message box:

If the registry key HKEY_CURRENT_USER\software\An\mailed is not set to 1, the worm displays the following message box:

Finally the worm does a time check to see if the time is equal to 00:00:00 or 12:00:00. If the time is equal to 00:00:00 it displays the following message box:

If the time is equal to 12:00:00 the worm displays the following message box:

Following the email program-dependent actions discussed prefiously, the worm opens one of three Internet search engines. Finally the worm displays a message box with the following text:

Wormmie
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!
Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie! Wormmie!

Copyright © 2001, All Rights Reserved.
Created & Maintained by VQUEST.