VBS.Tune 

Detected as: VBS.Tune 
Infection Length: 6,689 bytes 
Area of Infection: .VBS Files - Windows 95, 98, NT, 2000 
Likelihood: Rare 
Detected on: Dec 29, 1999 
Region Reported: US 
Characteristics: Worm 




Description 

The Windows Scripting Host (WSH) is required for this virus to replicate. WSH is packaged with Windows 98, Windows 2000, Windows NT and Internet Explorer 5, or can be downloaded from Microsoft's web site and installed in Windows 95. This Visual Basic Script virus begins by copying itself to the following locations: 

c:\windows\tune.vbs 
c:\windows\system\tune.vbs 
c:\windows\temp.vbs 

Next, the virus adds the following registry keys to ensure that it is executed each time the system is rebooted: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor 

Then, the virus identifies each of the drives to which the infected computer is attached and copies itself to the root directory of all fixed and network drives. 

If Microsoft Outlook is installed, the virus first checks for the existence of the following registry key: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Sent? 

If the key is not found, it is created. Then the virus attempts to mail itself to each entry in the address book with the following information: 

Subject: Please Read
Body: Hey, you really need to check out this 
attached file I sent you...please check it 
out as soon as possible.

The email also contains an attachment named: TUNE.VBS 

If mIRC is installed on the target computer in the default directory of c:\mirc, the virus modifies c:\mirc\script.ini and c:\mirc\mirc.ini such that each time an IRC user joins the infected user's channel, a copy of TUNE.VBS is sent via DCC. Similarly, if Pirch98 is installed on the target computer in c:\pirch98, the virus modifies c:\pirch98\events.ini and c:\pirch98\pirch98.ini such that each time an IRC user joins the infected user's channel, a copy of TUNE.VBS is sent via DCC. 

Repair Notes 

Search for all instances of TUNE.VBS and delete them. 
The added registry keys should be deleted. 
If applicable, the following files should be restored from a clean backup: 
c:\mirc\script.ini 
c:\mirc\mirc.ini 
c:\pirch98\events.ini 
c:\pirch98\pirch98.ini 
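
A triage sketch for the repair notes above, added here as an example and not part of the original write-up: it walks a drive root or mounted image for the file indicators and parses a REGEDIT4 (ANSI) registry export for the two HKCU Run values. The function names, the export format, and the idea that a modified IRC config mentions tune.vbs by name are assumptions of this example.

```python
import re
from pathlib import Path

INFECTION_LENGTH = 6689  # bytes, from the entry header above
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"scanregistry", "taskmonitor"}
IRC_CONFIGS = {"mirc": ("script.ini", "mirc.ini"),
               "pirch98": ("events.ini", "pirch98.ini")}


def scan_files(root):
    """Walk a drive root or mounted image; return sorted (kind, path, detail)."""
    root, findings = Path(root), []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        name, parent = p.name.lower(), p.parent.name.lower()
        if name == "tune.vbs" or rel == "windows/temp.vbs":
            same = p.stat().st_size == INFECTION_LENGTH
            findings.append(("worm-copy", rel,
                             "size-match" if same else "size-differs"))
        elif rel.count("/") == 1 and name in IRC_CONFIGS.get(parent, ()):
            # Assumption: a modified config names tune.vbs in its DCC send line.
            if b"tune.vbs" in p.read_bytes().lower():
                findings.append(("irc-config", rel, "references tune.vbs"))
    return sorted(findings)


def scan_reg_export(text):
    """Return (name, data) for the worm's Run values in a regedit export."""
    section, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == RUN_KEY:
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m and m.group(1).lower() in RUN_VALUES:
                hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    import sys
    for finding in scan_files(sys.argv[1]):
        print(*finding)
    if len(sys.argv) > 2:  # optional path to an exported .reg file
        for name, data in scan_reg_export(Path(sys.argv[2]).read_text(errors="replace")):
            print("run-value", name, data)
```

Only the HKCU Run key is matched because ScanRegistry and TaskMonitor are also the names of stock Windows 98 startup entries under HKLM; review the reported value data before deleting anything.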

    Source: geocities.com/timessquare/alley/2794
