Virus

W32/Qizy.A

Analysis

  • The virus is 32-bit, with a compressed file size of 32,768 bytes
  • The virus was written in Visual C++ and carries an embedded VBScript component with instructions to send the virus, using Outlook, to the first 666 contacts in the Outlook address book
  • The VBScript component attempts to compose an email in the following format and send it to others:

    Subject = "Merry Christmas!"
    Body =
    "You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)"
    Attachments = "xmas.scr"

  • If the virus is run, it will extract the VBScript component, run it, then remove it from the hard drive

  • The virus will then begin searching for target executables to infect. If a suitable file is found, the virus will prepend itself to that file, increasing the file size by 32,768 bytes

Recommended Action

  • Enable blocking of files with the extension .SCR via SMTP, POP and HTML protocol
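
One way to apply the recommended .SCR block at a mail gateway or in a mailbox sweep, shown as an added example (not code from the original advisory). The function names, the sample message and its addresses are constructed for illustration.

```python
import email
from email import policy

# Extension named in the Recommended Action; extend per local policy.
BLOCKED_EXTENSIONS = (".scr",)

# Constructed sample message in the format described in the Analysis section.
SAMPLE = (
    "From: sender@example.com\r\n"
    "To: recipient@example.com\r\n"
    "Subject: Merry Christmas!\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "You've probably received enough e-cards. "
    "Here's a nice Christmas screensaver instead :)\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="XMAS.SCR"\r\n'
    "\r\n"
    "cGxhY2Vob2xkZXI=\r\n"  # base64 of the word "placeholder", not a real payload
    "--b1--\r\n"
)

def is_blocked_name(name: str) -> bool:
    """True if an attachment filename ends in a blocked extension."""
    # Windows ignores trailing dots and spaces, so "xmas.scr." still opens as .scr.
    cleaned = name.strip().rstrip(". ").lower()
    return cleaned.endswith(BLOCKED_EXTENSIONS)

def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames of all MIME parts that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into nested multiparts and forwarded messages.
    for part in msg.walk():
        name = part.get_filename()  # checks Content-Disposition, then Content-Type name
        if name and is_blocked_name(name):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE.encode()))
```

The match is on the final extension only, so a double extension such as photo.jpg.scr is still caught while a name like scr.txt is not.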