VBS_NEDAL.A
Overview

Malware type: VBScript

Aliases: Email-Worm.VBS.Melhack (Kaspersky), VBS/VBSWG.as (McAfee), VBS.Melhack.B (Symantec), Worm/Nedal.5 (Avira), VBS/Meldrop-A (Sophos), Virus:VBS/Melhack (Microsoft)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:


Description: 
This destructive Visual Basic Script malware contains several encrypted functions. Each encrypted function is executed automatically once its corresponding function has decrypted it.

It also drops different files that have been proven malicious.

This VBScript malware propagates by sending an email message with the following details:

Subject: Osama Bin Laden Comes Back!
Message Body:
Hello People,

You have received Email from Osama Bin Laden.
Allah is The One Of God. No god in the World Accept Allah!
All people in the world love peace and no wars. America and Israel must be destroy to prevent from wars.

Your Sincerely,
Osama Bin Laden
Al-Qaeda Network

The HTML email body contains scripts and binary code that create and execute a file, OsamaBinLaden.VBS, in the Windows directory. This file is a copy of this malware.

This file, however, is executed only if ActiveX is enabled in the recipient's email client. The following error message appears in the email body if ActiveX is disabled:

You need ActiveX enabled if you want to see this e-mail.
Please open this message again and click accept ActiveX
Microsoft Outlook


Description created: Sep. 12, 2002 7:32:04 PM GMT -0800
Description updated: Sep. 12, 2002 8:41:21 PM GMT -0800
