Virus:VBS/Entice

Installation

Spreads via…

Payload

• If the day of the month is 1, the malware:
• Copies itself as the following files
  
  C:\UNZIPPED\DAMN_SOURCE.MPEG
C:\WINDOWS\DESKTOP\F*CK_FESTIVAL.WMV
C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX.WMV
C:\WINDOWS\DESKTOP\COCK_DEEP-SEX.MPG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M2.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M5.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M7.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES.MPEG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M.MP3
C:\UNZIPPED\DAMN_SOURCE2.MPEG
C:\WINDOWS\DESKTOP\F*CK_FESTIVAL2.WMV
C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX2.WMV
C:\WINDOWS\DESKTOP\COCK_DEEP-SEX2.MPG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M2.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M22.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M52.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M72.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES2.MPEG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M233.MP3
C:\UNZIPPED\DAMN_SOURCE33.MPEG
C:\WINDOWS\DESKTOP\F*CK_FESTIVAL33.WMV
C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX33.WMV
C:\WINDOWS\DESKTOP\COCK_DEEP-SEX33.MPG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES33.MPEG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M33.MP3
C:\WINDOWS\DESKTOP\F*CK_FESTIVAL3553.WMV
C:\WINDOWS\DESKTOP\PORN_MOVIES-SEX3553.WMV
C:\WINDOWS\DESKTOP\COCK_DEEP-SEX3553.MPG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES3553.MPEG
C:\WINDOWS\DESKTOP\C*NT-EAT-C*M3553.MP3

Note: Some of the above file names have been censored.
 
• Displays a message box titled "Coming from NoWhere?!.." with this content "XXX - I Love pr00n.. I want Sex - XXX "

• Attempts to delete the %windir% folder
  
  Note: %windir% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Windows folder for Windows 2000 and NT is C:\Windows or C:\WinNT; and for XP, Vista, and 7 is C:\Windows.

• If the day of the month is 2, it attempts to delete all files in the %windir% folder

• If the day of the month is 3, it attempts to delete files found in C:\

• If the day of the month is 4, it attempts to delete files found in %windir%\system\*.*

• If the day of the month is 5, it attempts to delete files found in c:\*.*