 Way
Threat Level:  Moderate
Distribution:  Low
Damage: Severe
The Threat Level varies according to the Distribution and Damage levels
 
  Effects
 

Way has the following effects:

  • It deletes the content of the system files.
  • It deletes files belonging to certain antivirus programs.


  Means of infection
 

Way creates the following files:

  • README.TXT.VBS, in the root directory of the hard drive. This file is a copy of the worm and is the file that is sent via e-mail. Way deletes it after it has been run for the first time.
  • CHINABOY.JPG.BAT, in the directory c:\I_LOVE_CHINA_BLACK_AT_PACIFIC_PLAZA, which is created by Way. This file is a copy of the worm.
  • SCRIPT.INI. This file is only created if the chat program mIRC is installed. It allows Way to spread via chat.
  • CHINA_BABES.BAT, CHINA_BOYS.BAT and CHINA_GIRLS.BAT in the Windows directory. These files are copies of the worm.
  • CHINA.REG, in the directories indicated by the path command in the AUTOEXEC.BAT file. It contains the Windows Registry entry that is modified by Way. It overwrites all the files with a REG extension in the directories where it is placed.
  • CHINA_HUNKS.VBS: in the directories indicated by the path command in the file AUTOEXEC.BAT. It causes the worm to be run. It overwrites all the files with a VBS extension in the directories where it is placed.
  • CHINA_LADIES.BAT: it is a copy of the worm. This file overwrites all the files with a BAT extension in the directories where the AUTOEXEC.BAT is stored.
  • PIF.PIF: the worm uses this file to ensure that it is run whenever an MS-DOS window is opened. Then, it overwrites all the files with a PIF extension in the directories where it is placed.
  • VBS.LNK: it is a shortcut to the file that contains the worm. It overwrites all the files with an LNK extension in the directories where it is placed.

Way modifies the following files by deleting their content:

  • WIN.INI
  • SYSTEM.INI

Finally, Way also deletes some files belonging to antivirus programs.

Way creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run =
    Chinablackblackblack "c:\windows\china_girls.bat"
    By creating this entry, Way ensures that it is run whenever Windows is started.
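
The file and registry traces listed above can be checked mechanically. The following Python is an added example, not part of the original entry or of any Panda tool; the function names and the sample tree are assumptions constructed for illustration, and SCRIPT.INI is left out because ordinary mIRC scripts use that name too.

```python
import os
import tempfile

# File names from the list above, lower-cased: Windows names are case-insensitive.
ARTIFACTS = {"readme.txt.vbs", "chinaboy.jpg.bat", "china_babes.bat",
             "china_boys.bat", "china_girls.bat", "china.reg",
             "china_hunks.vbs", "china_ladies.bat", "pif.pif", "vbs.lnk"}
WORM_DIR = "i_love_china_black_at_pacific_plaza"
EMPTIED = {"win.ini", "system.ini"}  # files whose content the worm deletes
RUN_TARGET = "china_girls.bat"       # file launched by the Run entry above


def scan_tree(root):
    """Walk root and return sorted (indicator, path) tuples for traces of Way."""
    hits = []
    for folder, dirs, files in os.walk(root):
        for d in dirs:
            if d.lower() == WORM_DIR:
                hits.append(("worm-directory", os.path.join(folder, d)))
        for name in files:
            path = os.path.join(folder, name)
            low = name.lower()
            if low in ARTIFACTS:
                hits.append(("worm-file", path))
            elif low in EMPTIED and os.path.getsize(path) == 0:
                hits.append(("emptied-system-file", path))
    return sorted(hits)


def suspicious_run_values(run_values):
    """run_values: dict of value name -> command line exported from the Run key."""
    return [n for n, cmd in run_values.items() if RUN_TARGET in cmd.lower()]


def build_sample(root):
    """Constructed sample tree: worm directory, worm file, emptied and intact INI."""
    os.makedirs(os.path.join(root, "I_LOVE_CHINA_BLACK_AT_PACIFIC_PLAZA"))
    os.makedirs(os.path.join(root, "WINDOWS"))
    for rel, body in [("WINDOWS/China_Girls.bat", "x"), ("WINDOWS/WIN.INI", ""),
                      ("WINDOWS/SYSTEM.INI", "[boot]"), ("WINDOWS/notes.txt", "x")]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in scan_tree(tmp):
            print(kind, path)
        print(suspicious_run_values({"Chinablackblackblack": r'"c:\windows\china_girls.bat"'}))
```

An empty WIN.INI or SYSTEM.INI is reported separately from the worm's own files because it indicates damage that remains after the worm's files have been removed.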


  Means of transmission
 

Way spreads via e-mail and IRC (chat).

1.- Transmission via e-mail:

Way sends itself out to all the contacts in the Outlook Address Book in an e-mail message with the following characteristics:

  • Subject:
    Which pub in Singapore is the best in the world?
  • Message:
    Read me to find out!!!!
  • Attachments:
    README.TXT.VBS

2.- Transmission via the IRC channels:

If the IRC program is installed on the affected computer, Way waits for the user to connect to an IRC chat channel. Once in the channel, Way sends itself out to all the users connected to that channel.


  Other details
 

Way is detected by Panda Antivirus as VBS/Generic.


Last updated:  June 28, 2002 

 

© Panda 2009