There's nothing new about the latest Internet worm, Shakira (vbs.vbswg-aq@mm). An e-mail message allegedly containing photos of the Grammy-winning Colombian rock star will instead launch a flood of infected copies at other users of Microsoft Outlook or IRC. Like the Anna worm, Shakira is the product of a VBS worm-generator kit. Most antivirus software vendors already have protection available to block it, hence the official name: Vbswg-aq. When the Shakira worm invades your PC, it displays this message: "You have been infected by the ShakiraPics Worm." Because Shakira is not destructive and just sends e-mail, it currently ranks a 4 on the ZDNet Virus Meter.
How it works
The Shakira worm arrives as e-mail with the subject line "Sharkira pics." The body text is "Hi :i have sent the photos via attachment have funn..." The attached file is shakirapics.jpg.vbs.
If you open the attached file, the worm copies itself into the Windows folder as shakirapics.jpg.vbs, then makes a few changes to the Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = wscript.exe <WindowsDir>\ShakiraPics.jpg.vbs
In order to keep from spreading twice, Shakira also sets the following Registry keys:
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached VBS file in Shakira. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. You may also disable the Windows Scripting Host on your computer to further thwart Shakira. Contact your antivirus vendor to obtain the antivirus signature files that include Shakira.
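The attachment name described above, shakirapics.jpg.vbs, hides a script extension behind a harmless-looking one, and a mail gateway can flag that pattern before a user ever sees the file. The following is an added example, not code from the original article or from any vendor; the extension lists, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; extend them to match local policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}   # run by Windows Script Host
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

def classify(filename):
    """Return 'double-extension', 'script', or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    parts = [p.strip() for p in filename.strip().rstrip(". ").lower().split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        # name.jpg.vbs is displayed as name.jpg when known extensions are hidden
        return "double-extension"
    return "script"

def risky_attachments(msg):
    """List (filename, reason) for every attachment that should be quarantined."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()   # also decodes RFC 2231 encoded names
        reason = classify(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

def build_sample():
    """Constructed message; attachment bodies are inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "Sharkira pics"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="shakirapics.jpg.vbs")
    m.add_attachment(b"placeholder", maintype="image",
                     subtype="jpeg", filename="holiday.jpg")
    # Round-trip through bytes so the check runs on a parsed message,
    # the way a mail gateway would see it.
    return email.message_from_bytes(m.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"quarantine {name}: {reason}")
```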
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Norman, Sophos, Symantec, or Trend Micro.