This malicious Visual Basic Script (VBS) usually arrives on a system as a file downloaded from the Internet by unsuspecting users when visiting malicious Web sites. It may also arrive as a file dropped or downloaded by other malware.
Upon execution, it connects to the following URL to download a malicious file detected by Trend Micro as TROJ_AGENT.OFB:
The said file is saved in the Temporary folder with the file name SVCIPA.EXE. This VB Script also executes the downloaded file.
As a result of this, the behavior of the downloaded Trojan may be observed on the affected system.
This malicious script runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Hazel Mariscal