** Virus Alert: VBS_STAPLE.A **

VBS_STAPLE.A is a new Visual Basic Script virus that is currently in the wild. Upon execution, this virus displays a message box and then sends itself out via email to the first 50 recipients listed in the address book of the infected user. A sample of the email is as follows:

Subject: RE:Injustice
Message Body:
Dear <Outlook Username>
Did you send the attached message, I was not expecting this from you !
Attachment: INJUSTICE.TXT.VBS

This virus also sends the above email to certain email addresses and then tries to access some web sites using Internet Explorer. 

Upon execution, this Visual Basic Script virus drops a copy of itself in the Windows System directory and displays a message box titled "HELP US TO STOP THE BLOOD SHED!!" with the following text:

PLEASE ACCEPT MY APOLOGIES FOR DISTURBING YOU.
Remember that one day YOU may be in this situation. We need every possible help. Israeli soldiers killed in cold blood 12 year old Palestinian child Mohammad Al-Durra, as his father tried to protect him in vain with his own body. As a result of the indiscriminate and excessive use of machine gun fire by Israeli soldiers, journalists and bystanders watched helplessly as the child was savagely murdered. Palestinian Red Crescent Society medic Bassam Balbeisi attempted to intervene and spare the child's life but live ammunition to his chest by Israeli fire took his life in the process. The child and the medic were grotesquely murdered in cold blood. Mohammad's father, Jamal, was critically injured and permanently paralyzed. Similarly, approximately 40 children were slain, without the media taking notice or covering these tragedies.
THESE CRIMINAL ACTS CANNOT BE FORGIVEN OR FORGOTTEN!!!! HELP US TO STOP THE BLOOD SHED!!

This virus then updates a value in the registry to ensure that a particular recipient receives the email with the virus only once.

"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"

It also sends a copy of itself as an attachment to the following email addresses:

The virus also tries to access the following web sites using Internet Explorer:
http://www.sabra-shatila.org/
http://www.petitiononline.com/palpet/petition.html
http://www.palestine-info.org
http://freesaj.org.uk/
http://hanthala.virtualave.net/
http://www.ummah.net/unity/palestine/index.htm

Should you receive an e-mail that contains this subject header, message, or the attached file, DO NOT OPEN THE ATTACHMENT - PLEASE DELETE IT IMMEDIATELY.
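
The subject line and double-extension attachment name described in this alert can be checked automatically on stored or inbound mail. The following is an added example, not part of the original alert; the extension lists and the build_sample helper are assumptions made for illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicators taken from the alert text.
ALERT_SUBJECT = "re:injustice"
ALERT_ATTACHMENT = "injustice.txt.vbs"
# Assumption: extensions Windows Script Host runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumption: harmless-looking extensions used as a decoy before the real one.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}


def check_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Drop whitespace so "RE:Injustice" and "RE: Injustice" compare equal.
    subject = "".join(str(msg.get("Subject", "")).lower().split())
    if subject == ALERT_SUBJECT:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        suffixes = PurePosixPath(name).suffixes
        if name == ALERT_ATTACHMENT:
            reasons.append("attachment-name")
        # Generic rule: a script extension hidden behind a decoy extension.
        if (len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS
                and suffixes[-2] in DECOY_EXTS):
            reasons.append("double-extension-script")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a placeholder attachment (no real payload)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    print(check_message(build_sample("RE:Injustice", "INJUSTICE.TXT.VBS")))
```

The double-extension rule also flags renamed copies that no longer carry the exact subject or file name given in the alert.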