VERY IMPORTANT !!!! by Luís Antonio Cardoso 21 May 2001 03:39 UTC
Dear Colleagues,

Excuse me for bothering you, but pay attention to these characteristics of the virus that had been spread in our list yesterday (Sunday). Take care, because this is a new virus.

****************************************************************

VBS/Haptime@MM

This Visual Basic Script virus will append itself to files, delete files, and can spread via embedded VBScript, contained in the body of HTML formatted email messages.

When the script is permitted to run, the virus inserts itself at the end of .ASP, .HTM, .HTML, .HTT, and .VBS files. If the current day plus the current month is equal to 13, the virus attempts to delete .DLL and .EXE files on local and network drives.

The virus saves its viral code to HELP.HTA and HELP.VBS in the first directory found on the C: drive, and to HELP.HTM and UNTITLED.HTM in the WINDOWS directory. A registry key value is created to set the HELP.HTM file to the current wallpaper, which results in the execution of the virus at system startup, if active desktop is enabled:

    HKCU\Control Panel\Desktop\wallPaper=%WinDir%\HELP.HTM

In a similar fashion to JS/Kak@M, this virus configures the default stationery used by Microsoft Outlook Express to an external file, %WinDir%\UNTITLED.HTM. This causes each message sent from Outlook Express to contain hidden viral code. These settings are modified in the registry to accomplish this task:

    HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML="1"
    HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery="1"
    HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name="%WinDir%\Untitled.htm"

Additionally, the .HTT files in the %WinDir%\WEB directory are infected, which results in the virus getting executed each time a folder is viewed as a web page.

The virus keeps track of the number of times that it has been executed by creating a new registry key and incrementing a key value in this key:

    HKCU\Software\Help\

Once the counter reaches a multiple of 366, the virus will unsuccessfully attempt to attach UNTITLED.HTM to the email message which it sends.

****************************************************************

For more detailed info see: http://vil.nai.com/vil/virusChar.asp?virus_k=99080

Thanks,
Luís...
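A check for the registry settings listed in the message above, as an added example that is not part of the original post or of the advisory it links to: it parses a regedit-style text export, reports which of the described settings are present, and lists the day/month pairs that meet the day + month = 13 condition. The sample export, the C:\WINDOWS path and the {GUID-PLACEHOLDER} identity are constructed for illustration.

```python
import re

# Constructed sample in regedit export format; {GUID-PLACEHOLDER} stands in
# for the per-user Identities ID. Not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\HELP.HTM"

[HKEY_CURRENT_USER\Identities\{GUID-PLACEHOLDER}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\WINDOWS\\Untitled.htm"

[HKEY_CURRENT_USER\Software\Help]
'''

OE_MAIL = re.compile(r"identities\\[^\\]+\\software\\microsoft\\outlook express\\5\.0\\mail")

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # un-double the backslashes used by the export format
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\").lower()
    return keys

def haptime_indicators(text):
    """List the registry settings described in the message that the export contains."""
    hits = []
    for key, values in parse_reg(text).items():
        root, _, sub = key.partition("\\")
        if root != "hkey_current_user":
            continue
        if sub == "control panel\\desktop" and values.get("wallpaper", "").endswith("\\help.htm"):
            hits.append("wallpaper set to HELP.HTM")
        if OE_MAIL.fullmatch(sub) and values.get("stationery name", "").endswith("\\untitled.htm"):
            hits.append("Outlook Express stationery set to UNTITLED.HTM")
        if sub == "software\\help":  # generic key name: weak on its own
            hits.append("HKCU\\Software\\Help key present")
    return hits

def payload_dates():
    """(day, month) pairs where day + month == 13, the file-deletion condition."""
    return [(13 - month, month) for month in range(1, 13)]
```

Key and value names are compared case-insensitively because the registry treats them that way; the HKCU\Software\Help hit is only meaningful alongside one of the other two.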
World Systems Network List Archives at CSF