VERY IMPORTANT !!!!
by Luís Antonio Cardoso
21 May 2001 03:39 UTC
Dear Colleagues,

Excuse me for bothering you, but pay attention to these characteristics of 
the virus that had been spread in our list yesterday (Sunday).

Take care, because this is a new virus.


****************************************************************************************************
VBS/Haptime@MM

This Visual Basic Script virus will append itself to files, delete files, 
and can spread via embedded VBScript, contained in the body of HTML 
formatted email messages.
When the script is permitted to run, the virus inserts itself at the end of 
.ASP, .HTM, .HTML, .HTT, and .VBS files. If the current day plus the 
current month is equal to 13, the virus attempts to delete .DLL and .EXE 
files on local and network drives.
The virus saves its viral code to HELP.HTA and HELP.VBS in the first 
directory found on the C: drive, and to HELP.HTM and UNTITLED.HTM in the 
WINDOWS directory.
A registry key value is created to set the HELP.HTM file to the current 
wallpaper which results in the execution of the virus at system startup, if 
active desktop is enabled:
HKCU\Control Panel\Desktop\wallPaper=%WinDir%\HELP.HTM
In a similar fashion to JS/Kak@M, this virus configures the default 
stationery used by Microsoft Outlook Express to an external file, 
%WinDir%\UNTITLED.HTM. This causes each message sent from Outlook Express 
to contain hidden viral code. These settings are modified in the registry to 
accomplish this task:
HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML="1"
HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery="1"
HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name="%WinDir%\Untitled.htm"
Additionally, the .HTT files in the %WinDir%\WEB directory are infected, 
which results in the virus getting executed each time a folder is viewed as 
a web page.
The virus keeps track of the number of times that it has been executed by 
creating a new registry key and incrementing a key value in this key:
HKCU\Software\Help\
Once the counter reaches a multiple of 366, the virus will unsuccessfully 
attempt to attach UNTITLED.HTM to the email message which it sends.
**************************************************************************************************

For more detailed information, see: http://vil.nai.com/vil/virusChar.asp?virus_k=99080


Thanks,

Luís...
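
Added example, not part of the original message or the quoted description: a Python triage script that scans the text of a registry export (.reg format) for the HKCU settings listed above. The sample export, the identity GUID and the function names are constructed for illustration, and matching on the file names HELP.HTM and Untitled.htm at the end of the path is an assumption about how the exported values appear.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
OE_MAIL = "\\software\\microsoft\\outlook express\\5.0\\mail"

def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := VALUE.match(line)) and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            current[m.group(1).lower()] = data
    return keys

def find_haptime_indicators(text):
    """Return (indicator, evidence) pairs for the HKCU settings described above."""
    hits = []
    for key, values in parse_reg(text).items():
        root, _, sub = key.partition("\\")
        if root != "hkey_current_user":
            continue
        if sub == "control panel\\desktop":
            # Wallpaper pointing at HELP.HTM: the Active Desktop startup hook.
            if values.get("wallpaper", "").lower().endswith("\\help.htm"):
                hits.append(("wallpaper", values["wallpaper"]))
        elif sub.startswith("identities\\") and sub.endswith(OE_MAIL):
            # HTML mail and stationery are normal on their own; the stationery
            # file name is the distinguishing value.
            if values.get("stationery name", "").lower().endswith("\\untitled.htm"):
                hits.append(("stationery", values["stationery name"]))
        elif sub == "software\\help":
            hits.append(("counter-key", key))  # execution-counter key exists
    return hits

# Constructed sample export; the identity GUID and paths are made up.
INFECTED = r'''[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\HELP.HTM"
[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Message Send HTML"=dword:00000001
"Stationery Name"="C:\\WINDOWS\\Untitled.htm"
[HKEY_CURRENT_USER\Software\Help]
'''

if __name__ == "__main__":
    for indicator, evidence in find_haptime_indicators(INFECTED):
        print(f"{indicator}: {evidence}")
```

Exports written in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to find_haptime_indicators().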



World Systems Network List Archives
at CSF