Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 03 May 2001 03:00:00
Description created: 15 Aug 2001 03:00:00
Description updated: 26 Nov 2002 04:21:00
Malware type: VIRUS
Aliases: Happy Time, VBS.Happytime.A, VBS_Haptime
Spreading mechanism: EMAIL
Summary: None

VBS/Haptime.A@mm

Spreading

When activated, it drops four infected files: Help.vbs, Help.hta, Help.htm and Untitled.htm.

It searches the hard disk for HTML, VBS, HTM and ASP files to infect. If the sum of the current day and month is 13, it instead searches the hard disk for EXE and DLL files and deletes all files with these extensions.
The file c:\windows\help.htm is set as the desktop wallpaper by editing the following registry key:

HKEY_CURRENT_USER\Control Panel\desktop\wall Paper\

To spread through email, it changes the following registry keys (wrapped for readability):

HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
   Outlook Express\5.0\Mail\Message Send HTML="1"
HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
   Outlook Express\5.0\Mail\Compose Use Stationery="1"
HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
   Outlook Express\5.0\Mail\Stationery Name="C:\WINDOWS\Untitled.htm"

C:\windows\Untitled.htm will now be embedded in all mail sent from MS Outlook Express.

As you can see from the registry settings, this worm uses the stationery feature of Outlook Express. Stationery is an HTML template applied to new messages; with this "feature" in MS Outlook Express you can change the fonts and background used in the mail message. VBS/Haptime sets HTML as the default message format, creates an infected HTML page and sets that page as the default stationery for MS Outlook Express. All new messages sent from an infected computer will then automatically include the infected HTML file in their HTML-formatted body.

It also exploits a security hole in a Microsoft ActiveX control, scriptlet.typelib, to execute without the user's knowledge. If the security patch from Microsoft is not installed, it is enough for an infected email to be displayed in the preview pane of MS Outlook Express for the worm to be activated. Read more about this security hole in our security article, which also has links to the patch from Microsoft.
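A defender-side check for the settings listed above, added here as an example and not code from the original description or from Lumension/Norman. It parses a small registry export in .reg format (the identity GUID and the export itself are constructed for the example), flags the Outlook Express stationery values and the wallpaper value the text describes, and lists the calendar dates on which the "day + month = 13" file-deletion branch would run. It assumes the page's `wall Paper` entry refers to the standard `Wallpaper` value under `HKEY_CURRENT_USER\Control Panel\Desktop`.

```python
"""Check a .reg export for the VBS/Haptime.A@mm stationery/wallpaper settings
and list the worm's destructive trigger dates.

Added illustration, not part of the original description. The registry
export below is constructed; the identity GUID is a placeholder.
"""
import re
from datetime import date

# Constructed sample .reg export (backslashes are doubled, as .reg files do).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="c:\\windows\\help.htm"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Message Send HTML"="1"
"Compose Use Stationery"="1"
"Stationery Name"="C:\\WINDOWS\\Untitled.htm"
"""

# Values from the description, lower-cased for case-insensitive comparison.
HAPTIME_STATIONERY = "c:\\windows\\untitled.htm"
HAPTIME_WALLPAPER = "c:\\windows\\help.htm"

# Per-identity Outlook Express mail key; the identity GUID varies per user.
IDENTITY_MAIL_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft\\Outlook Express\\5\.0\\Mail$",
    re.IGNORECASE,
)

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: value}}.

    Only quoted string values are handled, which is all this check needs."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1)
            # Undo .reg escaping: \\ -> \ and \" -> "
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            result[current][name] = value
    return result


def _lookup_key(reg, key_path):
    """Registry paths are case-insensitive; compare accordingly."""
    wanted = key_path.lower()
    for key, values in reg.items():
        if key.lower() == wanted:
            return values
    return {}


def _value(values, name):
    """Case-insensitive value-name lookup; '' when absent."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return ""


def haptime_indicators(reg):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    desktop = _lookup_key(reg, "HKEY_CURRENT_USER\\Control Panel\\Desktop")
    if _value(desktop, "Wallpaper").lower() == HAPTIME_WALLPAPER:
        findings.append("desktop wallpaper points at c:\\windows\\help.htm")
    for key, values in reg.items():
        if not IDENTITY_MAIL_KEY.match(key):
            continue
        html_on = _value(values, "Message Send HTML") == "1"
        stationery_on = _value(values, "Compose Use Stationery") == "1"
        untitled = _value(values, "Stationery Name").lower() == HAPTIME_STATIONERY
        if untitled:
            findings.append(f"{key}: Stationery Name is C:\\WINDOWS\\Untitled.htm")
        if html_on and stationery_on and untitled:
            findings.append(f"{key}: HTML mail + stationery enabled + Untitled.htm (full Haptime configuration)")
    return findings


def haptime_trigger_dates(year):
    """Dates in `year` on which day + month == 13 (the EXE/DLL deletion branch)."""
    return [date(year, month, 13 - month) for month in range(1, 13)]


if __name__ == "__main__":
    for finding in haptime_indicators(parse_reg(SAMPLE_REG)):
        print("FOUND:", finding)
    print("trigger dates:", ", ".join(d.isoformat() for d in haptime_trigger_dates(2001)))
```

Run against a real export (`reg export HKCU\Identities identities.reg` plus the Desktop key) the same parser and checks apply; the stationery value alone is the strongest single indicator, since HTML mail and stationery can legitimately be enabled by a user.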

Payload Details

n/a

Analysis

n/a

Removal

To remove the virus, perform a full scan of your disks and let NVC clean/remove infected files. To reset the MS Outlook Express settings: start MS Outlook Express, select Tools -> Options and open the Compose tab. If you do not use stationery, uncheck both Mail and News in the Stationery section. Otherwise, click the Select button and select the stationery you want to use.


Last Updated: 12 Nov 2015 11:06:11