Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » VBS/Haptime.B@mm


Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Payload File deletion
Detection files published 13 Nov 2001 03:00:00
Description created 13 Nov 2001 03:00:00
Description updated 13 Nov 2001 03:00:00
Malware type VIRUS
Alias VBS/Haptime.D
Spreading mechanism EMAIL
Summary None



VBS/Haptime.B@mm is a virus that infects HTML files and also sends itself over mail.

When activated it drops four infected files, Syslog.vbs, Syslog.hta, Syslog.htm and Instlog.htm.

It searches through the hard disk for HTML, VBS, HTM and ASP files to infect. The file c:windowssyslog.htm will be set to the desktop wallpaper, by editing the following registry key:

HKEY_CURRENT_USER\Control Panel\desktop\wall Paper\

To spread through email, it changes the following registry keys (wrappet for readability):

HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
Outlook Express\5.0\Mail\Message Send HTML="1"
HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
Outlook Express\5.0\Mail\Compose Use Stationery="1"
HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\
Outlook Express\5.0\Mail\Stationery Name="C:\WINDOWS\Instlog.htm"

C:\windows\Untitled.htm will now be embedded in all mail sent from MS Outlook Express.

As you see from the Registry settings, this worm usees the stationery feature of Outlook Express. Stationery is used as a template in HTML format for new messages. With this "feature" in MS Outlook you can change the fonts and background used in the mail message. VBS/Haptime sets HTML as the default message format and then creates an infected HTML page and set this one as the default stationery for MS Outlook Express. After this all new messages sent from an infected computer will automatic include the infected HTML file in its HTML-formatted body.

It also utilizes a security hole in an ActiveX control from Microsoft, scriptlet.typelib, to be executed without the user's knowledge. If the security patch from Microsoft is not installed, it is enough for infected emails to be displayed in the preview pane of MS Outlook Express to get activated.

Read more about this security hole in our security article, which also has links to the patch from Microsoft.

Payload Details

If the sum of the current day and month adds up to 13, it will search the hard disk for EXE and DLL files and delete all files with these extensions.




To reset the MS Outlook settings: Start MS Outlook Express. Select Tools -> Options and the Compose tab. If you do not use stationery, unchek both Mail and News in the Stationery sections. Otherwise, click the Select button and select the stationery you want to use.

Last Updated: 12 Nov 2015 11:06:12