Selected viruses, spyware, and other threats: sorted alphabetically
VBS/San.A is a worm written in the language Visual Basic Script.
To spread it uses Microsoft Outlook Express. After activation it copies itself as the file loveday14-a.hta into the directory c:\WINDOWS\Start Menu\Programs\Startup\. If the system language is Spanish the directory c:\WINDOWS\Menú Inicio\Programas\Inicio\ will be used. Files in this directory are run at each Windows start and so repeated activation of the worm is ensured. The worm checks if the file index.html
exists in the directory WINDOWS/SYSTEM. If it is not there, it will create it. The worm manipulates the system registry and sets it so that Outlook Express will use this created file index.html as
a pre-selected signature. The worm sets the start page for Explorer to http://www.terra.es/personal/acaymo.
This worm contains a very dangerous payload. It is run on each 5th, 12th, 23rd and 29th day in a month. The worm creates in each directory on dirive C: a directory with the same name but adds the text "happysanvalentin" to it and deletes the original directory and its contents.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.