This Visual Basic Script virus scans the current folder and all subfolders for files with the extensions ".HTM", ".HTML", or ".HTT", and then infects these files. The virus body is encrypted to hide its code.
Note: %WINDOWS% denotes the Windows directory (e.g. C:\WINDOWS) and %SYSTEM% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32). The names of these directories may differ between various versions of Microsoft Windows.
VBS/Soraci.A creates %WINDOWS%\Web\Folder.htt. If this file already exists, the virus overwrites it. If the virus is executed from a root folder, it creates folder.htt and desktop.ini in the root folder, overwriting any files with those names.
VBS/Soraci.A exploits the "Microsoft VM ActiveX Component vulnerability" to gain full access to the file system and registry.
The virus changes the following Internet Explorer registry settings:
"Start Page" = "http://[address removed]/hedda_marie_tolentino/index.htm"
"Default_Page_URL" = "http://[address removed]/hedda_marie_tolentino/index.htm"
"Local Page" = "http://[address removed]/hedda_marie_tolentino/index.htm"
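The following check is an added example, not part of the original write-up: it scans the text of a registry export for the three values listed above when they point at the URL path given in this description. The registry key (Internet Explorer\Main), the placeholder host host.invalid, and the function names are assumptions; the sample export is constructed.

```python
import re
from urllib.parse import urlparse

# Value names and URL path taken from the write-up; the host is redacted there.
WATCHED = {"start page", "default_page_url", "local page"}
PATH_MARKER = "/hedda_marie_tolentino/index.htm"
# Assumption: the key that holds these values (the write-up does not name it).
IE_MAIN = r"\software\microsoft\internet explorer\main"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample in `reg export` text form; host.invalid is a placeholder.
# A real export file is usually UTF-16 and must be decoded before scanning.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://host.invalid/hedda_marie_tolentino/index.htm"
"Default_Page_URL"="http://host.invalid/hedda_marie_tolentino/index.htm"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Search Page"="http://host.invalid/search"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Start Page"="http://host.invalid/hedda_marie_tolentino/index.htm"
'''

def url_path(data):
    """Lower-cased URL path, or '' when the data is not a parseable URL."""
    try:
        return urlparse(data).path.lower()
    except ValueError:
        return ""

def find_modified_ie_settings(reg_text):
    """Return (key, value name, data) for watched values set to the marker path."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)  # remember which key the following values belong to
        elif key and key.lower().endswith(IE_MAIN) and (m := VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() in WATCHED and url_path(data) == PATH_MARKER:
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_modified_ie_settings(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
```

Matching on the URL path rather than the full URL is deliberate, because the host is redacted in this description.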
If the current system date is 26th September, the virus shuts down the Windows operating system.
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.