VBS/Haptime.D@mm
Analysis
- Virus is coded in VBScript and is approximately
9400 bytes
- If the sum of the current month value plus the
day value of the month equals 13, this virus will
attempt to delete files with extensions .EXE and .DLL-
For example:
January 12 (where 1 + 12 = 13)
February 11 (where 2 + 11 = 13)
November 2 (where 11 + 2 = 13)
December 1 (where 12 + 1 = 13)
-
Virus creates an infected HTML file on the local drive as "instlog.htm" and uses this file as stationary for composing email messages in Outlook Express 5.0
-
Virus infects files of type .ASP, .HTML, .HTM, .HTT and .VBS and tracks the number of files which have become infected
-
Virus searches potential host file for this string to determine if the file is infected - if the string is not found, the file is targeted for infection -
"Rem What a KING-SIZE PIG!!! "
The file is also searched for email addresses, and if any are found, an email message is sent to that email with "instlog.htm"
-
When the number of files infected reaches 366, this virus will attempt to reply to email messages in the Outlook inbox with a copy of the virus as "instlog.htm"