VBS/Haptime.D@mm

description-logoAnalysis

  • Virus is coded in VBScript and is approximately 9400 bytes
  • If the sum of the current month value plus the day value of the month equals 13, this virus will attempt to delete files with extensions .EXE and .DLL-

    For example:
    January 12 (where 1 + 12 = 13)
    February 11 (where 2 + 11 = 13)

    November 2 (where 11 + 2 = 13)
    December 1 (where 12 + 1 = 13)
  • Virus creates an infected HTML file on the local drive as "instlog.htm" and uses this file as stationary for composing email messages in Outlook Express 5.0

  • Virus infects files of type .ASP, .HTML, .HTM, .HTT and .VBS and tracks the number of files which have become infected

  • Virus searches potential host file for this string to determine if the file is infected - if the string is not found, the file is targeted for infection -

    "Rem What a KING-SIZE PIG!!! "

    The file is also searched for email addresses, and if any are found, an email message is sent to that email with "instlog.htm"

  • When the number of files infected reaches 366, this virus will attempt to reply to email messages in the Outlook inbox with a copy of the virus as "instlog.htm"

Telemetry logoTelemetry