================================================
Subject: Here's a nice one... {=o/
From: "]\\[][G}{T§TÖ®]v["
To:
Date: Wed 4 Jul 2001 17:00:50 -0400
================================================

Since most of you use MS Outlook Express 5.0, I thought that you might want to keep on a watch for this one... hope none of you happen to get the virus and not know about it (reformat, anyone?)

¤]\[][G}{T§TÖ®]v[¤ AKA NightStorm

TAKEN FROM http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_HAPTIME.B

VBS_HAPTIME.B

Virus type: VBScript
Destructive: Y
Aliases: HAPTIME, HAPTIME.B

Description:
This Visual Basic Script (VBS) worm propagates via Microsoft Outlook Express 5.0 by configuring the default stationery to an external file that is dropped by this worm when it is executed. To infect, it appends itself as an embedded script to an infected file. If the current day and the current month are equal to 13, it deletes all .DLL and .EXE files on the local and network drives.

Solution:
1. Download the fix tool Fix_Haptime.exe (http://www.antivirus.com/vinfo/security/fix_haptime.exe). It is also suggested that you view the README file (http://www.antivirus.com/vinfo/security/readme_haptime.txt).
2. Extract or unzip the contents of the fix tool.
3. Go to an MS-DOS prompt (Start|Programs|MS-DOS Prompt), then go to the directory where you extracted the tool.
4. Run the tool by typing: FIX_HAPTIME.EXE.

*Note: if you are using Microsoft Outlook Express as your default email program, disable the stationery you're using because it may be infected with the worm and will be deleted in the next step. To do this:
1. Open Outlook Express
2. Click Tools|Options
3. Select the Compose tab
4. Unmark the checkbox beside Mail in the Stationery section
5. Click Apply or OK
6. Scan your system with your antivirus program, and delete all files detected as VBS_HAPTIME.A and VBS_HAPTIME.B. To do this, you must download the most recent update of your program's virus pattern file and scan your system. Other email users may use HouseCall, Trend Micro's free online virus scanner (http://housecall.antivirus.com/).

After performing step 6, choose your favorite stationery again.

TECHNICAL DETAILS:

Trigger condition 1: System Month + System Day = 13
Payload 1: Deletes Files (Deletes all .DLL and .EXE files in the local and network drives)
Language: English
Platform: Windows
Encrypted: No
Size of virus: ~11,374 Bytes

Details:
Upon execution, this worm drops a copy of itself as SYSLOG.HTM in the Windows directory. When the active desktop is enabled, it creates the following registry entry:

  HKEY_CURRENT_USER\Control\Panel\Desktop\
    wallPaper=%WinDir%\SYSLOG.HTM

%WinDir% is the directory where Windows is installed.

It infects files with the extensions .HTML, .HTM, .HTT, .ASP, and .VBS by appending its code as an embedded script.

To propagate, it configures the Microsoft Outlook Express 5.0 default stationery to an external file that is infected with this virus. Thereafter, every email the infected user sends out in Microsoft Outlook Express 5.0 carries an embedded virus code that executes when the recipient opens the email.

It modifies the following registry settings in order to execute its propagation routine:

  HKEY_CURRENT_USER\Identities\(UserID)\Software\Microsoft\Outlook Express\5.0\Mail
    Compose Use Stationery="1"

  HKEY_CURRENT_USER\Identities\(UserID)\Software\Microsoft\Outlook Express\5.0\Mail
    Message Send HTML="1"

  HKEY_CURRENT_USER\Identities\(UserID)\Software\Microsoft\Outlook Express\5.0\Mail
    Stationery Name="%WinDir%\syslog.htm" or "%WinDir%\syslog.hta" or "%WinDir%\syslog.vbs" or "%WinDir%\instlog.htm"

It also infects .HTT files in the %WinDir%\web folder, which causes the virus to execute each time a folder is viewed as a Web page.

To track the number of times the virus is executed, it creates the following registry entry:

  HKEY_CURRENT_USER\Software\Help\

It checks for a value in this registry key to determine when the virus has executed 366 times, so that it can attach itself to all emails sent by the infected user.

If the sum of the system date (mm + dd) is 13, it deletes all .DLL and .EXE files in the local and network drives.

To unsubscribe or change your preferences for the Creed-Discuss list, visit: http://www.winduplist.com/ls/discuss/form.asp
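As an added defender-side example (not part of the original post or of the Trend Micro write-up), the Python below audits a regedit export of HKEY_CURRENT_USER for the settings the advisory lists: a Stationery Name pointing at one of the dropped files, Compose Use Stationery and Message Send HTML both forced on, the Active Desktop wallpaper set to SYSLOG.HTM, and a Software\Help counter key. It also lists the calendar dates on which the advisory's trigger (month + day = 13) is met, so an administrator knows when the destructive payload would fire. The .reg text, the identity GUID and the value name under Software\Help are constructed placeholders; the advisory does not name that value. The advisory spells the wallpaper key "Control\Panel\Desktop"; the code uses the standard key name "Control Panel\Desktop" and matches value names case-insensitively, since the registry does.

```python
"""Audit a regedit (.reg) export for the VBS_HAPTIME.B settings named in the advisory.

Added example; not the original post's or Trend Micro's code. Export HKEY_CURRENT_USER
with regedit (File|Export) and pass the file's text to audit_reg_export().
"""
import re
from datetime import date

# Key under each identity that the advisory says the worm modifies.
OE_MAIL_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft\\Outlook Express\\5\.0\\Mail$",
    re.IGNORECASE,
)
# File names the advisory lists as possible stationery targets.
DROPPED_NAMES = {"syslog.htm", "syslog.hta", "syslog.vbs", "instlog.htm"}
# Standard key name (the advisory writes "Control\Panel\Desktop").
DESKTOP_KEY = "HKEY_CURRENT_USER\\Control Panel\\Desktop"
# Execution-counter key from the advisory; the value name inside it is not given.
COUNTER_KEY = "HKEY_CURRENT_USER\\Software\\Help"

# Constructed sample export for illustration (placeholder GUID and counter value name).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\SYSLOG.HTM"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Message Send HTML"=dword:00000001
"Stationery Name"="C:\\WINDOWS\\syslog.htm"

[HKEY_CURRENT_USER\Software\Help]
"Count"=dword:0000002a
'''


def parse_reg_export(text):
    """Parse [key] headers and "name"=value lines into {key: {name_lower: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower() or "(default)"
        if value.startswith('"') and value.endswith('"'):
            # .reg string values escape backslashes as "\\".
            value = value[1:-1].replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def is_on(value):
    """True for the "1" the advisory shows or the equivalent REG_DWORD export form."""
    return value in ("1", "dword:00000001")


def audit_reg_export(text):
    """Return human-readable findings for each indicator from the advisory that is present."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if OE_MAIL_KEY_RE.match(key):
            name = values.get("stationery name", "")
            base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in DROPPED_NAMES:
                findings.append(f"{key}: Stationery Name points at dropped file {name}")
            if is_on(values.get("compose use stationery", "")) and is_on(values.get("message send html", "")):
                findings.append(f"{key}: Compose Use Stationery and Message Send HTML both set to 1")
        elif key.lower() == DESKTOP_KEY.lower():
            wallpaper = values.get("wallpaper", "")
            if wallpaper.lower().endswith("\\syslog.htm"):
                findings.append(f"{key}: Wallpaper set to {wallpaper}")
        elif key.lower() == COUNTER_KEY.lower() and values:
            findings.append(f"{key}: execution-counter key present with {len(values)} value(s)")
    return findings


def payload_dates(year):
    """Dates in the given year on which month + day == 13 (the advisory's trigger)."""
    return [date(year, month, 13 - month) for month in range(1, 13)]


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_EXPORT):
        print("FINDING:", finding)
    print("trigger dates:", [d.isoformat() for d in payload_dates(date.today().year)])
```

On a clean export the audit returns an empty list; a match on the Stationery Name alone is the strongest single indicator, because the other two Outlook Express values are legitimate settings a user may have turned on. The trigger-date list is the same every year: the 12th of January through the 1st of December, one day per month.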