VBS.Hard.A@mm

SUMMARY

VBS.Hard.A@mm is a Visual Basic Script (VBS) worm that uses Microsoft Outlook Express. It arrives with an attachment named "www.symantec.com.vbs" and a subject line of "FW: Symantec Anti-Virus Warning". This email was not distributed by Symantec. If you receive this email, delete it immediately.

Behavior

Symptoms

Transmission

Protection

• Virus Definitions (Intelligent Updater) May 12, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: High
• Subject of Email: FW: Symantec Anti-Virus Warning
• Name of Attachment: www.symantec.com.vbs
• Size of Attachment: 23,268

TECHNICAL DETAILS

VBS.Hard.A@mm tries to disguises itself as a virus warning from Symantec. It arrives as:

Subject: FW: Symantec Anti-Virus Warning.

Attachment: www.symantec.com.vbs

Message:

----- Original Message -----
From: <warning@symantec.com>
Subject: FW: Symantec Anti-Virus Warning


Hello,

There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how it replicates itself.


With regards,
F. Jones
Symantec senior developer

When www.symantec.com.vbs is executed, VBS.Hard.A@mmworm does the following:

1. It copies itself as the C:www.symantec.com.vbs file.
2. Then it tries to create a fake Symantec virus information page for a non-existent threat, VBS.AmericanHistoryX_II@mm. This fake web page is created as C:www.symantec.com.hta. In creating this fake web page, it uses the helper files:
   • C:Switch.bat
   • C:www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
     
     The latter will be created if the .hta file type is not registered as the hex-ID shown above. In this case, the worm runs the C:Switch.bat to rename the second file to C:www.symantec.com.hta.
     
3. Then, the worm creates the C:www.symantec_send.vbs file, which contains the instruction to use Microsoft Outlook Express to send the file C:www.symantec.com.vbs to everyone in your Microsoft Outlook Express address book. This script also creates a marking key in the Windows registry
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWABOE Done
   
   that is set to the value
   
   Hardhead_SatanikChild.
   
4. Next, VBS.Hard.A@mm creates the C:Message.vbs file, which contains a message-displaying payload. The payload is triggered every November 24th. It displays the message:
   
   
   
5. The worm then sets or creates several registry keys:
   • To the registry key
     
     HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
     
     it adds the following three values:
     
     • Outlook    C:www.symantec_send.vbs
       
       This launches the VBS file that sends out the email message.
       
     • Symantec   C:infected with Virus.vbs
       
       Since there is no such file being dropped, this registry key modification does not affect the system.
       
     • Message   C:message.vbs
       
       This launches the message-displaying script, which will only display the message on November 24th.
       
   • In the registry key
     
     HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain
     
     it changes the value data of
     
     Start Page
     
     to
     
     C:www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
     
     This sets the start page of Internet Explorer to the fake virus information web page.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm, delete files detected as VBS.Hard.A@mm, undo the changes that it made to the registry, and reset the Internet Explorer Start Page


To remove the worm files:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as VBS.Hard.A@mm

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. In the left pane, navigate to the following key:
   
   HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, delete the following values:
   
   Outlook
   Symantec
   Message
   
5. Click Registry, and then click Exit.

NOTE: It is not necessary to remove the marking key that was added by the worm.


To reset the Start Page:

1. Start Microsoft Internet Explorer.
2. Connect to the Internet and go to the page that you want to set as your start page.
3. Click Tools and then click Internet Options.
4. On the General tab, click Use Current, and then click OK.