VBS.San@m

SUMMARY

VBS.San@m is a script worm which spreads through email. The worm utilizes a known Microsoft Outlook Express security hole (Scriptlet.TypeLib) so that a viral file is created on the system without having to run any attachment. Simply reading the received email message causes the virus to be placed on the system. Microsoft has patched this security hole. The patch is available at:

http://www.microsoft.com/technet/ie/tools/scrpteye.asp

If you have a patched version of Outlook Express, this worm will not work automatically.

The worm copies itself into the StartUp folder and sets itself as the default signature for Microsoft Outlook Express. It also modifies the default start page for Internet Explorer to connect to a Web site that contains another worm, VBS.Valentin@mm.

Protection

• Virus Definitions (Intelligent Updater) February 13, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Moderate
• Removal: Moderate

Damage

• Damage Level: Medium
• Payload Trigger: If the day is the 8th, 14th, 23, or 29th of the month
• Payload: The worm will attempt to delete files from the C drive if it is executed or currently infecting a system on one of the trigger dates.
• Deletes Files: Deletes files from subfolders on the C: drive.
• Modifies Files: Appends happysanvalentin to subfolders on the C drive.
• Causes System Instability: Could delete critical system files if the payload is triggered.

Distribution

• Distribution Level: Medium

TECHNICAL DETAILS

Once the worm has infected a system, it copies itself to the StartUp folder as the Loveday14-a.hta file. This folder is hardcoded in the worm as C:WindowsStart MenuProgramsStartUp. If the computer is running the Spanish version of Windows, it copies it to the C:WindowsMenú InicioProgramasInicio folder. This allows the worm to execute every time that the computer is started.

The worm creates the Index.html file in the WindowsSystem folder. This file becomes the default signature for Outlook Express. This allows the worm to spread to other users when you send email. This is the same method by which WScript.KakWorm distributes itself.

If the payload is triggered, the worm deletes files contained within subfolders on drive C. This means that C:Windows will not be deleted, but the contents of C:WindowsSystem will be. It also renames subfolders by appending "happysanvalentin" to them. C:WindowsSystem thus becomes C:WindowsSystemhappysanvalentin.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To recover from this infection:

NOTE: If the payload has triggered on your system, you may have to reinstall Windows before you can perform any of the following steps.

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files that are detected as infected by VBS.San@m.
4. Click Start, point to Find, and then click Files or Folders.
5. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
6. In the Named box, type (or copy and paste) the following file name:
   
   loveday14-a.hta
   
7. Click Find Now. When found, delete the Loveday14-a.hta file.
8. Within Microsoft Outlook Express, restore your default signature.
9. Restore any deleted files from backup or reinstall the software. If necessary, rename any subfolders that were changed by the worm back to their original names.