Home Education E-BooksTravel Troubleshooting Linux Contact Us About Us
Troubleshooting Tips And Steps
Windows & Hardware Tips
Information On Viruses

virus file



Virus Characteristics

This is a file infecting VBScript that sets a default, infected, stationary file for the Microsoft Outlook and Outlook Express email client programs. It exploits the Microsoft VM ActiveX Component Vulnerability.

The script arrives in an email message, hidden from the user, or can be present on websites that contain infected .HTM files. The virus uses the BODY ONLOAD event to trigger the infection. .HTM, and .HTT files on the local system are infected by appending them with the encrypted, viral code. .HTT files are prepended with the BODY ONLOAD trigger, while this action is placed at the beginning of the virus body in .HTM files. The default mail account is retrieved from the registry and a stationary file is created, "BLANK.HTM", and is set as the default stationary file.

HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\ 5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\ 5.0\Mail "Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\ Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\ 0a0d020000000000c000000000000046\001e0360=blank
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\ MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS SYSTEM directory and a registry run key is created to load the script at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll
This is effective due to the fact that several other registry keys are created to re-associate .DLL files with the WSCRIPT.EXE handler.

HKEY_CLASSES_ROOT\dllfile\ScriptEngine\ (Default)=VBScript
HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\ (Default)={85131631-480C-11D2-B1F9-00C04F86C324}
HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\ (Default)=C:\WINDOWS\WScript.exe "%1" %*
HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\ WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents

Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to infect .HTM documents and configure email clients to include an infected document along with each message that is sent out.

If you are fed up with any virus and not getting solution of it. mail us on amgroup@skillsheaven.com and please provide all the detail about virus.