For Home

Virus Profile: VBS/Horty.a@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/24/2002
Date Added: 4/25/2002
Origin: Unknown
Length: 7,775
Type: Virus
Subtype: VbScript
DAT Required: 4102
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The above message displayed on the 12th of May. The deletion of the Windows directory on the 13th of May. The above registry change and the presence of some the following files:

  • c:\x-F***.TXT.vbs
  • kernel32.vbs
  • JENNA-JAMESON-FREE-SUPERF***.TXT.vbs
  • ALEXIA.TXT.vbs
  • Natasa.TXT.vbs
  • JENNA-JAMESON-FREE-SUPERF***.txt
  • KISSme.TXT.vbs
  • P***Y.TXT.vbs
  • x-F***.TXT.vbs
  • 2T**S.TXT.vbs
  • myD**K.TXT.vbs
  • PORN.TXT.vbs
  • UFOxxx.TXT.vbs
  • ALIENS.TXT.vbs
  • theBAR.TXT.vbs
  • DrD**K.TXT.vbs

Methods of Infection

Executing one of the above files, apart from JENNA-JAMESON-FREE-SUPERF***.txt, which is a plain text file.

Aliases

Kagra, VBS/Horty
   

Virus Characteristics

This threat is detected as VBS/Pica.worm.gen. The virus may arrive as an email attachment JENNA-JAMESON-FREE-SUPERF***.TXT.vbs and will send an email using Outlook to all recipients in the Contact Folder in the following format:

  • Subject: Jenna Jameson pornostar free superf***+photo addresses
  • Body: Do you wanna see super pornostar,Jenna Jameson,in a special superf***? Double click on the attachment of this mail,and get also some interesting sex-sex-sex addreses... "
  • Attachment: JENNA-JAMESON-FREE-SUPERF***.TXT.vbs

If the virus was executed from the A:\ or B:\ drive, it will copy itself to c:\x-F***.TXT.vbs. It then copies the following infected files to the Windows Directory: kernel32.vbs and JENNA-JAMESON-FREE-SUPERF***.TXT.vbs, ALEXIA.TXT.vbs to the Windows System Directory, and Natasa.TXT.vbs to the Windows Temp Directory. The following infected files can be created on A: or B: drive:

  • KISSme.TXT.vbs
  • P***Y.TXT.vbs
  • x-F***.TXT.vbs
  • 2T**S.TXT.vbs
  • myD**K.TXT.vbs
  • PORN.TXT.vbs
  • UFOxxx.TXT.vbs
  • ALIENS.TXT.vbs
  • theBAR.TXT.vbs
  • DrD**K.TXT.vbs
The following registry key is added so that the virus will run on the next boot up of the system:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUpdate kernel32.vbs

A text file JENNA-JAMESON-FREE-SUPERF***.txt is created in the Windows Directory and then opened in Notepad. VBS/Horty.a@MM also uses an infection counter in HKLM\SOFTWARE\WUpdate, and will send emails out 4 times from an infected machine. If the day is 13th of May, the virus will delete the Windows directory. If the day is 12th of May, the following message will be displayed:

Variants

Variants information
Virus Name Type Subtype Differences
VBS/Horty.d@MM Virus E-mail worm

This threat is detected as VBS/Pica.worm.gen. The virus copies itself as run32dll.vbs and clickme.vbs in %windows% directory. The virus will recurse through the Outlook Inbox and Sent Folder and resends these back to the sender. The subject is changed to "FREE PORN SITES" and attaches the file clickme.vbs. On 26 July, may display the message "FREE PORN SITES".
   
Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.