Virus Profile: VBS/San@M

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/11/2001
Date Added: 2/12/2001
Origin: Spain
Length: N/A
Type: Virus
Subtype: E-mail
DAT Required: 4121
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of the file "loveday14-a.hta"
- A modified Outlook Express signature
- Altered Internet Explorer start page, now set to a Spanish website
- Directories on C:\ containing subfolders which contain the phrase, "happysanvalentin"
- The absence of subfolders in directories on C:

Methods of Infection

Opening email messages which are composed in HTML format and which contain the script will install the Internet worm on systems which are vulnerable to the "Scriptlet.TypeLib" exploit. If the Preview Pane is enabled, simply highlighting the message subject is enough to activate the virus. The HTA file is written to the local machine as is the HTML file and both are created at system startup, and with each composition of HTML format email message.


San (F-Prot), San.A (CA), VBS.San.A

Virus Characteristics

This Visual Basic Script virus was discovered on February 11, 2001 in a Usenet posting, by AVERT Virus Patrol. The virus is embedded in an HTML file, uses the Vbscript.Encode method to partially encrypt its code, and makes use of the, so called, "Scriptlet.TypeLib" vulnerability.

When the viral code is executed, it copies itself to the StartUp folder, "c:\WINDOWS\Start Menu\Programs\Startup\loveday14-a.hta". If the Spanish version of Windows is detected, it copies itself to the corresponding Startup folder, "c:\WINDOWS\Menú Inicio\Programas\Inicio\loveday14-a.hta".

The .hta file gets executed at each system startup. The virus creates the file "index.html" in the WINDOWS SYSTEM directory which becomes the infected user's signature in Outlook Express. As a result, messages sent from an infected machine will contain the embedded virus code in the email message.

It sets the Internet Explorer start page to a Spanish website which contains another virus, VBS/Valentin@MM.

If the current day is 8, 14, 23, or 29, the virus attempts to delete the contents of directories on the root level of the C: drive. Subfolder names are appended with "happysanvalentin" (ie. C:\Windows\Desktop becomes C:\Windows\Desktophappysanvalentin".

The virus code contains the comments, "loveday14 by Onel2 Melilla, España 'feliz san valentin davinia."

Use specified engine and DAT files for detection and removal.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove the .HTA and/or .HTML files associated with this threat
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site .

Users may also want to disable 'Active Scripting' in the 'Restricted Sites' zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:

-open Internet Explorer
-choose the Tools menu
-choose Internet Options
-click the Security tab
-click the Restricted Sites icon
-click 'Custom Level'
-scroll down to 'Active Scripting' and set it to Disable or Prompt
-Click OK
-open Outlook
-choose the Tools menu
-choose Options
-click the Security Tab
-In the 'Security Zones' section, choose the 'Restricted Sites' zone

AVERT Recommended Updates :

* scriptlet.typelib/Eyedog vulnerability patch

* Malformed E-mail MIME Header vulnerability patch

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!