Details:
Arrival and Installation
This malicious, polymorphic Visual Basic (VB) script arrives in encrypted form and runs whenever a user loads an infected HTML file. It first decrypts itself and executes its virus code, then checks whether its host file is HTML or VBS so that it can initialize its variables properly.
It creates copies of itself as the following files:
- %System%\Blank.htm
- %System%\Folder.htt
- <malware path>\Folder.htt
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
Folder View Settings
This malicious VB script also drops a copy of itself as FOLDER.HTT in the folder %Windows%\Web. It then creates the file named DESKTOP.INI in the folder where it executes. The latter file sets the current folder view settings to FOLDER.HTT.
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
If Web content is enabled, the files FOLDER.HTT and DESKTOP.INI are copied to every folder opened in Windows Explorer. In effect, the Explorer window displays the infected FOLDER.HTT, thus running the malicious VB script.
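As an added defender-side illustration that is not part of the original analysis: the Python scanner below walks a directory tree and flags every folder whose DESKTOP.INI points the folder view at a FOLDER.HTT that embeds a VBScript block, the persistence pairing described above. The sample file contents and the .ini key name are constructed assumptions, since the page does not reproduce the actual files.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed samples modelled on the page's description; the real file contents
# are not on the page and the .ini key is an assumption, so the scanner keys
# only on the reference to FOLDER.HTT plus a VBScript block in that file.
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nPersistMoniker=file://Folder.htt\r\n"
SAMPLE_FOLDER_HTT = ('<html><body>\n<script language="VBScript">\n'
                     "' constructed placeholder, not the malware\n</script></body></html>\n")
CLEAN_DESKTOP_INI = "[.ShellClassInfo]\r\nIconFile=icon.ico\r\n"

HTT_REF = re.compile(r"folder\.htt", re.IGNORECASE)
VBS_TAG = re.compile(r"<script[^>]*(language\s*=\s*[\"']?vbs(cript)?"
                     r"|type\s*=\s*[\"']?text/vbscript)", re.IGNORECASE)

def scan_folder(folder):
    """Flag `folder` when its DESKTOP.INI points the folder view at a
    FOLDER.HTT that embeds VBScript; return None otherwise."""
    names = {n.lower(): n for n in os.listdir(folder)}
    if "desktop.ini" not in names or "folder.htt" not in names:
        return None
    ini = Path(folder, names["desktop.ini"]).read_text(errors="replace")
    if not HTT_REF.search(ini):
        return None
    htt = Path(folder, names["folder.htt"]).read_text(errors="replace")
    if not VBS_TAG.search(htt):
        return None
    return {"folder": folder, "htt": names["folder.htt"]}

def find_folder_view_hijacks(root):
    """Walk `root` (every drive, in a real sweep) and collect hijacked folders."""
    return [hit for d, _, _ in os.walk(root) if (hit := scan_folder(d))]

def demo_scan():
    """Lay out one hijacked and one benign folder in a scratch directory
    (constructed sample) and return the names of the folders flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = Path(tmp, "docs"), Path(tmp, "pictures")
        for p in (bad, good):
            p.mkdir()
        (bad / "desktop.ini").write_text(SAMPLE_DESKTOP_INI)
        (bad / "folder.htt").write_text(SAMPLE_FOLDER_HTT)
        (good / "desktop.ini").write_text(CLEAN_DESKTOP_INI)
        (good / "folder.htt").write_text("<html><body>plain view</body></html>\n")
        return [Path(h["folder"]).name for h in find_folder_view_hijacks(tmp)]
```

A benign folder customization that ships its own FOLDER.HTT without a VBScript block is left alone, so the check keys on the combination rather than on either file by itself.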
File Infection
When infecting, this malicious VB script searches all available disk drives and subfolders for files with the following extensions:
Infected files are appended with the encrypted version of the malicious VB script.
Payload
When this VB script is executed on the 30th day of February, April, June, August, October, and December, it renames the system files WIN.INI to WON.CHK, and SYSTEM.INI to SYSTEM.CHK.
Exploit
The malicious VB script runs on infected systems that are unpatched for the VM ActiveX component vulnerability. Installing the patch or the latest version of Microsoft Internet Explorer prevents the malware from executing or propagating.
For more information about this Windows vulnerability, please refer to the following Microsoft Web page:
Analysis By: Steve Inosanto Espino
Revision History: