Home / malware VBS.HappyTime.A@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
VBS.HappyTime.A@mm is also known as N/A.
Explanation :
The virus copies itself in C:WindowsUntitled.htm file.
If the virus is contained in a .vbs file, it copies itself in C:Help.vbs, and executes this script every 10 seconds.
If the virus is contained in a .htm or .html file, it copies itself in C:Help.htm file. If the virus is contained in a "text_info" file, it copies itself in C:Help.hta file. In that case the document title is I am sorry!.
In the registry key HKCUSoftwareHelpCount it counts the number of virus executions. It creates and infects a .htm file with the same name as the current wallpaper. This file will be displayed as wallpaper at the system restart and the script will be executes.
If the number of the current day plus the number of the current date is 13, it deletes all the .exe and .dll files.
The worm infects .vbs, .htm, .html, and .asp files, from all the drives of the system. In order to do that, it memories the last file infected in registry key:
HKCUSoftwareHelpFileName.
It sends an email to every address from MS Outlook folders. The subject of the email is Help. It sends its copy as an attachment named Untitled.htm . It sends an email to every address contained in .html files, from all the drives of the system, with the same subject and attachment. It looks for "mailto: address" in .html files.
It sends an email to every address of received mails. The subject of the email is Fw: followed by original subject. It sends its copy as an attachment named Untitled.htm. It sends an email to every address contained in .html files as mailto: address too.Last update 21 November 2011
