
VBS/Haptime@MM

Type: Virus
SubType: E-mail
Discovery Date: 04/29/2001
Length: Varies
Minimum DAT: 4136 (05/02/2001)
Updated DAT: 4136 (05/02/2001)
Minimum Engine: 5.1.00
Description Added: 05/03/2001
Description Modified: 09/27/2002 3:45 PM (PT)
Risk Assessment (Corporate User): Medium
Risk Assessment (Home User): Medium


Characteristics

This Visual Basic Script virus will append itself to files, delete files, and can spread via embedded VBScript, contained in the body of HTML formatted email messages.

When the script is permitted to run, the virus inserts itself at the end of .ASP, .HTM, .HTML, .HTT, and .VBS files. If the current day plus the current month is equal to 13, the virus attempts to delete .DLL and .EXE files on local and network drives.

The virus saves its viral code to HELP.HTA and HELP.VBS in the first directory found on the C: drive, and to HELP.HTM and UNTITLED.HTM in the WINDOWS directory.

A registry value is created to set the HELP.HTM file as the current wallpaper, which results in the execution of the virus at system startup if Active Desktop is enabled:

HKCU\Control Panel\Desktop\wallPaper=%WinDir%\HELP.HTM

In a similar fashion to JS/Kak@M, this virus configures the default stationery used by Microsoft Outlook Express to an external file, %WinDir%\UNTITLED.HTM. This causes each message sent from Outlook Express to contain hidden viral code. These settings are modified in the registry to accomplish this task:

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML="1"

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery="1"

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name="%WinDir%\Untitled.htm"

Additionally, the .HTT files in the %WinDir%\WEB directory are infected, which results in the virus getting executed each time a folder is viewed as a web page.

The virus keeps track of the number of times that it has been executed by creating a new registry key and incrementing a key value in this key:

HKCU\Software\Help\

Once the counter reaches a multiple of 366, the virus will unsuccessfully attempt to attach UNTITLED.HTM to the email message which it sends.
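The registry changes described above can be checked offline against a regedit export. The following is an added example, not part of the original description or any vendor tool; the function names, the sample export and the placeholder identity ID are constructed for illustration. "Message Send HTML" and "Compose Use Stationery" are left out of the table because they are ordinary user settings on their own.

```python
import re

# Indicators from the description above. Registry names are case-insensitive and
# %WinDir% is expanded in real data, so only the trailing file name is matched.
MAIL_KEY = (r"HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft"
            r"\\Outlook Express\\5\.0\\Mail")
INDICATORS = [  # (label, key regex, value name or None for "key exists", data regex)
    ("wallpaper points at HELP.HTM", r"HKEY_CURRENT_USER\\Control Panel\\Desktop",
     "wallpaper", r"\\HELP\.HTM$"),
    ("Outlook Express stationery points at UNTITLED.HTM", MAIL_KEY,
     "stationery name", r"\\UNTITLED\.HTM$"),
    ("execution counter key present", r"HKEY_CURRENT_USER\\Software\\Help", None, None),
]

def parse_reg_export(text):
    """Parse regedit export text into {key: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            current[m.group(1).lower()] = data
    return keys

def find_haptime_indicators(reg_text):
    """Return the label of every indicator found in the export, in table order."""
    keys, hits = parse_reg_export(reg_text), []
    for label, key_re, name, data_re in INDICATORS:
        for key, values in keys.items():
            if re.fullmatch(key_re, key, re.IGNORECASE) and (
                    name is None or re.search(data_re, values.get(name, ""), re.IGNORECASE)):
                hits.append(label)
                break
    return hits

# Constructed sample export; the identity ID is a placeholder.
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\HELP.HTM"
[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-ID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\WINDOWS\\Untitled.htm"
[HKEY_CURRENT_USER\Software\Help]
'''
print(find_haptime_indicators(SAMPLE))
```

A hit is a triage lead only: confirm it against the files listed under Symptoms before treating the machine as infected.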

Symptoms

- Absence of .DLL and .EXE files
- Increase in file length of .ASP, .HTM, .HTML, .HTT, and .VBS files
- Presence of HELP.HTA, HELP.VBS, HELP.HTM, and UNTITLED.HTM files

Method of Infection

VBS/Haptime exists as embedded VBScript code, hidden in the body of HTML-formatted email messages and webpages. When an infected document is opened and the script is allowed to execute, the local machine is infected. Once infected, the local machine begins transmitting the virus via email and LAN propagation.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Happy Time
  • VBS.Happytime.A (CA)
  • VBS/Haptime.gen@MM
  • VBS/Help (Panda)
  • VBS_Haptime.A (Trend)
