VBS/Soraci

Type: Virus
SubType: VbScript
Discovery Date: 05/09/2003
Length: Varies
Minimum DAT: 4264 (05/14/2003)
Updated DAT: 4849 (09/11/2006)
Minimum Engine: 5.1.00
Description Added: 02/25/2004
Description Modified: 03/24/2004 2:29 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a file-infecting VBScript virus that targets files with the extensions HTT, HTM and HTML. When run, it creates or modifies the following registry values so that Internet Explorer's start page, default page and local page all point at the same URL:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm

The virus creates the following files:

  •  %SysDir%\icarOs.dll (2,824 bytes)
  •  %SysDir%\icarOs2.dll (3,748 bytes)
  •  %SysDir%\scanregw.vbe (3,718 bytes)

(Where %SysDir% is the Windows System directory on the system, for example c:\WINDOWS\SYSTEM.)

A registry value is also created to run the virus at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe

Note the trailing space in the value name and the .vbe (encoded VBScript) extension: the entry imitates the legitimate Windows 9x "ScanRegistry" Run value, which launches scanregw.exe, so the two can sit side by side and the malicious one is easy to overlook when reviewing startup entries.

The virus also carries a date-triggered payload: on September 26 it restarts Windows continuously.
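The following Python script is an added example for triaging the indicators above; it is not McAfee's tooling and does not come from the original description. It parses a text export of the registry (as produced by regedit's Export command or `regedit /e`) and flags the three Internet Explorer page values that point at the hedda_marie_tolentino path, any Run value that launches scanregw.vbe, and any Run value whose name differs from another legitimate-looking one only by whitespace. The sample export is constructed, and the domain in it (example.invalid) stands in for the address the description neuters.

```python
import re
from typing import Dict, List

# Constructed sample of a Windows .reg export. Assumption: this is not a capture
# from a real infection; the domain is a placeholder and the values mirror the
# description above, including the look-alike "ScanRegistry " entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/hedda_marie_tolentino/index.htm"
"Default_Page_URL"="http://www.example.invalid/hedda_marie_tolentino/index.htm"
"Local Page"="http://www.example.invalid/hedda_marie_tolentino/index.htm"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ScanRegistry "="C:\\WINDOWS\\SYSTEM\\scanregw.vbe"
"""

IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
HIJACKED_VALUES = ("Default_Page_URL", "Local Page", "Start Page")
HIJACK_PATH = "/hedda_marie_tolentino/index.htm"
DROPPED_SCRIPT = "scanregw.vbe"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; .reg escapes backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key: {name: data}}.

    Keys are lower-cased (the registry is case-insensitive); value names keep
    their exact spelling, trailing spaces included, because that spelling is
    one of the indicators being looked for. Non-string values are ignored.
    """
    hives: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            hives.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            hives[current][_unescape(val.group(1))] = _unescape(val.group(2))
    return hives


def find_soraci_indicators(hives: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the registry indicators of VBS/Soraci."""
    findings: List[str] = []
    for key, values in hives.items():
        if key.endswith(IE_MAIN_SUFFIX):
            # Both HKCU and HKLM copies of the key end with the same suffix.
            for name in HIJACKED_VALUES:
                data = values.get(name, "")
                if data.lower().endswith(HIJACK_PATH):
                    findings.append(f'{key} "{name}" = {data}')
        elif key.endswith(RUN_SUFFIX):
            for name, data in values.items():
                if data.lower().endswith(DROPPED_SCRIPT):
                    findings.append(f'{key} "{name}" = {data}')
                elif name != name.strip():
                    # Whitespace-padded names are a classic look-alike trick.
                    findings.append(
                        f"{key} value name {name!r} differs from {name.strip()!r} only by whitespace"
                    )
    return findings


if __name__ == "__main__":
    for line in find_soraci_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(line)
```

regedit writes version 5.00 exports as UTF-16LE, so read a real export with `open(path, encoding="utf-16")` before passing the text in. The legitimate "ScanRegistry" entry pointing at scanregw.exe is deliberately left unflagged; only the padded name launching the .vbe is reported.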

Symptoms

  • Presence of the files and registry entries detailed above
  • Increase in the size of HTT, HTM and HTML files

Method of Infection

Running an infected file causes the virus to append its code to HTT, HTM and HTML files. HTT files are Explorer's folder Web-view templates (for example folder.htt), so an infected template is rendered by Explorer when the folder is viewed, not only by a browser opening a page.
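Because the virus appends itself to HTT, HTM and HTML files, a quick triage can look for script after the document's closing </html> tag and compare file sizes against a known-good inventory. The Python scanner below is an added example, not part of the original description: the file contents are constructed placeholders (no virus body is included), and the assumption that the appended code takes the form of a VBScript <script> block is mine, not something the page states.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample contents (assumption: placeholders standing in for real
# files; no actual virus body is included).
CLEAN_PAGE = (
    "<html><head><title>Test</title></head>\n"
    "<body><p>hello</p></body></html>\n"
)
# The virus appends itself, so the simulated infected copy is the clean page
# followed by a VBScript block (assumed form of the appended code).
INFECTED_PAGE = CLEAN_PAGE + (
    '<script language="VBScript">\n'
    "' virus body would be here (placeholder)\n"
    "</script>\n"
)
# A page that legitimately uses VBScript inside the document must not trip
# the appended-code check.
LEGIT_VBS_PAGE = (
    '<html><head><script language="VBScript">MsgBox "hi"</script></head>\n'
    "<body></body></html>\n"
)

TARGET_EXTENSIONS = (".htm", ".html", ".htt")  # HTT: Explorer folder-view templates


class Finding(NamedTuple):
    path: str
    reasons: List[str]


_END_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
_VBS_TAG = re.compile(
    r"<script\b[^>]*\b(?:language\s*=\s*[\"']?vbs(?:cript)?\b|type\s*=\s*[\"']?text/vbscript)",
    re.IGNORECASE,
)


def inspect_html(path: str, content: str, known_size: Optional[int] = None) -> Optional[Finding]:
    """Return a Finding if the file shows signs of an appended VBScript infector."""
    reasons: List[str] = []
    # 1. Anything after the document's *first* </html> is suspect. Using the first
    #    tag rather than the last keeps this working if the appended code happens
    #    to carry its own closing tag.
    end = _END_HTML.search(content)
    if end is not None:
        trailer = content[end.end():]
        if _VBS_TAG.search(trailer):
            reasons.append(
                f"VBScript block appended after </html> ({len(trailer.encode())} bytes)"
            )
    # 2. Growth against an inventory or backup size: the "increase in size" symptom.
    size = len(content.encode())
    if known_size is not None and size > known_size:
        reasons.append(f"file grew from {known_size} to {size} bytes")
    return Finding(path, reasons) if reasons else None


def scan(files: Dict[str, str], baseline: Dict[str, int]) -> List[Finding]:
    """Run inspect_html over {path: content}; baseline maps path to its known size."""
    hits: List[Finding] = []
    for path, content in files.items():
        if not path.lower().endswith(TARGET_EXTENSIONS):
            continue
        found = inspect_html(path, content, baseline.get(path))
        if found is not None:
            hits.append(found)
    return hits


if __name__ == "__main__":
    for hit in scan({"index.htm": CLEAN_PAGE, "about.html": INFECTED_PAGE}, {}):
        print(hit.path, "->", "; ".join(hit.reasons))
```

The trailer check is the stronger signal; size growth alone is only worth acting on when the baseline comes from a trusted inventory, since legitimate edits also grow files.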

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • VBS.Manual (AVP)
  • VBS.Soraci (NAV)
  • VBS/Manual (F-Prot)