Content

VBS/Helvis

Type
Trojan
SubType
VbScript
Discovery Date
10/25/2002
Length
5,590
Viruschecker.vbs - 1,901
Minimum DAT
4231 (10/30/2002)
Updated DAT
4231 (10/30/2002)
Minimum Engine
5.1.00
Description Added
10/28/2002
Description Modified
11/22/2002 5:33 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This threat is detected as VBS/Helvis. When executed, the trojan modifies the registry by setting the following value to 0:

HKEY_CURRENT_USER\Software\MicrosoftWindows Scripting Host\Settings\Timeout,"0"

The trojan then opens up the website www.madblast.com using Internet Explorer. The picture of an Elvis impersonator is then displayed.

Using Outlook, the trojan emails all messages found in the Inbox and Sent Items to the email address vcheckpr@hotmail.com. Messages found in the Inbox are sent to the above address with the subject line modifed with the string "ibox" and the count number. Example:

Subject: ibox1 Hello.

Messages found in Sent Items are sent to the above address with the subject line modified with the string "sbox" and the count number. Example:
Subject: sbox1 Hello

All messages that contain Halloween Elvis in the subject line are be deleted.

The trojan creates another file VirusChecker.vbs in the hard coded path: c:\winnt\profiles\all users\start menu\programs\startup\. This file also sends messages found in the Inbox and Sent mail folders that have been received or sent the day before with the exception of Monday as it sends messages that are three days old.

Symptoms

An internet browser opens up to the url site above displaying the picture of the Elvis impersonator.
Presence of the file:
c:\winnt\profiles\all users\start menu\programs\startup\VirusChecker.vbs.

Method of Infection

Executing the VBScript.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This threat is detected as VBS/Helvis. When executed, the trojan modifies the registry by setting the following value to 0:

HKEY_CURRENT_USER\Software\MicrosoftWindows Scripting Host\Settings\Timeout,"0"

The trojan then opens up the website www.madblast.com using Internet Explorer. The picture of an Elvis impersonator is then displayed.

Using Outlook, the trojan emails all messages found in the Inbox and Sent Items to the email address vcheckpr@hotmail.com. Messages found in the Inbox are sent to the above address with the subject line modifed with the string "ibox" and the count number. Example:

Subject: ibox1 Hello.

Messages found in Sent Items are sent to the above address with the subject line modified with the string "sbox" and the count number. Example:
Subject: sbox1 Hello

All messages that contain Halloween Elvis in the subject line are be deleted.

The trojan creates another file VirusChecker.vbs in the hard coded path: c:\winnt\profiles\all users\start menu\programs\startup\. This file also sends messages found in the Inbox and Sent mail folders that have been received or sent the day before with the exception of Monday as it sends messages that are three days old.

Symptoms

Symptoms -

An internet browser opens up to the url site above displaying the picture of the Elvis impersonator.
Presence of the file:
c:\winnt\profiles\all users\start menu\programs\startup\VirusChecker.vbs.

Method of Infection

Method of Infection -

Executing the VBScript.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants -

    N/A