Virus:Worm/HappyTime.A.38
Date discovered:08/04/2008
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:No
File size:33,719 Bytes
MD5 checksum:2feb77bf21803dde0449fcf9e59b936d
VDF version:7.00.03.132

 General Method of propagation:
   • Email
   • Mapped network drives


Aliases:
   •  Mcafee: VBS/Haptime.gen@MM
   •  Kaspersky: Email-Worm.VBS.HappyTime
   •  F-Secure: VBS/Haptime.F
   •  Sophos: VBS/Haptime-Fam
   •  Panda: VBS/Help
   •  Eset: VBS/Haptime.E worm
   •  Bitdefender: Worm.VBS.HappyTime


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability

 Files It copies itself to the following locations:
   • C:\help.htm
   • C:\help.vbs
   • C:\Documents and Settings\help.hta
   • %WINDIR%\Untitled.htm



It deletes the following files:
   • *.exe
   • *.dll



It may corrupt the following files:
   • %WINDIR%\Web\*.HTT
   • *.HTML
   • *.HTM
   • *.ASP
   • *.VBS

 Registry The following registry keys are added:

– HKCU\Software\Help\Count
– HKCU\Identities\%UserID%\Software\Microsoft\Outlook Express\5.0\
   Mail\
   • Compose Use Stationery = "1"
   • Message Send HTML = "1"
   • Stationery Name = "%WINDIR%\help.htm"

– HKCU\Control Panel\Desktop
   • WallPaper = %Windows%\HELP.HTM

– HKCU\Software\Help\FileName

 Email It uses Microsoft Outlook in order to send emails. The characteristics are described below:


From:
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Help
   • Fw:%original subject%



Body:
–  The body is empty.


Attachment:
The filename of the attachment is:
   • Untitled.htm

The attachment is a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • .htm
   • .vbs
   • .asp
   • .htt

Description inserted by Alexandru Dinu on Wednesday, December 5, 2007
Description updated by Andrei Ivanes on Tuesday, September 16, 2008

Back . . . .