 

VBS/San.A


VBS/San.A is a worm written in Visual Basic Script. It spreads using Microsoft Outlook Express. After activation it copies itself as the file loveday14-a.hta into the directory c:\WINDOWS\Start Menu\Programs\Startup\. If the system language is Spanish, the directory c:\WINDOWS\Menú Inicio\Programas\Inicio\ is used instead. Files in this directory are run at each Windows start, which ensures that the worm is activated repeatedly. The worm checks whether the file index.html exists in the directory WINDOWS/SYSTEM. If it is not there, the worm creates it. The worm modifies the system registry so that Outlook Express uses this created file index.html as the pre-selected signature. The worm also sets the start page for Explorer to http://www.terra.es/personal/acaymo.
This worm contains a very dangerous payload. It is run on the 5th, 12th, 23rd and 29th day of each month. In each directory on drive C:, the worm creates a directory with the same name but with the text "happysanvalentin" added to it, and deletes the original directory and its contents.
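A defensive check for the file-system artifacts named above, as an added example that is not part of the original entry or the vendor's own code: it walks a mounted copy of drive C: and reports the dropped .hta file, the index.html signature file, and directories carrying the payload text. The function names and finding labels are assumptions chosen for illustration.

```python
import os
import sys
import unicodedata
from datetime import date

# Indicators as named in the description above.
DROPPED_FILE = "loveday14-a.hta"
STARTUP_DIRS = ("windows/start menu/programs/startup",
                "windows/menú inicio/programas/inicio")
SIGNATURE_FILE = "windows/system/index.html"
PAYLOAD_MARKER = "happysanvalentin"
PAYLOAD_DAYS = {5, 12, 23, 29}


def _norm(path):
    """Lower-case, NFC-normalise and use '/' so matching is case-insensitive like Windows."""
    return unicodedata.normalize("NFC", path).replace(os.sep, "/").lower()


def is_payload_day(today):
    """True on the days of the month on which the destructive routine runs."""
    return today.day in PAYLOAD_DAYS


def scan_drive(root):
    """Walk a mounted copy of drive C: and return sorted (label, relative path) findings."""
    startup = {_norm(d) for d in STARTUP_DIRS}
    findings = []
    for current, dirs, files in os.walk(root):
        rel = os.path.relpath(current, root)
        rel_dir = "" if rel == "." else _norm(rel)
        for name in dirs:
            if PAYLOAD_MARKER in _norm(name):
                findings.append(("payload-directory", _norm(os.path.join(rel_dir, name))))
        for name in files:
            rel_file = _norm(os.path.join(rel_dir, name))
            if _norm(name) == DROPPED_FILE:
                label = "startup-dropper" if rel_dir in startup else "dropper-copy"
                findings.append((label, rel_file))
            elif rel_file == SIGNATURE_FILE:
                # May pre-date the infection: check it against the Outlook Express signature setting.
                findings.append(("signature-file-review", rel_file))
    return sorted(findings)


if __name__ == "__main__" and len(sys.argv) > 1:
    for label, path in scan_drive(sys.argv[1]):
        print(f"{label}\t{path}")
    print("payload day today:", is_payload_day(date.today()))
```

Run it against an offline or read-only mount of the affected disk, passing the mount point as the only argument.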


