Example:  Viral Script

HTML.Bother.3180

HTML.Bother.3180 is script that uses ActiveX controls to perform malicious actions on your computer. The script modifies the default home page in Internet Explorer. It also appends itself to all .htm and .html files that it finds in the \My Documents and \Windows\Web folders. Finally, if the day of the month matches a random number, the default icon for .html files is changed.

 

Also Known As:	HTML.Bother.3180.dr
Type:	Virus
Infection Length:	3,180 bytes

Virus Definitions (Intelligent Updater) * May 23, 2001 * Intelligent Updater definitions are released daily, but require manual download and installation. Click here to download manually. ** LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

Wild: Number of infections: 0 - 49 Number of sites: 0 - 2 Geographical distribution: Low Threat containment: Easy Removal: Easy

Threat Metrics Wild: Low Damage: Low Distribution: Low

Damage

• Payload: If a randomly generated number matches the current day of the month, the default icon for html files will be changed.
  • Modifies files: Appends itself to .htm and .html files in the WEB folder of the Windows directory and in the My Documents folder.

This is a viral script and not a worm. When the .html file is opened in Internet Explorer, the following message appears, and you are asked to allow the ActiveX control to run:

You need ActiveX enabled if you want to see this page.
Please open this page again and click accept ActiveX.
Internet Explorer

If you click No, the script does not run and does not infect the system. The script does not infect systems that use Netscape Navigator as the default browser.

If you allow the ActiveX control to run, or if you are using very low security settings for Internet Explorer, the script performs its malicious actions:

1. First it creates the Hello.txt file on the Windows desktop. This is a two-line text file that contains information about the origin of the script. There is no viral code present in this file, and the file should be deleted.
2. Next, the script creates the PetiK.htm file in the \Windows\System folder. This file is set as the default home page for Internet Explorer. It contains your actual home page in a small scrollable frame, and beneath it the script displays the following message:
   
   Hi, you have my Worm.
   It's not dangerous.
   Contact Symantec Corporation (www.symantec.com/avcenter) to disinfect your computer.
   
3. The script also searches for .htm and .html files in both the \My Documents and the \Windows\Web folders. If .htm and .html files are found in these folders, the script checks for its infection marker. If the files have not been infected, the script appends its code to the end of the file, and leaves a marker at the beginning of the file for future scanning purposes.
4. Finally the script generates a random number, and if that number matches the current day of the month, the script changes the default icon for .html files.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

NAV will properly repair .htm and .html files that have been infected by HTML.Bother.3180. Files detected as HTML.Bother.3180.dr are the original dropper file, and should be deleted.

To remove the virus:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as HTML.Bother.3180, click Repair. Any files detected as HTML.Bother.3180.dr should be deleted.
4. Delete the Hello.txt file from the Windows desktop.
5. Using Windows Explorer, locate and delete the \Windows\System\PetiK.htm file.

1. Start Internet Explorer, and go the Web page that you want to set as your home page.
2. Click Tools, and then click Internet Options.
3. In the Home page section of the General tab, click "Use Current."

Symantec Security Response - HTML.Bother.3180