VBS/Soraci.A

Infection Method
This Visual Basic Script virus scans the current folder and all of its subfolders for files whose names end in the extensions “.HTM”, “.HTML” or “.HTT”, and infects those files. The virus body is encrypted to hide its code.
Note: %WINDOWS% denotes the Windows directory (e.g. C:\WINDOWS) and %SYSTEM% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32). The names of these directories may differ between various versions of Microsoft Windows.
VBS/Soraci.A creates %WINDOWS%\Web\Folder.htt. If this file exists already then the virus overwrites it. If the virus is executed from a root folder it creates folder.htt and desktop.ini in the root folder, overwriting any files with those names.
VBS/Soraci.A exploits the “Microsoft VM ActiveX Component vulnerability” to gain full access to the file system and registry.
Reference:
http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

Registry Changes
The virus changes the Internet Explorer Registry Settings as follows:
HKCU\Software\Microsoft\Internet Explorer\Main\
“Start Page” = “http://[address removed]/hedda_marie_tolentino/index.htm”
HKCU\Software\Microsoft\Internet Explorer\Main\
“Default_Page_URL” = “http://[address removed]/hedda_marie_tolentino/index.htm”
HKLM\Software\Microsoft\Internet Explorer\Main\
“Local Page” = “http://[address removed]/hedda_marie_tolentino/index.htm”
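The three rewritten values above can be audited offline against a .reg export of the Internet Explorer keys. The following Python is added here and is not part of the original write-up: it parses such an export and reports the values that point at the Soraci start page. The sample export is constructed, and the host "placeholder.invalid" stands in for the address removed from the write-up, so only the URL path is matched.

```python
import re
from typing import Dict, List, Tuple

# (key, value name) pairs VBS/Soraci.A rewrites, per the write-up; upper-cased for comparison.
SORACI_TARGETS = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Main".upper(), "START PAGE"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main".upper(), "DEFAULT_PAGE_URL"),
    (r"HKLM\Software\Microsoft\Internet Explorer\Main".upper(), "LOCAL PAGE"),
}
# Path shared by the three hijacked URLs; the host is removed in the write-up, so only the path is matched.
HIJACK_PATH = "/hedda_marie_tolentino/index.htm"
HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}  # .reg long names -> short

# Constructed sample export; "placeholder.invalid" stands in for the removed address.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://placeholder.invalid/hedda_marie_tolentino/index.htm"
"Default_Page_URL"="http://placeholder.invalid/hedda_marie_tolentino/index.htm"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {short key path: {value name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive, hive) + "\\" + rest
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg files escape backslashes and quotes inside strings with a backslash
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_soraci_hijacks(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, value) for the IE page values that point at the Soraci URL."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, value in values.items():
            if (key.upper(), name.upper()) in SORACI_TARGETS and value.lower().endswith(HIJACK_PATH):
                hits.append((key, name, value))
    return hits
```

On a live machine the same check applies to the output of `reg export` for the two keys; any of the three values pointing at an unexpected page is worth restoring along with removing %WINDOWS%\Web\Folder.htt.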
Payload
If the current system date is 26 September, the virus shuts down the Windows operating system.
History: Analysis and Write-up by: Michael St. Neitzel
NOD32 handles it now. I came across it this morning.