Techsmart Computer Services - Website Development, Computer Sales, Computer Repair & Upgrades, Virus Damage Repair, Custom Built Computer Systems, Network Design Installation & Maintenance, Internet Security - Antivirus Solutions, Network Security - Firewalls, Operating System & Software Installation and Repair

Serving Southern Oregon

(541) 858-9151

www.techsmartonline.com

Security Alert Bulletin


May 15, 2001

 

New Virus Disguised as Virus Warning Sent From Symantec

 

The virus, a worm named "VBS.Hard.A@mm", has begun showing up in users' e-mail disguised as a virus alert from trusted anti-virus company Symantec. The subject line reads "FW: Symantec Anti-Virus Warning", and the attachment, named "www.symantec.com.vbs" and written in Microsoft Visual Basic Script (VBS), propagates through the Outlook Express e-mail client.

The e-mail appears to be sent by a senior Symantec developer, the fictitious "F. Jones."   The message is: 


Hello,

There is a new worm on the Net.

This worm is very fast-spreading and very dangerous!

 

Symantec has first noticed it on April 04, 2001.

 

The attached file is a description of the worm and how it replicates itself.

 

With Regards,

F. Jones

Symantec senior developer

   


 

If you receive this e-mail, delete it immediately.  Do not click on the attachment.

 

If a user clicks on the file attachment, www.symantec.com.vbs is executed (opened, launched...) and the VBS.Hard.A@mm worm delivers its payload in the following manner:

 

  1. It copies itself as the C:\www.symantec.com.vbs file.

  2. It then tries to create a fake Symantec virus information page for a non-existent threat, VBS.AmericanHistoryX_II@mm.  This fake web page is created as C:\www.symantec.com.hta.  In creating this fake web page, it uses the helper files C:\Switch.bat and C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}.  (The latter will be created if the .hta file type is not registered as the hex-ID shown above.  In this case, the worm runs C:\Switch.bat to rename the second file to C:\www.symantec.com.hta.)

  3. Next, the worm creates the C:\www.symantec_send.vbs file, which instructs Microsoft Outlook Express to send the file C:\symantec.com.vbs to everyone in your Outlook Express address book. This same script also creates a marking key in the Windows registry, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\OE Done", that is set to the value "Hardhead_SatanikChild".

  4. And then, VBS.Hard.A@mm creates the C:\Message.vbs file, which contains a message-displaying payload.  The payload is triggered every November 24th.  It displays the message:

 

  5. The worm sets or creates several registry keys:

  • To the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, it adds the following three values:
      1) Outlook: C:\www.symantec_send.vbs.  This launches the VBS file that sends out the e-mail message.
      2) Symantec: C:\infected with virus.vbs.  Since no such file is dropped, this registry modification does not affect the system.
      3) Message: C:\message.vbs.  This launches the message-displaying script, which will display the message every November 24th.

  • In the registry key, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, it changes the value data of the Start Page to C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}, which sets the start page of Internet Explorer to the fake virus information page.

Removal Instructions:  

To remove this worm, delete files detected as VBS.Hard.A@mm, undo the changes that it made to the registry, and reset the Internet Explorer Start Page.  Detailed removal instructions are available on Symantec's website.
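The registry changes listed above can be checked against a regedit export taken from a suspect machine. The following is an added example, not part of the original bulletin or of Symantec's removal tooling; the sample export is constructed, and treating "OE Done" as a value under the WAB key is an assumption.

```python
import re

# Indicators copied from the bulletin; compared case-insensitively, as Windows does.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower()
RUN_DATA = {r"c:\www.symantec_send.vbs", r"c:\infected with virus.vbs", r"c:\message.vbs"}
START_PAGE_PREFIX = r"c:\www.symantec.com."
MARKER = "hardhead_satanikchild"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse "name"="data" string values of a regedit export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # Exports double backslashes and escape quotes; undo that here.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def findings(reg_text):
    """List (kind, where, data) tuples for each indicator present in the export."""
    keys, hits = parse_reg(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if data.lower() in RUN_DATA:                 # autostart entries the worm adds
            hits.append(("run", name, data))
    start = keys.get(IE_MAIN, {}).get("start page", "")
    if start.lower().startswith(START_PAGE_PREFIX):  # hijacked IE start page
        hits.append(("start_page", "start page", start))
    for key, values in keys.items():                 # marker value, wherever it sits
        hits += [("marker", key, d) for d in values.values() if d.lower() == MARKER]
    return hits

# Constructed sample export (not from a real machine). Placing "OE Done" as a
# value under the WAB key is an assumption; the marker check matches on data only.
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Outlook"="C:\\www.symantec_send.vbs"
"Message"="C:\\message.vbs"
"SystemTray"="SysTray.Exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB]
"OE Done"="Hardhead_SatanikChild"
'''
if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

Each hit names a value to delete or reset during cleanup; an empty list means none of the bulletin's registry indicators appear in the export.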

 

Techsmart Computer Services advocates Education and Protection as the best means of prevention.  The $39.00 or so you spend today on virus detection software could be your "$aving" grace in the event of a virus attack on your computer.  And the hour or so you spend learning about viruses, how they are classified, how they deliver their payloads, and how to spot a potential virus can be invaluable.  Finally, it can't be stressed enough - "Back up your system on a regular basis."  (Back up, Back up, Back up...)

 

If you need to have this virus or any other virus removed for you, please contact the experts at Techsmart Computer Services for professional virus removal service.

Wishing you all Safe Surfing.

 

 

 


Copyright © 2003 - 2008    All Rights Reserved

   
   
 
