Sophos

VBS/Soraci-A

Aliases
  • VBS.Saraci
  • VBS/Sarachi.A
  • VBS/Soraci
  • VBS.Soraci

Summary

 
Included in our products from May 2004 (3.81)
Protection available since 25 March 2004 17:18:52 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Sophos recommends that HTML files are backed up before disinfection is initiated.

More Information

VBS/Soraci-A is an HTML-based script that infects files with an extension of HTM, HTML or HTT in the current folder and all of its sub-folders. It also changes browser settings for Microsoft Internet Explorer by setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"

HKLM\Software\Microsoft\Internet Explorer\Main\Local Page
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"
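The three registry entries above can be checked offline against a registry export. The following is an added example, not Sophos code: it assumes the export (for instance from regedit) has already been decoded to text, and the names `find_soraci_settings` and `SAMPLE_EXPORT` are hypothetical, with the sample export constructed for illustration.

```python
import re

# Indicator values taken from the description above.
SORACI_URL = "http://www.geocities.com/hedda_marie_tolentino/index.htm"
WATCHED = {
    (r"hkey_current_user\software\microsoft\internet explorer\main", "start page"),
    (r"hkey_local_machine\software\microsoft\internet explorer\main", "local page"),
    (r"hkey_current_user\software\microsoft\internet explorer\main", "default_page_url"),
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export: one clean value, one unwatched value, two hits.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.geocities.com/hedda_marie_tolentino/index.htm"
"Default_Page_URL"="http://www.msn.com/"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="http://www.geocities.com/hedda_marie_tolentino/index.htm"
'''

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_soraci_settings(reg_text):
    """Return sorted (key, value name) pairs whose data equals the Soraci URL."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # header, blank line, or non-string value (dword:, hex:)
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        watched = (key.lower(), name.lower()) in WATCHED
        if watched and data.strip().lower() == SORACI_URL.lower():
            hits.append((key, name))
    return sorted(hits)

if __name__ == "__main__":
    for key, name in find_soraci_settings(SAMPLE_EXPORT):
        print(f"{key}\\{name} points at the Soraci start page")
```

An HKCU export covers only the user it was taken from, so each profile on a shared machine needs its own export.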

VBS/Soraci-A uses the "Microsoft VM ActiveX Component" vulnerability associated with Microsoft Internet Explorer to access the file system and registry without any of the usual security restrictions placed on ActiveX controls. See Microsoft security bulletin MS00-075.

VBS/Soraci-A creates a new version of <WINDOWS>\Web\Folder.htt. When VBS/Soraci-A is run from the root folder, it creates the files folder.htt and Desktop.ini in the root folder, replacing any existing copies of these files.

When run on September 26th, VBS/Soraci-A causes Windows to shut down.

VBS/Soraci-A can arrive on the computer by browsing websites whose HTML pages contain the script, or via HTML-based mail messages.
