Summary

| Protection available since | 28 September 2003 09:46:43 (GMT) |
|---|---|
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for disinfecting macro viruses.
Please follow the instructions for removing worms.
Microsoft patch
You should install any relevant patches mentioned in the Microsoft article above.
Signature file
You should check the signature file for Outlook Express 5.0 and the Start Page of Internet Explorer or the Home Page of Netscape.
More Information
JS/Fortnight-D is a virus that combines JavaScript and Java applets. When an email infected with JS/Fortnight-D is read in an HTML-aware mail client, the virus attempts to open a website. The website runs a Java applet that makes use of Troj/ByteVeri-A to run itself locally.
JS/Fortnight-D then attempts to drop a file, S.HTM, in the WINDOWS folder and set it as the signature for Outlook Express 5.0.
JS/Fortnight-D also creates a file in the Windows folder called hosts. The hosts file has the effect of subverting access to certain websites.
JS/Fortnight-D edits the following registry entries:
- HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
- HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
- HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
- HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
The following files will be dropped in the Favorites folder:
- Nude Nurses.url
- Search You Trust.url
- Your Favorite Porn Links.url
JS/Fortnight-D exploits a vulnerability in the Microsoft VM ActiveX component.
If an affected web page is opened, a JScript embedded on the page attempts to use the vulnerability in order to drop files on a local drive, change registry keys without the user's knowledge or perform any other malicious action on the local computer.
For more details about the Microsoft VM ActiveX component exception vulnerability please see Microsoft Security Bulletin MS00-075.
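The file-system traces described above can be checked on a live system or a mounted disk image with a short triage script. This is an added example, not Sophos code: the function names and the two folder arguments are assumptions, and the registry entries are not covered. Because a hosts file can exist legitimately, the script lists its non-localhost mappings for review instead of flagging the file itself.

```python
import sys
from pathlib import Path

# File names come from the description above; everything else is illustrative.
SIGNATURE_DROP = "s.htm"
FAVORITES_DROPS = {
    "nude nurses.url",
    "search you trust.url",
    "your favorite porn links.url",
}

def hosts_redirects(hosts_path):
    """Return (address, hostname) pairs other than plain localhost entries."""
    pairs = []
    text = Path(hosts_path).read_text(errors="replace")
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if name.lower() != "localhost":
                pairs.append((fields[0], name.lower()))
    return pairs

def scan(windows_dir, favorites_dir):
    """Collect traces as (kind, detail) tuples, matching names case-insensitively."""
    findings = []
    win, fav = Path(windows_dir), Path(favorites_dir)
    if win.is_dir():
        for entry in win.iterdir():
            if not entry.is_file():
                continue
            if entry.name.lower() == SIGNATURE_DROP:
                findings.append(("signature_file", str(entry)))
            elif entry.name.lower() == "hosts":
                # A hosts file may be legitimate, so list its mappings for review.
                for addr, host in hosts_redirects(entry):
                    findings.append(("hosts_entry", f"{addr} {host}"))
    if fav.is_dir():
        for entry in fav.rglob("*"):
            if entry.is_file() and entry.name.lower() in FAVORITES_DROPS:
                findings.append(("favorites_drop", str(entry)))
    return findings

if __name__ == "__main__":
    # Usage: python <this script> <Windows folder> <Favorites folder>
    for kind, detail in scan(sys.argv[1], sys.argv[2]):
        print(f"{kind}: {detail}")
```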
