Sophos

VBS/Hard-A


Summary

 
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0


More Information

VBS/Hard-A is a worm which uses Outlook Express to spread. The worm arrives in an email message with an attachment.

The subject of the message is "FW: Symantec Anti-Virus Warning".

The body of the message contains the text:

----- Original Message -----
From: warning@symantec.com
To: supervisor@av.net ;
security@softtools.com ;
mark_fyston@storess.net ; directorcut@ufp.com ;
pjeterov@goldenhit.org ;
kim_di_yung@freeland.ch ;
james.heart@macrosoft.com
Subject: FW: Symantec Anti-Virus Warning

Hello,

There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how to protect your pc against it.

With regards,
F. Jones
Symantec senior developer

The attached file is named www.symantec.com.vbs. If this file is launched, the worm creates an HTML file and registers it so that it is opened as a Microsoft Hypertext application file. The file is formatted to look like a genuine Symantec virus description on the Symantec website, but the text describes a non-existent worm called VBS.AmericanHistoryX_II@mm.

The worm creates a VBS file called www.symantec_send.vbs in the root directory of the C: drive and changes the Registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the file is run on the next Windows reboot.

The worm sends itself to all contacts found in the Outlook Express address book.

On 24 November, the worm displays a message box containing the following text:

"Don't look surprised!
It is only a warning about your stupidity
Take care!"
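
The mail-borne indicators described above (the subject line and the attachment name) can be checked at a mail gateway or over an archive of stored messages. The following is an added example, not Sophos code: it matches the two indicators from this description and, as a generalisation, any script attachment whose name hides its real extension behind another dotted suffix. The function names, the extension list and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the description above.
SUBJECT = "FW: Symantec Anti-Virus Warning"
ATTACHMENT = "www.symantec.com.vbs"
# Assumption: extensions that Windows Script Host runs on double-click.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message matches the description."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT.lower():
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # body parts and multipart containers carry no filename
        if name == ATTACHMENT:
            reasons.append("attachment-name")
        # Generalisation: a script named like "something.ext.vbs", where the
        # visible suffix (.com, .txt, ...) distracts from the executable one.
        elif name.endswith(SCRIPT_EXTS) and name.count(".") >= 2:
            reasons.append("disguised-script:" + name)
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is an inert placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "rcpt@example.test"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"' constructed placeholder, not worm code\r\n",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample(SUBJECT, ATTACHMENT)))
    print(inspect_message(build_sample("Minutes", "notes.txt")))
```

A match on the subject alone is weak evidence, since the text is easy to change; the attachment checks are the stronger signal.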
