Sophos

VBS/San-A

Summary

 
Detected by All Sophos products

More Information

VBS/San-A is a Visual Basic Script worm.

The worm exploits the Scriptlet.Typelib and Eyedog vulnerability in some versions of Microsoft Outlook Express and Microsoft Internet Explorer to execute automatically when the email message is viewed. This is a similar attack to that used by the commonly encountered VBS/Kakworm virus.

Sophos recommends users apply the patch available from Microsoft to close this vulnerability. For more details, please view Microsoft Security Bulletin MS99-032.

The worm has two initial infection paths: the user either visits a web page with embedded worm code, or opens or previews an infected email message in a browser or email client that does not have the security patch installed.

When the viral code runs, it drops a file LOVEDAY14-B.HTA into the Windows StartUp folder. The next time the infected computer is rebooted, the dropped HTA file is run. It first changes the Internet Explorer homepage so that it points to a page which contains a dropper for the VBS/Valentin-A worm (this web page has now been shut down) and then drops a file called MAIN.HTML into the Windows System directory.

The worm then uses Microsoft Outlook to send itself to all contacts in each user's address book. The message has no subject, and the worm is sent by embedding its script code in the body of each message, so the message carries no attachments.

The worm also attempts to send ten SMS text messages to randomly chosen numbers on a Spanish mobile phone network. The subject of the message is "Feliz san valentin" (Happy St. Valentine's day) and the message text is "Feliz san valentin. Por favor visita htpp://www.terra.es/personal/ acaymo".

The URL mentioned in the message contains the embedded virus dropper.

The worm also searches all fixed and network drives for MIRC32.EXE or MLINK32.EXE and, if either is found, drops a mIRC (Internet Relay Chat) script which attempts to send the worm to other mIRC users. Any files with a .URL extension that are found are replaced with a new shortcut pointing to http://www.terra.es/personal2/jackis2.

On the 8th, 14th, 23rd or 29th day of the month, the worm attempts to overwrite all files on the local hard drive and on shared network drives with Spanish text. When a file is overwritten, it is renamed so that it has a double extension, with .TXT appended to the original extension (e.g. Notepad.exe becomes Notepad.exe.txt).

Note: If full scanning is used to detect the worm in email, Sophos Anti-Virus will report it as Mid/San-A. This is due to the infection technique used by the worm.
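The file-system indicators described above (the dropped LOVEDAY14-B.HTA and MAIN.HTML, .URL shortcuts rewritten to the terra.es address, and files renamed with a trailing .txt) can be swept for during triage. The following is an added example, not Sophos code; it builds a constructed sample directory rather than touching a real machine, and the double-extension check is a heuristic that can flag benign names such as notes.backup.txt.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the Sophos description of VBS/San-A.
DROPPED_HTA = "loveday14-b.hta"   # dropped into the Windows StartUp folder
DROPPED_HTML = "main.html"        # dropped into the Windows System directory
HIJACK_URL = "http://www.terra.es/personal2/jackis2"  # written into replaced .URL files


def scan_tree(root):
    """Walk `root` and return (category, path) hits for VBS/San-A indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == DROPPED_HTA:
                hits.append(("dropped_hta", str(path)))
            elif lower == DROPPED_HTML:
                hits.append(("dropped_html", str(path)))
            elif lower.endswith(".url"):
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue
                if HIJACK_URL in text.lower():
                    hits.append(("hijacked_url", str(path)))
            elif lower.endswith(".txt") and len(Path(lower).suffixes) >= 2:
                # e.g. notepad.exe.txt: .TXT appended to an existing extension
                hits.append(("overwritten_file", str(path)))
    return hits


def build_sample_tree():
    """Constructed sample tree (placeholder content, not worm code) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="san_a_demo_"))
    startup = root / "Start Menu" / "Programs" / "StartUp"
    startup.mkdir(parents=True)
    (root / "SYSTEM").mkdir()
    (root / "Favorites").mkdir()
    (startup / "LOVEDAY14-B.HTA").write_text("<!-- placeholder -->")
    (root / "SYSTEM" / "MAIN.HTML").write_text("<!-- placeholder -->")
    (root / "Favorites" / "News.url").write_text(
        "[InternetShortcut]\nURL=http://www.terra.es/personal2/jackis2\n")
    (root / "Notepad.exe.txt").write_text("texto")   # renamed/overwritten file
    (root / "readme.txt").write_text("clean")        # ordinary file, must not match
    return root


if __name__ == "__main__":
    for category, hit in scan_tree(build_sample_tree()):
        print(f"{category:17} {hit}")
```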
