high
Summary
Summary
Action- More Information
| Protection available since | 25 March 2004 17:18:52 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Sophos recommends that HTML files are backed up before disinfection is initiated.
More Information
VBS/Soraci-A is a HTML-based script which infects files with an extension of HTM, HTML or HTT in the current folder and all sub-folders of the current folder and changes browser settings for Microsoft Internet Explorer by setting the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"
HKLM\Software\Microsoft\Internet Explorer\Main\Local Page
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
= "http://www.geocities.com/hedda_marie_tolentino/index.htm"
VBS/Soraci-A uses the "Microsoft VM ActiveX Component" vulnerability associated with Microsoft Internet Explorer to access the file system and registry without any of the usual security restrictions placed on ActiveX controls. See Microsoft security bulletin MS00-075.
VBS/Soraci-A creates a new version of <WINDOWS>\Web\Folder.htt and when VBS/Soraci-A is run from the root folder it creates the files folder.htt and Desktop.ini in the root folder, replacing any existing copies of these files.
When run on September 26th VBS/Soraci-A causes Windows to shut down.
VBS/Soraci-A can arrive on the computer by browsing websites whose HTML pages contain the script, or via HTML-based mail messages.
|
