Antivirus and Security Software from Sophos

VBS/Triny-J

Aliases
  • I-Worm.Triny.j

Summary

 
How it spreads
  • Email messages
  • Infected files
Affected operating systems: Windows
Protection available since: 26 November 2004 13:02:15 (GMT)
Detected by: All Sophos products

More Information

VBS/Triny-J is a mass-mailing worm.

The worm arrives in an email with the following characteristics:

Subject line: one of

"Awak kenal saya tak???"
"How are you?"
"Virus baru menyerang.."
"RE:Hunt or be hunted..."
"www.geocities.com\~Friends"
"Norton Antivirus Warning www.symantec.com/bug"
"Panda Antivirus Warning www.panda.com"
"Tak is Back... Faster,Braver,Stronger"
"Friends..."
"Long time no see..."
"you know my feeling..."
"FWD: Friends is coming..."
"HELLO........"
"Www.Friendster.net"
"www.VirtualGirl.net"
"where is the love?"
"Ni virus ke hapa? apola.. try a tgk..."
"Free WebCam for you.."
"FWD: Bounty Hunter.. $12000 for you.."
"ReUnion of Myvwa"
"Aya... sorry... hope you don't mind.."

Message body: empty unless ActiveX scripting is disabled, in which case:

This e-mail contain a animation graphic which required the ActiveX enabled.
Please open this message again then please accept the ActiveX by click at yes
Microsoft OutLook

VBS/Triny-J sends itself to addresses from the MAPI address book.

The worm displays the following two messages:

This page contain a graphic which required the AxtiveX.Please accept
the ActiveX by click at yes

Your computer had been infected by HTML.Atira... Please refer to the
AntiVirus company for the remover...Send this sample to them or i'll
infect another hi hi hi ;p
Greets:Fait Accompli,Melhacker,Philet0ast3r,Anua,Nije,Dehe,ise,pa'an,
Pakcik and all who know me... be a better man.... Made in Malaysia 2004 for
newbies...HTML.ATiRa By -Lasiaf-

VBS/Triny-J copies itself to the file C:\Friends.htm

The worm attempts to append itself to files with the extension HTT, ASP, HTM, HTA, HTX or HTML.

VBS/Triny-J modifies the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
1201 = 0

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
1201 = 0
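
The registry change listed above can be checked from a regedit text export. The following is an added example, not Sophos code: URL action 1201 controls initializing and scripting ActiveX controls not marked as safe for scripting, zone 0 is the local machine zone, and a value of 0 means the action is allowed. The function names and the sample export are constructed for illustration.

```python
import re

# Added example. SAMPLE_EXPORT is constructed; function names are hypothetical.
ZONE0 = r"software\microsoft\windows\currentversion\internet settings\zones\0"
HIVES = {"hkey_current_user": "HKCU", "hkey_local_machine": "HKLM"}
ACTION = "1201"  # URL action: init/script ActiveX controls not marked safe for scripting

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1201"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201"=dword:00000003
"""

def zone0_1201(reg_text):
    """Return {hive: value} for value 1201 under the Zones\\0 key in a regedit export."""
    found, hive = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            root, _, rest = line[1:-1].partition("\\")
            # Registry paths are case-insensitive; track only the two keys of interest.
            hive = HIVES.get(root.lower()) if rest.lower() == ZONE0 else None
        elif hive:
            m = re.fullmatch(r'"%s"=dword:([0-9a-fA-F]{8})' % ACTION, line)
            if m:
                found[hive] = int(m.group(1), 16)
    return found

def triny_j_hits(reg_text):
    """Hives where 1201 is 0 (allowed), the value the description says the worm sets."""
    return sorted(h for h, v in zone0_1201(reg_text).items() if v == 0)

if __name__ == "__main__":
    for hive in triny_j_hits(SAMPLE_EXPORT):
        print(f"{hive}: Zones\\0 value 1201 = 0, matches the VBS/Triny-J description")
```

A hit is an indicator to investigate alongside the presence of C:\Friends.htm, since the setting can also be changed by other software or by policy.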
