Sophos

VBS/Valentin-A


Summary

 
Detected by All Sophos products


More Information

VBS/Valentin-A is a Visual Basic Script worm.

The worm exploits the Scriptlet Typelib and Eyedog vulnerability in some versions of Microsoft Outlook Express and Microsoft Internet Explorer to execute automatically when the email message is viewed. This attack is similar to the one used by the commonly encountered VBS/Kakworm virus.

Sophos recommends users apply the patch available from Microsoft to close this vulnerability. For more details, please view Microsoft Security Bulletin MS99-032.

If the patch is not applied, the computer can be infected either by visiting an infected web page or by opening or previewing an infected email message.

When the viral code runs, it drops the file LOVEDAY14-A.HTA into the Windows StartUp directory so that it runs automatically whenever Windows is started. When the dropped HTA file runs, it drops the file INDEX.HTML into the Windows system directory and changes the Registry settings of Outlook Express so that every Outlook Express user automatically includes INDEX.HTML as their email signature file. There are no visible signs of the worm's presence in the infected email message unless the message source is examined in text mode.

The worm also changes the Internet Explorer home page settings so that it points to a website which contains a dropper for the VBS/San-A worm. However, the website has now been shut down.

On the 8th, 14th, 23rd or 29th day of the month the worm attempts to delete all files from drive C: and to rename every folder so that it appends the text "happysanvalentin" (e.g. C:\My Programs becomes C:\My Programshappysanvalentin).

Note: If full scanning is used to detect the worm in email, Sophos Anti-Virus will report it as Mid/Valentin-A. This is due to the infection technique used by the worm.
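The file-system artifacts described above can be swept for on a mounted volume or disk image. The following Python sketch is an added example, not Sophos code. The folder names used to recognise the StartUp and system directories, and the sample tree it builds, are assumptions constructed for illustration.

```python
import os
import tempfile

# File and suffix names come from the description above; compared in lower
# case because Windows file systems are case-insensitive.
DROPPED_HTA = "loveday14-a.hta"
DROPPED_SIG = "index.html"
RENAME_SUFFIX = "happysanvalentin"
# Assumption: folder names used to recognise the StartUp and system directories.
STARTUP_DIRS = {"startup"}
SYSTEM_DIRS = {"system", "system32"}


def sweep(root):
    """Walk a mounted volume or image; return sorted (indicator, path) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for d in dirnames:
            # The payload appends the text directly to each folder name.
            if d.lower().endswith(RENAME_SUFFIX):
                findings.append(("renamed-folder", os.path.join(dirpath, d)))
        for f in filenames:
            name = f.lower()
            if name == DROPPED_HTA:
                # The StartUp copy is the persistence point; flag strays too.
                kind = "hta-in-startup" if parent in STARTUP_DIRS else "hta-elsewhere"
                findings.append((kind, os.path.join(dirpath, f)))
            elif name == DROPPED_SIG and parent in SYSTEM_DIRS:
                # index.html is common on web servers, so only the system
                # directory copy counts as the dropped signature file.
                findings.append(("signature-file", os.path.join(dirpath, f)))
    return sorted(findings)


def build_sample(root):
    """Create a constructed test tree (empty files, hypothetical layout)."""
    files = ["WINDOWS/Start Menu/Programs/StartUp/LOVEDAY14-A.HTA",
             "WINDOWS/SYSTEM/INDEX.HTML",
             "Inetpub/wwwroot/index.html"]  # benign, must not be flagged
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(os.path.join(root, "My Programshappysanvalentin"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in sweep(tmp):
            print(kind, os.path.relpath(path, tmp))
```

The sweep covers only the dropped files and renamed folders; the Outlook Express signature and Internet Explorer home page changes live in the Registry and need a separate check.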
