VBS/Horty-A

Category: Viruses and SpywareProtection available since:24 Apr 2003 00:00:00 (GMT)
Type: Visual Basic Script wormLast Updated:24 Apr 2003 00:00:00 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

VBS/Horty-A is an email worm that uses Microsoft Outlook to spread. The worm sends an email to all contacts in the user's Windows address book. The email has the following characteristics:

Subject line:
Jenna Jameson pornstar free superfuck+photo address

Message text:
Do you wanna see super pornostar,Jenna Jameson,in a special
superfuck?Double click on the attachment of this mail,and
get also some interesting sex-sex-sex addresses...

Attached file:
JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs

When first executed the worm will check to see if it is being executed from drive A: or B:. If this is the case then JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs will be copied to C:\x-FUCK.TXT.vbs and then executed. Otherwise the worm will create copies of itself as:

C:\<Windows folder>\JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs
C:\<Windows folder>\Kernel32.vbs
C:\<Windows system folder>\ALEXIA.TXT.vbs
C:\<Windows temporary folder>\Natasa.TXT.vbs

The worm will create the following registry entry to run Kernel32.vbs whenever Windows starts up:

HKLM\Software\Microsoft\Windows\CurrenVersion\
Run\WUpdate = C:\<Windows folder>kernel32.vbs

If the copy of the worm currently executing is not C:\<Windows folder>kernel32.vbs then the text file C:\<Windows folder>\JENNA-JAMESON-FREE-SUPERFUCK.txt will be created and opened up in Notepad. The text file contains addresses for pornographic websites.

At this stage in its execution the worm will run its mass mailing properties. A registry value is created at HKLM\Software\WUpdate and is initially set to one. The value is incremented on each execution of the worm and when it is equal to five the mass mailing part of the worm will no longer be run.

On the 12th of May a message box will be displayed containing the text "Your PC has been hacked by KaGra[ATZI virus ver 2.1]".

On the 13th of May the worm will attempt to delete all files in the Windows folder.

Every six minutes the worm will be copied to drives A: and B:. The copies will have the following names, KISSme, PUSSY, xFUCK, 2TITS, myDICK, PORN, UFOxxx, ALIENS, theBAR and DrDICK each with the double extension .TXT.vbs .