HTML Virus Info

this page last updated 11-20-98

HTML Viruses

These have been fairly high profile recently due to a press release saying they had discovered the first HTML virus. The bad news is however that the author has now written another two, so there are now 3 HTML viruses that we know about.


HTML/Internal

This was the first HTML virus discovered. It is a simple overwriting virus that will overwrite any HTM or HMTL files that are present in the same folder as the virus or the folder above it. This virus will only run if the HTML file is being viewed from a file stored on the computer locally, it will NOT run if it is downloaded from the web by the browser. Also the virus does not appear to run on Netscape, only Microsoft Internet Explorer 4. The default security settings of IE4 cause a popup message alerting the user that the page contains potentially harmful content and asking if it should be run. This virus is not really a major threat and there is no evidence of this in the field.


HTML/Prepend.1670

This virus is a true prepending parasitic virus. When viewed from a local drive it has a 1 in 6 chance of infecting other HTM or HTML files in the same folder. The virus does not appear to run on Netscape, only Microsoft Internet Explorer 4. The default security settings of IE4 cause a popup message alerting the user that the page contains potentially harmful content and asking if it should be run. This virus is repairable, not really a major threat and there is no evidence of this in the field.


HTML/ReDirect

This virus is a companion type virus. When viewed from a local drive it has a 1 in 6 chance of infecting other .HTM files in the same folder. This it does by copying the original .HTM file to a similarly named .HTML file. It then overwrites the original .HTM file with itself. In all cases the browser is redirected to the .HTML copy of the infected .HTM file. Also the virus does not appear to run on Netscape, only Microsoft Internet Explorer 4. It also uses some scripting functions that are only available in Windows98 or IE4. The default security settings of IE4 cause a popup message alerting the user that the page contains potentially harmful content and asking if it should be run. This virus is not really a major threat and there is no evidence of this in the field.


VBS Viruses

An optional part of the Windows 98 installation is a program called 'Windows Scripting Host'. This program allows Windows 98 to run VB script files, which are ASCII text files, as executable files.

This scripting language is a full blown high level language that offers comprehensive access to the Windows 98 operating system services, allowing such operations as file access, registry manipulation, running other programs, Email and Internet access, etc. Example programs are installed in the folder WINDOWS\SAMPLES\WSH as part of the installation of the Windows Scripting Host program.

Given the features of this language and the popularity of the Windows 98, it was only a matter of time before we saw the first Virus/Trojan written in this language, and sure enough earlier this month the first one arrived.

There are currently 8 viruses and variants of this type. They are detailed below.

VBS/FWSV

This is a fairly simple overwriting virus which replaces any other script files in the same folder as itself, with copies of itself. The virus however evolved as the author learned new techniques and to date we have 3 variants of this virus (VBS/FWSV.a, VBS/FWSV.b and VBS/FWSV.c). This is not much of a threat as it has no payloadbut a nuisance as the files are not repairable. No evidence of this in the field.

VBS/Cbabm

This virus is a true parasitic virus. It non-destructivly infects other script files by copying itself at the start of any script file in either; · The same folder as the virus script file, · The Windows folder, · Windows\Profiles\All Users\Desktop · Windows\Profiles\Administrator\Desktop · Windows\Desktop

This virus also has a payload in that on a certain day and time it will place an ASCII text picture at the start of any .TXT or .DOC files it find on all drives and folders. This virus is quite easy to repair, but the damage it could do to users text and document files makes this virus quite dangerous.

VBS/Happy

This virus is a true parasitic infector. It appends itself to then end of any script files in either ; · The same folder as the virus · The root directory · Windows\Desktop · Windows\Start Menu\Programs\Startup · Windows\My Documents

It also creates a copy of itself in the Windows folder called avm.vbs and inserts an entry in the registry so that this is run automatically at startup. This virus has no payload, is easily repairable, but could be quite dangerous due to it's installing itself into the registry. It is dropped by the W97M/ColdApe virus.

VBS/ColdApe

A W97 macro virus (W97M/ColdApe) drops this VBS script file. When run, it performs 2 actions; · Obtains the victim's IP address and then sends it to the virus author via Email. This renders the victim open to Internet attacks such as WinNuke, SSPING, etc. · Sends a rude message via Email to the editor of an Anti-Virus magazine.

The script file does not replicate, however the W97M virus also drops VBS/Happy onto the users system and this does replicate.

VBS/Break

This virus is the first virus to be able to infect both DOC files and VBS files. It exists in 2 variants.

The first variant (VBS/Break..3507) infects DOC files via NORMAL.DOT and will jump across to any VBS files in the same directory, by overwriting them with a copy of itself. It also replicates to other DOC files as a normal macro virus. When a document infected by this variant is closed it searches all of the C: drive for VBS files and overwrites any it finds with copies of itself. A limitation of this variant means that the DOC file must not contain any lines in the ThisDocument section of the NORMAL.DOC template for the virus to function correctly.

The second variant (VBS/Break.2291) is more advanced. It is smaller and shares some common area's of code between the macro and script sections of the virus. It's will only search the C:\ drive on the 15th day of the month. It is also more intelligent in that it will delete any lines in the ThisDocument section of the NORMAL.DOC template when infecting a DOC from a VBS.

The VBS script incarnations of this virus are note repairable and the macro incarnation of the second variant is also not repairable due to the deletion of any lines in the NORMAL.DOC template.

VBS/Mutate

This is a true parasitic virus. It non-destructivly infects other script files by copying a mutated copy of itself at the start of any script file in the same directory as itself. This virus is repairable and contains no destructive payload.

INF Viruses

This category is very new an so far we only have one example. INF files are used by Windows 95/98 and NT 4.0 to provide information about hardware devices to provide the plug and play capability of the operating system.


INF/Vxer

This is the first (and sofar, only) example of a virus that uses Windows .INF files to spread. When the user installs an infected .INF file, it makes a copy of itself in C:\VXER.TXT and appends some code onto the end of AUTOEXEC.BAT. Then whenever the user starts the system the code in AUTOEXEC.BAT will replace the newest .INF (not already infected) file in WINDOWS\INF folder with a copy of the virus from VXER.TXT. This will result in the gradual destruction of the plug and play capability of Windows 95/98. Any .INF files infected are not repairable but the AUTOEXEC.BAT is repairable.