A little update for the news:

Aliases: VBS/VBSWG-X, VBS.HomePage, VBS.VBSWG2.D@mm, VBS/SST.gen@MM, I-Worm.Homepage, VBSWG.X, Home Page
Variants: N/A
Attachments: homepage.HTML.vbs
Discovered: 05/08/2001
Distribution: High
Severity: Moderate to Severe (may crash email servers)
Vulnerable: Microsoft Windows; Microsoft Outlook
Profile Updated: 06:15 PM GMT 05/09/2001

Symptoms

One of four possible adult web sites is displayed as the default home page on the affected computer (omitted from description).

Infection

Once the infected attachment is executed, Homepage drops a copy of itself into the Windows temporary directory as "HOMEPAGE.HTML.VBS."

As part of its mass mailing routine, HomePage checks the following registry entry to see if it has already performed a mass mailing on the affected machine:

HKEY_CURRENT-USER\Software\An\Mailed

If the above value is set to 1, the worm has already performed a mass mailing on the affected machine. If the above value is NOT set to 1, Homepage sets the value and attempts to mass mail addresses within the Outlook Address book on the local machine, with the data noted above in the Description field.

Once the mass mailing is completed, Homepage searches Microsoft Outlook Journal and Sent folders to delete emails with the subject of "Homepage", in an attempt to conceal its mass mailing and presence on the affected machine.

If Microsoft Outlook or Windows Scripting Host (WSH) is not present on the system, Homepage is unable to propagate.

After the mass mailing, Homepage attempts to change the default home page of Internet Explorer to one of four possible adult commercial web sites (omitted from description).

Payload

Mass mails addresses within the Microsoft Outlook address book. May be prolific enough to cause email servers to crash. Default home page of Internet Explorer may be changed to one of four possible adult web sites.

Disinfection

Use updated antivirus software to remove this malware from an infected machine.
Esafe has provided a free cleaning utility for Homepage.

While not recommended, users may attempt to manually remove this malware from their machine by doing the following:

Remove any occurrence of "HOMEPAGE.HTML.VBS" from all media.
Delete any emails with the subject "Homepage" or the "HOMEPAGE.HTML.VBS" attachment.
Perform a backup of the registry and then remove the registry key from Homepage if present, HKEY_CURRENT-USER\Software\An\Mailed.
Remove Windows Scripting Host from machines that do not require it for normal operations to lower the risk of infection from malware.

---------------------------
Cheers
Thunda
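The mail-side cleanup step in the post above (find messages with the subject "Homepage" or the "HOMEPAGE.HTML.VBS" attachment) can be scripted over stored messages. This is an added example, not part of the original post or any vendor tool; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory, compared case-insensitively.
SUBJECT = "homepage"
ATTACHMENT = "homepage.html.vbs"

def homepage_indicators(raw_bytes):
    """Return which advisory indicators one RFC 822 message carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # walk() also covers nested multipart bodies
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def scan(messages):
    """Map message index -> indicators, for messages that match at all."""
    found = {}
    for i, raw in enumerate(messages):
        hits = homepage_indicators(raw)
        if hits:
            found[i] = hits
    return found

def _sample(subject, filename=None):
    """Build a constructed test message; the attachment body is inert text."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("Hi")
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLES = [
    _sample("Homepage", "homepage.HTML.vbs"),     # both indicators
    _sample("Quarterly report", "report.doc"),    # clean
    _sample("Fw: look", "HOMEPAGE.HTML.VBS"),     # attachment only
    _sample("homepage"),                          # subject only
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES).items():
        print(idx, hits)
```

A subject-only hit is weak evidence by itself, since "Homepage" is an ordinary word; the attachment name is the stronger of the two indicators.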
