(S/Fortnight-B, JS/FortNight.B)


  • File s.htm in Windows folder containing
  • File hosts in Windows folder containing and
  • Registry key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\= ""
  • Removal instructions:

    1. If you don't have BitDefender installed click here to download an evaluation version.

    2. Make the following changes in the Windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;
      2. Delete the following key:
        [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\= ""]

    3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with JS.Fortnight.B@mm.

    Analyzed By

    Patrik Vicol BitDefender Virus Researcher

    Technical Description:

    The mass-mailer arrives in infected e-mails that carry an s.htm file as their signature. When the infected e-mail is opened, the virus uses an IFRAME to remotely execute its infector (another HTML file) and infects the current user.

    Once run, the virus modifies the registry keys:

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab=1
    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab=1
    This way, any URL entered in Internet Explorer will be redirected through the URL above.

    It drops the file s.htm in the Windows folder and sets all Outlook signature files to s.htm.

    Creates file hosts in Windows folder thus subverting to two IP addresses: and any of the following URLs:
    as well as mt.??? where ??? is a number in the range 1..200
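
A read-only check for the indicators this description lists (the DefaultPrefix registry value, the two Internet Explorer policy values, and the s.htm and hosts files in the Windows folder), added here as an example and not part of the original write-up. It assumes `http://` is the stock DefaultPrefix value; the variable names are illustrative.

```powershell
# Added example: reports the indicators named in this description.
# It only reads the registry and file system; it changes nothing.
$findings = @()

# 1. URL prefix. Assumption: a clean system has 'http://' as the default value.
$prefixKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'
if (Test-Path -LiteralPath $prefixKey) {
    # GetValue('') returns the key's (Default) value.
    $prefix = (Get-Item -LiteralPath $prefixKey).GetValue('')
    if ($prefix -and $prefix -ne 'http://') {
        $findings += "DefaultPrefix is '$prefix' (expected 'http://')"
    }
}

# 2. Internet Explorer policy values that the description says are set to 1.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
foreach ($name in 'SecurityTab', 'AdvancedTab') {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -eq 1) {
        $findings += ('{0}\{1} = 1' -f $policyKey, $name)
    }
}

# 3. Files dropped in the Windows folder. On NT-based Windows the resolver
#    reads system32\drivers\etc\hosts, so a 'hosts' file directly in the
#    Windows folder is unexpected and worth inspecting.
foreach ($file in 's.htm', 'hosts') {
    $path = Join-Path $env:windir $file
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += "File present: $path"
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings
}
```

Run it as the affected user, because the policy values live under HKCU and are per-user.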