VBS.HappyTime.A@mm

MEDIUM
HIGH
(N/A)

Symptoms

The presence of any of the following files in the root directory: C:\Help.vbs, C:\Help.htm or C:\Help.hta.

Removal instructions:

BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.

  1. If you don't have BitDefender installed, click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following keys:
      HKCU\Software\Help\FileName
      HKCU\Software\Help\Count

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with VBS.HappyTime.A@mm.

Analyzed By

Mihaela Stoian, BitDefender Virus Researcher

Technical Description:

The virus copies itself to the file C:\Windows\Untitled.htm.

If the virus is contained in a .vbs file, it copies itself to C:\Help.vbs and executes this script every 10 seconds.

If the virus is contained in a .htm or .html file, it copies itself to C:\Help.htm. If the virus is contained in a "text_info" file, it copies itself to C:\Help.hta. In that case the document title is I am sorry!.

It counts the number of virus executions in the registry key HKCU\Software\Help\Count. It creates and infects a .htm file with the same name as the current wallpaper. This file will be displayed as wallpaper at system restart, and the script will be executed.

If the number of the current day plus the number of the current date is 13, it deletes all the .exe and .dll files.

The worm infects .vbs, .htm, .html, and .asp files on all the drives of the system. To do that, it records the last infected file in the registry key:

HKCU\Software\Help\FileName.

It sends an email to every address from the MS Outlook folders. The subject of the email is Help. It sends its copy as an attachment named Untitled.htm. It also sends an email, with the same subject and attachment, to every address contained in .html files on all the drives of the system. It finds these addresses by looking for "mailto: address" in the .html files.

It sends an email to every address found in received mail. The subject of the email is Fw: followed by the original subject. It sends its copy as an attachment named Untitled.htm. It also sends this email to every address that appears as mailto: address in .html files.
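The file and registry indicators described above can be checked read-only before any cleanup. The PowerShell below is an added example, not BitDefender's tooling: the function name Get-HappyTimeIndicators is hypothetical, and the wallpaper check assumes the wallpaper path is the Wallpaper value under HKCU\Control Panel\Desktop and that the infected .htm file sits beside the wallpaper image.

```powershell
# Read-only triage for the VBS.HappyTime.A@mm indicators listed on this page.
# Run it in the affected user's session: the registry entries live under HKCU.
function Get-HappyTimeIndicators {
    $hits = @()

    # Dropped copies named in the Symptoms and Technical Description sections.
    $files = 'C:\Help.vbs', 'C:\Help.htm', 'C:\Help.hta', 'C:\Windows\Untitled.htm'
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $when = (Get-Item -LiteralPath $f -Force).LastWriteTime
            $hits += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = $when }
        }
    }

    # Execution counter and last-infected-file marker under HKCU\Software\Help.
    # The page calls them keys; check for both a named value and a subkey.
    $key = 'HKCU:\Software\Help'
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in 'Count', 'FileName') {
            if ($props.PSObject.Properties.Name -contains $name) {
                $hits += [pscustomobject]@{ Type = 'RegValue'; Item = "$key\$name"; Detail = $props.$name }
            }
            if (Test-Path -LiteralPath "$key\$name") {
                $hits += [pscustomobject]@{ Type = 'RegKey'; Item = "$key\$name"; Detail = '' }
            }
        }
    }

    # Wallpaper check (assumption, see lead-in): an HTML wallpaper, or a .htm
    # file with the same base name as the wallpaper image, deserves a look.
    $desk = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
    $wp = $desk.Wallpaper
    if ($wp) {
        if ($wp -match '\.html?$') {
            $hits += [pscustomobject]@{ Type = 'Wallpaper'; Item = $wp; Detail = 'wallpaper is an HTML file' }
        }
        $twin = [System.IO.Path]::ChangeExtension($wp, '.htm')
        if ($twin -ne $wp -and (Test-Path -LiteralPath $twin -PathType Leaf)) {
            $hits += [pscustomobject]@{ Type = 'Wallpaper'; Item = $twin; Detail = '.htm file named after wallpaper' }
        }
    }
    return $hits
}

# No output means none of the listed indicators were found for this user.
Get-HappyTimeIndicators | Format-Table -AutoSize
```

A hit is a reason to run the full scan from step 4, not proof of infection by itself, since a file named Untitled.htm or a Software\Help key can exist for unrelated reasons.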