VBS/Soraci

Date Discovered: 5/9/2003
Date Added: 2/25/2004
Origin: Unknown
Length: Varies
Type: Virus
SubType: VbScript

This is a file infecting VBScript virus that infects files with extension HTT, HTM, and HTML. When run, the virus will create or modify the following registry keys to change the Internet Explorer start page:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.(address neutered) .com/hedda_marie_tolentino/index.htm
The virus creates the following files:

%SysDir%\icarOs.dll (2,824 bytes)
%SysDir%\icarOs2.dll (3,748 bytes)
%SysDir%\scanregw.vbe (3,718 bytes)
(Where %SysDir% is the Windows System directory on the system, for example c:\WINDOWS\SYSTEM.)

A registry entry is also created to run the virus on Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe
This virus has a malicious payload to restart Windows continuously if the date is September 26.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101049