VBS/Horty.a@MM

User solutions

Corporate solutions

Featured product

VIRUS NAME : VBS/Horty.a@MM

Virus Characteristics

This threat is detected as VBS/Pica.worm.gen. The virus may arrive as an email attachment JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs and will send an email using Outlook to all recipients in the Contact Folder in the following format:

Subject: Jenna Jameson pornostar free superfuck+photo addresses
Body: Do you wanna see super pornostar,Jenna Jameson,in a special superfuck? Double click on the attachment of this mail,and get also some interesting sex-sex-sex addreses... "
Attachment: JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs

If the virus was executed from the A:\ or B:\ drive, it will copy itself to c:\x-FUCK.TXT.vbs. It then copies the following infected files to the Windows Directory: kernel32.vbs and JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs, ALEXIA.TXT.vbs to the Windows System Directory, and Natasa.TXT.vbs to the Windows Temp Directory. The following infected files can be created on A: or B: drive:

KISSme.TXT.vbs
PUSSY.TXT.vbs
x-FUCK.TXT.vbs
2TITS.TXT.vbs
myDICK.TXT.vbs
PORN.TXT.vbs
UFOxxx.TXT.vbs
ALIENS.TXT.vbs
theBAR.TXT.vbs
DrDICK.TXT.vbs

The following registry key is added so that the virus will run on the next boot up of the system:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUpdate kernel32.vbs

A text file JENNA-JAMESON-FREE-SUPERFUCK.txt is created in the Windows Directory and then opened in Notepad. VBS/Horty.a@MM also uses an infection counter in HKLM\SOFTWARE\WUpdate, and will send emails out 4 times from an infected machine. If the day is 13th of May, the virus will delete the Windows directory. If the day is 12th of May, the following message will be displayed:

Symptoms

The above message displayed on the 12th of May. The deletion of the Windows directory on the 13th of May. The above registry change and the presence of some the following files: