Message-ID: <000e01c0dae1$7e1e8500$0301000a@marvin>
From: "Alexander Lehmann" <lehmann AT nexgo DOT de>
To: <jmendez AT persystems DOT com>
Cc: <dj AT delorie DOT com>, <tony AT dictator DOT nt DOT tuwien DOT ac DOT at>, <jventer AT writeme DOT com>,
        <webmaster AT bloodshed DOT nu>, <salvador AT inti DOT gov DOT ar>, <set-soft AT usa DOT net>,
        <deef AT pobox DOT oleane DOT com>, <hsc AT techfak DOT uni-kiel DOT de>,
        <allegro AT canvaslink DOT com>, <listserv AT canvaslink DOT com>,
        <fsforder AT gnu DOT org>, <djgpp AT delorie DOT com>, <Ian AT shelob DOT force9 DOT co DOT uk>,
        <neldredge AT hmc DOT edu>, <brennan AT rt66 DOT com>, <mmastrac AT acs DOT ucalgary DOT ca>,
        <jan AT stack DOT nl>, <jules AT acris DOT demon DOT co DOT uk>, <hpa AT transmeta DOT com>,
        <gvelicha AT wam DOT umd DOT edu>, <mb002 AT hi DOT ft DOT hse DOT nl>, <george AT il DOT ft DOT hse DOT nl>,
        <sandmann AT clio DOT rice DOT edu>, <bill AT tanihwa DOT org DOT com>,
        <junaid AT barney DOT eng DOT monash DOT edu DOT au>, <turnbull AT shako DOT sk DOT tsukuba DOT ac DOT jp>,
        <rudd AT cyberoptics DOT com>, <alaric AT abwillms DOT demon DOT co DOT uk>,
        <listserv AT delorie DOT com>, <djgpp-request AT delorie DOT com>,
        <jhunter AT kendaco DOT telebyte DOT net>, <mar22 AT usa DOT net>, <indrek AT warp DOT edu DOT ee>,
        <richdawe AT bigfoot DOT com>, <orangy AT inetlab DOT com>, <acc AT asterix DOT inescn DOT pt>,
        <elf AT netcom DOT com>, <bowman AT montana DOT com>, <schultz AT ma DOT tum DOT de>,
        <nicolas AT bnp-eng DOT remcomp DOT com>, <jpdelprat AT teaser DOT fr>,
        <blp01 AT uow DOT edu DOT au>, <acmq AT coe DOT ufrj DOT br>, <Shawn AT talula DOT demon DOT co DOT uk>,
        <tntjpgriff AT tsnxt DOT co DOT uk>, <bg914 AT FreeNet DOT Carleton DOT CA>,
        <mrb8 AT waikato DOT ac DOT nz>, <snarfy AT goodnet DOT com>, <zager AT post DOT comstar DOT ru>,
        <blizzar AT hem DOT passagen DOT se>, <ppodsiad AT elka DOT pw DOT edu DOT pl>,
        <ST001906 AT HRZ1 DOT HRZ DOT TU-Darmstadt DOT De>, <jk55 AT cornell DOT edu>,
        <karuottu AT freenet DOT hut DOT fi>, <eliz AT is DOT elta DOT co DOT il>, <fighteer AT cs DOT net>,
        <grbhat AT unigoa DOT ernet DOT in>, <bodfish AT austen DOT notis DOT com>,
        <bdavidson AT ra DOT isisnet DOT com>, <Demmer AT LStM DOT Ruhr-Uni-Bochum DOT De>,
        <jae AT laden DOT ilk DOT de>, <x-aes AT telelogic DOT com>, <prime AT UDel DOT Edu>,
        <peter AT agnes DOT dida DOT physik DOT uni-essen DOT de>, <harbaum AT ibr DOT cs DOT tu-bs DOT de>,
        <Jim AT anolis DOT bnr DOT usu DOT edu>, <kheidens AT actrix DOT gen DOT nz>, <kvhk AT barco DOT com>,
        <ghogenso AT u DOT washington DOT edu>, <dbjh AT gmx DOT net>, <omega AT es DOT co DOT nz>,
        <kunst AT prl DOT philips DOT nl>, <yitzg AT idt DOT net>,
        <lehmann AT mathematik DOT tu-darmstadt DOT de>, <leisner AT sdsp DOT mc DOT xerox DOT com>,
        <randym AT acm DOT org>, <mallory AT wcug DOT vwu DOT edu>, <csmiller AT iname DOT com>,
        <naderr AT topaz DOT cqu DOT edu DOT au>, <nicolas AT JUPITER DOT saclay DOT cea DOT fr>,
        <ash AT cinf DOT usm DOT md>, <bpaddock AT execpc DOT com>, <peuha AT cc DOT helsinki DOT fi>,
        <prashant_tr AT yahoo DOT com>, <prins AT quark DOT cs DOT sun DOT ac DOT za>,
        <salters AT admin DOT fanshawec DOT on DOT ca>, <Shumw001 AT Cerritos DOT edu>,
        <ams AT ludd DOT luth DOT se>, <aes AT solia DOT gsfc DOT nasa DOT gov>, <ljt AT sierrasemi DOT com>,
        <nedu AT ee DOT washington DOT edu>, <waider AT waider DOT ie>, <terra AT diku DOT dk>,
        <awesley AT galaxy DOT anutech DOT com DOT au>, <Kbwms AT aol DOT com>,
        <mwood AT mhw DOT OIT DOT IUPUI DOT EDU>, <lehmann AT usa DOT net>
Subject: Fw: Computer Virus Information from a Friend!
Date: Sat, 12 May 2001 14:42:56 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Reply-To: djgpp AT delorie DOT com

Hi,

the Mail sent by Javier Mendez to the list contains the Happy Time Virus:


bye, Alexander

----- Original Message ----- 
From: <lehmann AT usa DOT net>
To: <lehmann AT nexgo DOT de>
Sent: Saturday, May 12, 2001 2:33 PM
Subject: Computer Virus Information from a Friend!


> Greetings, lehmann AT nexgo DOT de
> 
> I thought you would be interested in knowing about this computer Virus...
> 
> Name: VBS/Haptime AT MM
> 
> Characteristics:
> This Visual Basic Script virus will append itself to files, delete files,
> and can spread via embedded VBScript, contained in the body of HTML
> formatted email messages.
> When the script is permitted to run, the virus inserts itself at the end
> of .ASP, .HTM, .HTML, .HTT, and .VBS files. If the current day plus the
> current month is equal to 13, the virus attempts to delete .DLL and .EXE
> files on local and network drives.
> The virus saves its viral code to HELP.HTA and HELP.VBS in the first
> directory found on the C: drive, and to HELP.HTM and UNTITLED.HTM in the
> WINDOWS directory.
> A registry key value is created to set the HELP.HTM file to the current
> wallpaper which results in the execution of the virus at system startup,
> if active desktop is enabled:
> HKCU\Control Panel\Desktop\wallPaper=%WinDir%\HELP.HTM
> In a similar fashion to JS/Kak AT M, this virus configures the default
> stationary used by Microsoft Outlook Express to an external file,
> %WinDir%\UNTITLED.HTM. This causes each message sent from Outlook Express
> to contain hidden viral code. These setting are modified in the registry
> to accomplish this task:
> HKCU\Identities\(User ID)\Software\Microsoft\Outlook
> Express\5.0\Mail\Message Send HTML="1"
> HKCU\Identities\(User ID)\Software\Microsoft\Outlook
> Express\5.0\Mail\Compose Use Stationery="1"
> HKCU\Identities\(User ID)\Software\Microsoft\Outlook
> Express\5.0\Mail\Stationery Name="%WinDir%\Untitled.htm"
> Additionally, the .HTT files in the %WinDir%\WEB directory are infected,
> which results in the virus getting executed each time a folder is viewed
> as a web page.
> The virus keeps track of the number of times that it has been executed by
> creating a new registry key and incrementing a key value in this key:
> HKCU\Software\Help\
> Once the counter reaches a multiple of 366, the virus will unsuccessfully
> attempt to attach UNTITLED.HTM to the email message which it sends.
> 
> To check your system for this Virus, and to learn how to protect yourself
> from computer viruses, visit the McAfee.com Clinic at
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.
> 
> For complete information on this Virus, view McAfee.com's Virus
> Information Library listing at
> http://vil.mcafee.com/dispVirus.asp?virus_k=99080.
> 
> This email was sent to you by Alexander Lehmann
> 
>