Threat Descriptions

Happytime

Classification

Category :

Malware

Type :

Worm

Platform :

VBS

Aliases :

Happytime, VBS/Help, VBS/Haptime@MM

Summary

VBS/Happytime is a VBS worm that propagates in two different ways - as a slow worm similar to JS/Kak, and as a fast worm - mass mailer.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Happytime.A

Happytime first drops following files that contain the virus code: 

help.hta

 help.htm

 help.vbs

Then it executes its payload, that activates if the sum of the day and the month is 13. At this time it deletes all files with extension ".dll" or ".exe".

Happytime.A uses a counter, and when it reaches number 366, then the worm sends itself replying to all messages listed in Outlook Inbox with a following message: 

  Subject:    Fw:      Attachment: Untitled.htm

or

Subject:

Fw:Attachment: Untitled.htm

where "Untitled.htm" is another file where the virus saves its code.

Next the worm replaces the current wallpaper with "Help.htm" via registry.

Happytime.A then prepares the system to send itself as a slow worm using Outlook Express 5.0. To do this, it creates a stationary that contains the worm code.

Finally the worm infects all files with ".htt" extension in the "\WEB" directory located in the Windows installation directory. Therefore the worm is executed each time when a folder viewed as a web page.

On the top of its code, the worm contains the following commented line: 

Subject:

Fw:Attachment: Untitled.htm