Happytime

Classification

Malware

Worm

VBS

Happytime, VBS/Help, VBS/Haptime@MM

Summary

VBS/Happytime is a VBS worm that propagates in two different ways - as a slow worm similar to JS/Kak, and as a fast worm - mass mailer.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Variant:Happytime.A

Happytime first drops following files that contain the virus code:

help.hta

 help.htm

 help.vbs

Then it executes its payload, that activates if the sum of the day and the month is 13. At this time it deletes all files with extension ".dll" or ".exe".

Happytime.A uses a counter, and when it reaches number 366, then the worm sends itself replying to all messages listed in Outlook Inbox with a following message:

  Subject:    Fw:      Attachment: Untitled.htm  

or

Subject:

Fw:Attachment: Untitled.htm

where "Untitled.htm" is another file where the virus saves its code.

Next the worm replaces the current wallpaper with "Help.htm" via registry.

Happytime.A then prepares the system to send itself as a slow worm using Outlook Express 5.0. To do this, it creates a stationary that contains the worm code.

Finally the worm infects all files with ".htt" extension in the "\WEB" directory located in the Windows installation directory. Therefore the worm is executed each time when a folder viewed as a web page.

On the top of its code, the worm contains the following commented line:

Subject:

Fw:Attachment: Untitled.htm