- 0 Talk
-
Homepage
| Homepage | |
| Type | Email worm |
|---|---|
| Creator | |
| Date Discovered | 2001.05.09 |
| Place of Origin | |
| Source Language | Visual Basic |
| Platform | Windows Scripting Host |
| File type(s) | .vbs |
| Infection length | |
| Reported costs | |
Homepage is an encrypted VBS worm. It runs on the Windows Scripting Host, which is installed in Windows 2000 and 98 by default.
Behavior
Edit
Homepage arrives in an email message with a subject line of "Homepage". The message body says "Hi! You've got to see this page! It's really cool ;O)". When the attachment is executed, it decrypts and copies itself to a temporary folder. It checks the MS Outlook address book for email addresses and sends a copy of its email to them with a copy of itself.
When it is finished, it creates the registry key HKCU\software\An\mailed and adds the value of 1 to it. When the worm is run a second time, it will not mail itself and will delete all messages in the inbox with "Homepage" as a subject line. It also displays one of the following pages:
- http://hardcore.pornbillboard.net/shannon/1.htm
- http://members.nbci.com/_XMCM/prinzje/1.htm
- http://www2.sexcropolis.com/amateur/sheila/1.htm
- http://sheila.issexy.tv/1.htm
SourcesEdit
Eset Antivirus, VBS/Homepage.A.
Kaspersky Lab. Securelist.com, Email-Worm.VBS.Homepage.
