Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Help

 
Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

Help has the following main effects:

  • It modifies files with the following extensions: HTM, HTM, ASP, VBS and HTT.
  • It looks for and deletes files with a DLL or EXE extension.

Infection strategy 

Help creates the following files:

  • HELP.HTA and HELP.VBS, in the first folder found on the C: drive.

    These files contain the virus code and are used to infect the system.

  • HELP.HTM, in the Windows directory.

    If the desktop is configured to be viewed as a Web page, Help will use this file to run automatically on every system start-up.

  • UNTITLED.HTM. The worm sets this file as the default stationary of every message that is sent out, in order to infect other computers.

Help modifies the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Control Panel\Desktop\wallPaper=

    "C:\WINDOWS\Help.htm”

    With this modification, the virus sets the HELP.HTM file as the Desktop wallpaper.

  • HKEY_CURRENT_USER\Identities\{USERID}\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML="1"
  • HKEY_CURRENT_USER\Identities\{USERID}\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery="1"
  • HKEY_CURRENT_USER\Identities\{USERID}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name="C:\WINDOWS\Untitled.htm".

    With the las three modifications, the worm sets the UNTITLED.HTM file as the stationary of every message that is sent out through Outlook Express.

The {USERID} value depends on the currently active user. This value is obtained from the following registry entry:

  • HKEY_CURRENT_USER\Identities\Default User ID="{USERID}"
  • HKEY_CURRENT_USER\Software\Help\Count="x".

This is a counter that indicates the number of times that the virus has run.

  • HKEY_CURRENT_USER\Software\Help\FileName="filename".

    Where "filename" is a value that refers to the name and path of the file the worm is currently infecting.

  • HKEY_CURRENT_USER\Software\Help\wallPaper="C:\WINDOWS\Help.htm".

    Through this entry, the worm ensures it is run every time the system is started up (if the desktop is configured to be viewed as a Web page).  

Help also carries out the following actions:

  • It runs automatically and infects files with the following extensions: HTML, HTM, ASP, VBS and HTT. The code in these files is modified so that the text “Rem I am sorry! Happy time” is added to their original content.   
  • Once activated, Help checks the system date stamp, and if the sum of the day plus the month value equals 13, the worm tries to look for and delete files with the DLL and EXE extensions.

Means of transmission 

Help uses the Outlook Express program to spread, in the following way:

  • Help reaches computers hidden in an e-mail message, the infection code is in the HTML file that serves as stationery for the message.
  • Help goes into action when the content of the message is viewed (through Outlook’s Preview Pane), even if there is no attached file. Help will also run if the message is opened.
  • Once activated, Help creates two files , HELP.HTA and HELP.VBS, in the computer. These files contain the virus code.
  • If the option that allows the Desktop to be viewed as a Web page is enabled, Help will copy the HELP.HTM file to the system and runs it. As a result, this file is set as the Desktop wallpaper.
  • Help searches for and infects every file with an HTT extension that it finds in the Windows Web directory. This directory stores the HTML views of System folders.         
  • Every time the affected user sends a message from Outlook Express, the body of the message contains the Help code.

Further Details  

Help is written in the Visual Basic Script programming language.