Welcome to the Virus Encyclopedia of Panda Security.
Alias: San.A, San.A-m, VBS/San.A-m, HERNOBYL, SPACEFI, San Valentín, Happy San Valentín
It modifies names of directories, deletes files in the root directory of the hard disk, sends messages to mobile phones chosen at random and changes the Internet Explorer homepage. It spreads via e-mail and IRC.
Detection updated on: Dec. 26, 2003
San is a worm that changes the Internet Explorer homepage.
San renames directories by appending the text string happysanvalentin to their names. It also deletes files in the root directory of the hard disk and sends messages to mobile phones chosen at random.
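A read-only check for the directory renaming described above, as an added example that is not part of the original entry: it lists directories whose names end in happysanvalentin, the name each presumably had before, and whether that name is already taken. The case-insensitive match, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Marker string taken from the description above. Matching it case-insensitively
# is an assumption, since Windows file systems do not distinguish case.
MARKER = "happysanvalentin"


def find_renamed_dirs(root):
    """Return (current_path, presumed_original_path, conflict) for each
    directory under root whose name ends with MARKER. Nothing is modified."""
    findings = []
    for parent, dirnames, _files in os.walk(root):
        for name in sorted(dirnames):
            if not name.lower().endswith(MARKER):
                continue
            original = name[: len(name) - len(MARKER)]
            current = os.path.join(parent, name)
            if not original:
                # The whole name is the marker: there is no name to restore.
                findings.append((current, None, False))
                continue
            target = os.path.join(parent, original)
            # A conflict means the original name is already occupied, so a
            # blind rename back would fail or merge unrelated content.
            findings.append((current, target, os.path.lexists(target)))
    return sorted(findings, key=lambda item: item[0])


def demo():
    """Build a constructed directory tree and report on it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Docs" + MARKER, "Photos", "Photos" + MARKER,
                    os.path.join("Docs" + MARKER, "Taxes" + MARKER), MARKER):
            os.makedirs(os.path.join(root, rel))
        return [(os.path.relpath(cur, root),
                 os.path.relpath(orig, root) if orig else None, conflict)
                for cur, orig, conflict in find_renamed_dirs(root)]


if __name__ == "__main__":
    for current, original, conflict in demo():
        print(current, "->", original, "(conflict)" if conflict else "")
```

Nested hits are reported relative to their still-renamed parent, so any restoration based on this report has to proceed from the deepest directories upward.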
In addition, San spreads via e-mail, hidden in the HTML code of the AutoSignature of messages sent from the affected computer. It can also spread by automatically sending itself out through IRC chat channels.
It is very easy to become affected by San, as it is automatically activated when the message is viewed in the Outlook Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows files attached to e-mail messages to be run automatically.
San exploits the Scriptlet.TypeLib vulnerability, which is critical for Microsoft Internet Explorer 4.0 and 5.0. If you have Microsoft Internet Explorer 4.0 or 5.0, it is highly recommended that you download the security patches for this vulnerability from the Microsoft website.
San is easy to recognize, as it displays the following MS-DOS windows on screen once it has been executed:
Then, San carries out several actions in the background, and displays the following window: