SC - LOVEBUG redux - yet another one!

Michael Newton melcnewt at netins.net
Fri May 19 08:01:19 PDT 2000


Sieggy,
thanks for the information you've been sending out.  One question,
however.  I understood from the blurbs on TV news this morning that it
only affects those with MS Outlook as their mail server.  I have MS
Outlook on my machine, but never use it...it's only there because of
that infernal packaging thing that MS does.  Is there any possibility I
could get this virus?

Kiri

Siegfried Heydrich wrote:


         Please read! This one is extremely difficult to detect, as it picks
    up a title from the infected sender's document list and makes it appear as
    though it's simply a forwarded document. This program also alters itself
    each time it replicates, so as to avoid detection by anti-virus
    packages. If you get an e-mail with FW: ANYTHING.EXT and an
    attachment, delete it immediately. DO NOT OPEN IT! This one kills every
    file on your drive, and THERE IS NO RECOVERY!!!! Everything goes to that
    Big Bit Bucket in the Sky.
    Sieggy

    VBS.NewLove.A

    Last updated 5/18/00 5:34pm PST

    SARC, in conjunction with other anti-virus vendors, has renamed this worm
    from VBS.LoveLetter.FW.A to VBS.NewLove.A.

    The VBS.NewLove.A is a worm, and spreads by sending itself to all
    addressees in the Outlook address book when it is activated. The attachment
    name is randomly chosen, but will always have a .VBS extension. The
    subject header will begin with "FW: " and will include the name of the
    randomly chosen attachment (excluding the .VBS extension). Upon each
    infection, the worm introduces up to 10 new lines of randomly generated
    comments in order to prevent detection.

    Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER,
    VBS.Loveletter.FW.A

    Category: Worm

    Infection length: Variable

    Virus definitions: 05/18/2000 (release time pending)

    Threat assessment:

      Damage: High
      Distribution: High
      Wildness: Medium

    Wild

       * Number of infections: More than 1000
       * Number of sites: 3-9
       * Geographic distribution: Medium
       * Threat containment: Moderate
       * Removal: Difficult

    Damage

       * Payload: Overwrites files
       * Payload trigger: .VBS email attachment is executed
            o Large scale e-mailing: Sends itself to all addresses in
              Microsoft Outlook Address Book
            o Modifies files: Overwrites every file on the system that is not
              currently in use including mapped local drives. Files in the
              root directory of any drive will not be affected.
            o Degrades performance: Could clog email servers
            o Causes system instability: Overwrites critical system files

    Distribution

       * Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext
         is derived from the user's recently opened documents list)
       * Name of attachment: Variable; "filename.ext.vbs" (where filename.ext
         is derived from the user's recently opened documents list)
       * Size of attachment: Variable
       * Target of infection: Overwrites all files that are not currently in
         use regardless of extension.
       * Shared drives: Will overwrite files on all mapped local drives (with
         the exception of files in root directories)

    Technical description:

    This polymorphic Loveletter variant will overwrite ALL files that are not
    currently in use regardless of extension. It arrives as an email message
    with a subject of "FW: FILENAME.EXT" and an attachment named
    "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's
    recently opened documents list.) The body of the email is empty. If no
    documents have been used recently, this name is randomly generated. If the
    message has been generated by a system running Windows NT or Windows 2000,
    then the filename will be omitted and the subject of the message will be
    "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file
    extension will vary depending on the recently opened documents list of
    infected machines.)

    Removal:

    The contents of all files will be deleted, leaving the affected files with
    a byte length of zero. The worm will also append the extension '.vbs' to
    each of these files. For example, the file calc.exe will become
    calc.exe.vbs. Since this worm overwrites all files regardless of
    extension, proper removal can only be achieved by restoring the affected
    files from known clean backups.


    Write-up by: Andy C.
    Updated: 05/18/2000
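An added example, not part of Kiri's or Sieggy's messages nor of the Symantec write-up: Python that turns the indicators quoted above into three checks a mail administrator or responder could run. It covers (1) a gateway rule for the message shape the write-up describes (subject "FW: X", a single attachment "X.vbs", empty body, including the Windows NT/2000 form "FW: .EXT" / ".EXT.VBS"); (2) a comment-stripping fingerprint, so the up-to-10 random comment lines inserted at each infection do not change the script's hash; and (3) a disk triage that lists zero-byte files with ".vbs" appended to their original name (calc.exe -> calc.exe.vbs), i.e. the files that have to be restored from clean backups. Every message, script and file it handles is a constructed placeholder, and the function names, the example.org addresses and the regular expressions are this example's own assumptions, not anything from the write-up.

```python
"""Added example, not code from the mailing-list post or the Symantec write-up.
Every message, script and file below is a constructed placeholder."""
import hashlib
import os
import re
import tempfile
from email import message_from_string
from email.policy import default

# Subject "FW: <stem>" / attachment "<stem>.vbs"; NT/2000 senders produce
# "FW: .EXT" / ".EXT.VBS", so the stem may start with a dot.
SUBJECT_RE = re.compile(r"^FW:\s*(?P<stem>\S.*?)\s*$", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)  # comment-only line
DAMAGED_RE = re.compile(r"^(?P<orig>.+\.[^.]+)\.vbs$", re.IGNORECASE)  # calc.exe.vbs


def newlove_indicators(raw_message):
    """Gateway rule: a reason string if the message has the NewLove.A shape
    (FW: subject, one attachment '<stem>.vbs', empty body), else None."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg["Subject"] or "").strip()
    m = SUBJECT_RE.match(subject)
    if not m:
        return None
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if len(attachments) != 1 or attachments[0].lower() != (m.group("stem") + ".vbs").lower():
        return None
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip():
        return None  # the write-up says the body is empty
    return "NewLove.A shape: subject %r, attachment %r, empty body" % (subject, attachments[0])


def vbs_fingerprint(script):
    """SHA-256 of a script with blank and comment-only lines dropped, so variants
    that differ only in inserted comment lines (the polymorphism the write-up
    describes) hash identically. Inline trailing comments are not handled."""
    kept = [ln.rstrip() for ln in script.splitlines()
            if ln.strip() and not COMMENT_RE.match(ln)]
    return hashlib.sha256("\n".join(kept).encode("utf-8")).hexdigest()


def find_overwritten(root):
    """Disk triage: map each zero-byte '<name>.<ext>.vbs' under root to the
    original name it replaced, i.e. the files to restore from clean backups."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            m = DAMAGED_RE.match(fn)
            path = os.path.join(dirpath, fn)
            if m and os.path.getsize(path) == 0:
                hits[path] = m.group("orig")
    return hits


def constructed_message(subject, attachment_name, body):
    """Constructed multipart message; the attachment body is placeholder text."""
    return (
        "From: alice@example.org\nTo: bob@example.org\nSubject: %s\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain; charset=us-ascii\n\n%s\n"
        "--b1\nContent-Type: application/octet-stream\n"
        'Content-Disposition: attachment; filename="%s"\n\n'
        "' placeholder bytes, not a script\n--b1--\n"
    ) % (subject, body, attachment_name)


def demo_messages():
    """Run the gateway rule over three constructed messages; True means flagged."""
    samples = {
        "worm_shape": constructed_message("FW: BUDGET.XLS", "BUDGET.XLS.vbs", ""),
        "nt_sender": constructed_message("FW: .XLS", ".XLS.VBS", ""),
        "benign_forward": constructed_message("FW: report.doc", "report.doc", "See attached."),
    }
    return {name: newlove_indicators(raw) is not None for name, raw in samples.items()}


# Constructed harmless scripts; B is A plus random comment lines of the kind inserted per infection.
VARIANT_A = 'x = 1\nMsgBox "hello"\n'
VARIANT_B = "' jx8f2q\nx = 1\nRem zz91\n\n' end\nMsgBox \"hello\"\n"


def demo_triage():
    """Lay out constructed files the way the payload leaves them; return
    {basename: original name} for the ones the triage flags."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Program Files")
        os.makedirs(sub)
        for name, data in [("calc.exe.vbs", b""), ("notes.txt.vbs", b""),
                           ("logon.vbs", b"' a real script"), ("readme.txt", b"ok")]:
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): o for p, o in find_overwritten(root).items()}
```

The gateway rule is deliberately narrow so the pattern is visible; since the write-up says the attachment always carries a .VBS extension, quarantining every .vbs attachment at the gateway is the simpler and more robust control. The fingerprint only removes whole comment lines, which is the form of polymorphism the write-up describes; a trailing comment on a code line would need a real tokenizer. Note also that the write-up's payload trigger is the .VBS attachment being executed, and Outlook figures only in how the worm spreads (it mails itself to the Outlook address book), so the triage and the gateway rule apply regardless of which mail client a recipient uses.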



More information about the Sca-cooks mailing list