SC - What to look for - new virus
Siegfried Heydrich
baronsig at peganet.com
Fri May 19 07:21:44 PDT 2000
Please read! This one is extremely difficult to detect, as it picks up a title from the infected sender's document list and makes it appear as though it's simply a forwarded document. This program also alters itself each time it replicates, so as to avoid detection by anti-virus packages.
If you get an e-mail with
FW: ANYTHING.EXT and an attachment, delete it immediately. DO NOT OPEN IT! This one kills every file on your drive, and THERE IS NO RECOVERY!!!! Everything goes to that Big Bit Bucket in the Sky.
Sieggy
VBS.NewLove.A
Last updated 5/18/00 5:34pm PST
SARC, in conjunction with other anti-virus vendors, has renamed this worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.
VBS.NewLove.A is a worm, and spreads by sending itself to all addressees in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .VBS extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.
Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A
Category: Worm
Infection length: Variable
Virus definitions: 05/18/2000 (release time pending)
Threat assessment:
  Damage: High
  Distribution: High
  Wildness: Medium

Wild
- Number of infections: More than 1000
- Number of sites: 3-9
- Geographic distribution: Medium
- Threat containment: Moderate
- Removal: Difficult
Damage
- Payload: Overwrites files
- Payload trigger: .VBS email attachment is executed
  - Large scale e-mailing: Sends itself to all addresses in Microsoft Outlook Address Book
  - Modifies files: Overwrites every file on the system that is not currently in use, including mapped local drives. Files in the root directory of any drive will not be affected.
  - Degrades performance: Could clog email servers
  - Causes system instability: Overwrites critical system files
Distribution
- Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
- Name of attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
- Size of attachment: Variable
- Target of infection: Overwrites all files that are not currently in use regardless of extension.
- Shared drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)
Technical description:
This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list). The body of the email is empty. If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines).
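A mail-gateway check for exactly the pattern the write-up describes (an added example, not code from the original mail or from Symantec's write-up; Message, matches_newlove and the sample values are constructed here): subject "FW: X", a single-attachment name "X.vbs", and an empty body, including the Windows NT/2000 form where X collapses to just ".EXT".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Subject is "FW: <name>", where <name> is the attachment name without its
# trailing ".vbs". On NT/2000 senders the base name is dropped, so the
# subject degenerates to "FW: .EXT" and the attachment to ".EXT.VBS".
SUBJECT_RE = re.compile(r"^FW:\s*(?P<name>\S.*)$", re.IGNORECASE)

# A NewLove attachment carries the original extension before the final
# ".vbs", e.g. "report.doc.vbs" or ".doc.vbs"; "script.vbs" alone does not match.
ATTACH_RE = re.compile(r"^(?P<stem>[^\\/]*\.[A-Za-z0-9]+)\.vbs$", re.IGNORECASE)


@dataclass
class Message:
    """Minimal, constructed view of a mail: subject, body text, attachment names."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def matches_newlove(msg: Message) -> Optional[str]:
    """Return the offending attachment name when the message shows the
    VBS.NewLove.A pattern from the write-up, otherwise None."""
    m = SUBJECT_RE.match(msg.subject.strip())
    if m is None:
        return None
    # The write-up states the body is empty; tolerate whitespace-only bodies.
    if msg.body.strip():
        return None
    expected = m.group("name").strip().lower()
    for name in msg.attachments:
        a = ATTACH_RE.match(name.strip())
        if a is None:
            continue
        # The subject text must equal the attachment name minus ".vbs"
        # (case-insensitively), which also covers "FW: .DOC" with ".DOC.VBS".
        if a.group("stem").lower() == expected:
            return name
    return None
```

A gateway would quarantine any message for which this returns a name; a non-empty body or a subject not starting with "FW: " is enough to fall outside the documented pattern.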
Removal:
The contents of all files will be deleted, leaving the affected files with a byte length of zero. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups.
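A post-infection triage helper built from the removal notes above (an added example, not from the original mail or the write-up; find_overwritten_candidates and the sample tree are constructed here): it walks a drive, picks out zero-byte files that carry an appended .vbs after an original extension, and reports the name each one should be restored under from backup, skipping the drive's root directory, which the write-up says is not touched.

```python
import os
import tempfile
from typing import Dict


def find_overwritten_candidates(root: str) -> Dict[str, str]:
    """Map each suspected victim (zero bytes, original extension followed by
    '.vbs', e.g. calc.exe.vbs) to the path it should be restored under."""
    candidates: Dict[str, str] = {}
    root_abs = os.path.abspath(root)
    for dirpath, _dirs, files in os.walk(root_abs):
        # Files directly in the drive root are left alone by the worm.
        if os.path.abspath(dirpath) == root_abs:
            continue
        for fname in files:
            if not fname.lower().endswith(".vbs"):
                continue
            original = fname[:-4]
            # Require an extension of its own (calc.exe), so a plain
            # zero-byte "login.vbs" is not mistaken for a victim.
            if "." not in original:
                continue
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) != 0:
                continue
            candidates[path] = os.path.join(dirpath, original)
    return candidates


def build_sample_tree() -> str:
    """Constructed throwaway tree imitating the aftermath in the write-up."""
    root = tempfile.mkdtemp(prefix="newlove_triage_")
    sub = os.path.join(root, "WINDOWS")
    os.makedirs(sub)
    open(os.path.join(sub, "calc.exe.vbs"), "wb").close()       # victim
    with open(os.path.join(sub, "notepad.exe"), "wb") as f:      # untouched
        f.write(b"MZ")
    with open(os.path.join(sub, "login.vbs"), "wb") as f:        # real script
        f.write(b"' legitimate script")
    open(os.path.join(root, "boot.ini.vbs"), "wb").close()       # root: skipped
    return root


if __name__ == "__main__":
    for victim, restore_as in find_overwritten_candidates(build_sample_tree()).items():
        print(f"restore {restore_as} from backup (found {victim})")
```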
Write-up by: Andy C.
Updated: 05/18/2000