Administrivia - Variant of the ILOVEYOU Worm
Paul Cowley
pcowley at TERPSNET.COM
Fri May 19 17:20:26 UTC 2000
Greetings.
Apologies to those receiving multiple copies of this message.
The following is in plain vanilla text format. There is no attachment
associated with this message. No fear of infection.
Once again folks; get into the habit of practising safe computing.
Below is a recent update regarding the latest worm. Please read. Be
careful out there!
_____
Last updated 5/18/00 5:34pm PST
SARC, in conjunction with other anti-virus vendors, has renamed this
worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.
The VBS.NewLove.A is a worm, and spreads by sending itself to all
addressees in the Outlook address book when it is activated. The
attachment name is randomly chosen, but will always have a .VBS
extension. The subject header will begin with "FW: " and will include
the name of the randomly chosen attachment (excluding the .VBS
extension). Upon each infection, the worm introduces up to 10 new lines
of randomly generated comments in order to prevent detection.
Damage
Payload: Overwrites files
Payload trigger: .VBS email attachment is executed
Large scale e-mailing: Sends itself to all addresses in
Microsoft Outlook Address Book
Modifies files: Overwrites every file on the system that is not
currently in use including mapped local drives. Files in the root
directory of any drive will not be affected.
Degrades performance: Could clog email servers
Causes system instability: Overwrites critical system files
Distribution
Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext
is derived from the user's recently opened documents list)
Name of attachment: Variable; "filename.ext.vbs" (where
filename.ext is derived from the user's recently opened documents list)
Size of attachment: Variable
Target of infection: Overwrites all files that are not currently in
use regardless of extension.
Shared drives: Will overwrite files on all mapped local drives
(with the exception of files in root directories)
Technical description:
This polymorphic Loveletter variant will overwrite ALL files that are
not currently in use regardless of extension. It arrives as an email
message with a subject of "FW: FILENAME.EXT" and an attachment named
"FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected
user's recently opened documents list.)
The body of the email is empty. If no documents have been used
recently, this name is randomly generated. If the message has been
generated by a system running Windows NT or Windows 2000, then the
filename will be omitted and the subject of the message will be "FW:
..EXT" and the attachment name will be ".EXT.VBS" (again, the file
extension will vary depending on the recently opened documents list of
infected machines.)
_____
--
Up thumb, Paul Cowley
mailto:PCowley at terpsnet.com
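
A mail-gateway check for the message traits listed in the technical description above, as an added example that is not part of the original message or the SARC advisory. The function names, trait labels and sample messages are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def newlove_traits(raw):
    """Return which traits from the advisory a raw RFC 5322 message shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip()
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    vbs_names = [n for n in names if n.lower().endswith(".vbs")]
    traits = []
    if vbs_names:
        traits.append("vbs-attachment")
    if subject.upper().startswith("FW:"):
        # Subject is "FW: <name>", attachment is "<name>.VBS". Leading dots
        # are ignored so the Windows NT/2000 form with no file name matches.
        stem = subject[3:].strip().lstrip(".").lower()
        if stem and any(n[:-4].lstrip(".").lower() == stem for n in vbs_names):
            traits.append("subject-matches-attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    if vbs_names and (body is None or not body.get_content().strip()):
        traits.append("empty-body")
    return traits


def build_sample(subject, attachment, body=""):
    """Constructed test message; the attachment payload is inert text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(b"placeholder, not script code\n", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att, body in [("FW: budget.xls", "budget.xls.vbs", ""),
                            ("FW: ..doc", ".doc.vbs", ""),
                            ("FW: budget.xls", "budget.xls", "See attached.")]:
        print(subj, att, newlove_traits(build_sample(subj, att, body)))
```

A message showing all three traits is a strong candidate for quarantine; a .VBS attachment alone is worth blocking at the gateway regardless of the subject line.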