This is a new one, that is starting to wreak havoc. It attacks all your files,
not just JPEGs, MP3s, etc., as LoveBug did. Plus, it randomly produces
subject lines and a few lines of text, so you can't look for a trademark
phrase. The key is looking at your attachment. Never open .VBS files. I've
never seen a good one. Also, be cautious with .exe files.
Here is what Symantec had to say:
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.fw.a.html
VBS.NewLove.A
Last updated 5/18/00 5:34pm PST
SARC, in conjunction with other anti-virus vendors, has renamed this worm
from VBS.LoveLetter.FW.A to VBS.NewLove.A.
The VBS.NewLove.A is a worm, and spreads by sending itself to all addressees in
the Outlook address book when it is activated. The attachment name is
randomly chosen, but will always have a .VBS extension. The subject header
will begin with "FW: " and will include the name of the randomly chosen
attachment (excluding the .VBS extension). Upon each infection, the worm
introduces up to 10 new lines of randomly generated comments in order to
prevent detection.
Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER,
VBS.Loveletter.FW.A
Category: Worm
Infection length: Variable
Virus definitions: 05/18/2000 (release time pending)
Threat assessment:
Damage: High
Distribution: High
Wildness: Medium
Wild
Number of infections: More than 1000
Number of sites: 3-9
Geographic distribution: Medium
Threat containment: Moderate
Removal: Difficult
Damage
Payload: Overwrites files
Payload trigger: .VBS email attachment is executed
Large scale e-mailing: Sends itself to all addresses in Microsoft Outlook
Address Book
Modifies files: Overwrites every file on the system that is not currently in
use including mapped local drives. Files in the root directory of any drive
will not be affected.
Degrades performance: Could clog email servers
Causes system instability: Overwrites critical system files
Distribution
Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext is derived
from the user's recently opened documents list)
Name of attachment: Variable; "filename.ext.vbs" (where filename.ext is derived
from the user's recently opened documents list)
Size of attachment: Variable
Target of infection: Overwrites all files that are not currently in use
regardless of extension.
Shared drives: Will overwrite files on all mapped local drives (with the
exception of files in root directories)
Technical description:
This polymorphic Loveletter variant will overwrite ALL files that are not
currently in use regardless of extension. It arrives as an email message with
a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS"
(where FILENAME.EXT is derived from the infected user's recently opened
documents list.) The body of the email is empty. If no documents have been
used recently, this name is randomly generated. If the message has been
generated by a system running Windows NT or Windows 2000, then the filename
will be omitted and the subject of the message will be "FW: .EXT" and the
attachment name will be ".EXT.VBS" (again, the file extension will vary
depending on the recently opened documents list of infected machines.)
Removal:
The contents of all files will be deleted, leaving the affected files with a
byte length of zero. The worm will also append the extension '.vbs' to each of
these files. For example, the file calc.exe will become calc.exe.vbs. Since
this worm overwrites all files regardless of extension, proper removal can
only be achieved by restoring the affected files from known clean backups.
Write-up by: Andy C.
Updated: 05/18/2000
--
Renee Cordrey, MSPT, CWS
---
"Sometimes I do get to places just when God's ready to have somebody click the shutter."
Ansel Adams
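
Added example, not part of the original message or of Symantec's write-up: a mail-filter check for the traits described above (a .VBS attachment, a subject of "FW: " plus the attachment name without .VBS, a double extension, an empty body), including the Windows NT/2000 case where only ".EXT" remains. The function names, reason labels, and sample addresses are assumptions made for illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage


def newlove_indicators(raw_message: bytes) -> set:
    """Return the advisory traits this message matches (empty set = none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    reasons = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name.lower().endswith(".vbs"):
            continue
        reasons.add("vbs-attachment")
        stem = name[:-4]  # attachment name without the trailing .vbs
        # Subject is "FW: " + attachment name minus .VBS; on NT/2000 senders
        # the stem is only an extension such as ".doc".
        if subject == ("fw: " + stem).lower():
            reasons.add("subject-mirrors-attachment")
        if "." in stem:
            reasons.add("double-extension")
    if reasons:
        # The advisory says the body is empty; only meaningful with a .vbs hit.
        body = msg.get_body(preferencelist=("plain",))
        if body is None or not body.get_content().strip():
            reasons.add("empty-body")
    return reasons


def build_sample(subject: str, filename: str, body: str = "\n") -> bytes:
    """Build a constructed test message; the attachment is inert placeholder text."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"' constructed placeholder\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("FW: budget.xls", "budget.xls.vbs"),
                        ("FW: .doc", ".doc.vbs"),
                        ("FW: budget.xls", "budget.xls")]:
        print(subj, fname, sorted(newlove_indicators(build_sample(subj, fname))))
```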