The information below has been taken from the Symantec web site. It has been placed here for your convenience because the Symantec servers are frequently busy. If you would like more information, please visit www.symantec.com.

VBS.NewLove.A

Last updated 5/19/00 6:00am PDT
SARC, in conjunction with other anti-virus vendors, has renamed this worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.

VBS.NewLove.A is a worm that spreads by sending itself to all addresses in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .VBS extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.

Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A

Category: Worm

Infection length: Variable

Virus definitions: May 18, 2000 (available)

Threat assessment:

Wild

Damage

Distribution

  • Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
  • Name of attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
  • Size of attachment: Variable
  • Target of infection: Overwrites all files that are not currently in use regardless of extension.
  • Shared drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)

Technical description:

This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.) The body of the email is empty. If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)
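
As an added example (not part of the Symantec write-up), the mail pattern described above can be written as a gateway-side check: a subject of "FW: NAME" paired with an attachment named "NAME.vbs", including the Windows NT/2000 case where NAME is only ".EXT". The function names, the sample messages and the case-insensitive comparison are assumptions made for illustration.

```python
from email.message import EmailMessage


def check_message(msg):
    """Return {'attachment', 'empty_body'} if msg fits the write-up's pattern, else None."""
    subject = (msg.get("Subject") or "").strip()
    if not subject.upper().startswith("FW:"):
        return None
    wanted = subject[3:].strip().lower()  # "filename.ext", or ".ext" from NT/2000 senders
    if not wanted:
        return None
    # The write-up says the body is empty; report it as a supporting signal.
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or not body.get_content().strip()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Case-insensitive compare is an assumption; the write-up shows both cases.
        if name.lower() == wanted + ".vbs":
            return {"attachment": name, "empty_body": empty_body}
    return None


def build(subject, body, attachment_name):
    """Build a constructed sample message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"' placeholder, not worm code\n", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m


# Constructed samples: two that fit the described pattern, two that do not.
SAMPLES = {
    "win9x": build("FW: budget.xls", "", "budget.xls.vbs"),
    "nt": build("FW: .DOC", "", ".DOC.VBS"),
    "benign": build("FW: budget.xls", "See attached.", "budget.xls"),
    "unrelated": build("FW: meeting notes", "", "macro.vbs"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(label, check_message(m))
```

Because the attachment name changes with every infected machine, the check keys on the relationship between subject and attachment name rather than on any fixed string.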

Registry entries modified:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

The actual key name will be the filename that is attached to the email. However, for the Run key, it will be
randomname = WindowsSystemDir \ randomname.ext.VBS

and for the RunServices key, it will be
randomname = WindowsDir \ randomname.ext.VBS

Please also be aware it will create the files:

WindowsSysDir\randomname.Ext.VBS
WindowsDir\randomname.Ext.VBS

in addition to: WindowsSystemDir\RecentUsedFile.Ext.VBS

The term 'randomname' is the name of the file attachment of the email.

 

Removal:

The contents of all files will be deleted, leaving the affected files with a byte length of zero. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups. The user may need to reinstall the operating system as well since system files may have been destroyed.

Write-up by: Andy C.
Updated: 05/18/2000

