
From our IT group

This is an alert regarding another virus along the lines of the "Love Bug."  Technical details follow for those who are interested.

It was announced late last evening that a new strain of the "Love Bug" virus has been released.  The subject line will begin with "FW:" but anything after this could be different, as the virus will change itself to avoid detection. This virus is much more destructive than the previous virus: if the attachment on this e-mail is opened, your computer will need a complete rebuild.

Please use extra caution in opening any e-mail with an attachment.  If the e-mail is from someone you do not know, or if it is not something you are expecting, be sure you check it thoroughly before opening it.  If the mail comes from someone you do know, but are not expecting anything from, please call and check to be sure they sent you something before opening the attachment.

For more information, please see the following websites regarding news on this virus.,5594,2572365,00.html 

*** Begin Technical Jargon ***

The primary differences between this virus and the LoveLetter/LoveBug Virus are destructive power and the ability to change, or morph, to avoid detection.


The VBS.NewLove.A is a worm, and spreads by sending itself to all addressees in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .VBS extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.

This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.) The body of the email is empty. If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)

The contents of all files will be deleted, leaving the affected files with a byte length of zero. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups.
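
Because the worm's comment lines change on every infection, the message envelope traits described above (subject "FW: NAME", attachment "NAME.VBS", empty body) are the stable thing to filter on. The following is an added example, not part of the original alert: a mail-filter check in Python, where the function names, indicator labels and sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

def newlove_indicators(raw_bytes):
    """Return which of the alert's envelope traits a raw message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    if not subject.upper().startswith("FW:"):
        return []
    hits = ["subject-fw"]
    stem = subject[3:].strip().lower()   # "budget.xls", or ".doc" from NT/2000 senders
    names = [(p.get_filename() or "").strip() for p in msg.iter_attachments()]
    vbs = [n for n in names if n.lower().endswith(".vbs")]
    if vbs:
        hits.append("vbs-attachment")
    # Key trait: the attachment is the subject's file name plus ".VBS"
    if stem and any(n[:-4].lower() == stem for n in vbs):
        hits.append("subject-matches-attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    return hits

def should_quarantine(raw_bytes):
    """Hold the message when the subject/attachment pairing matches."""
    return "subject-matches-attachment" in newlove_indicators(raw_bytes)

def build_sample(subject, body, attachment_name):
    """Build a constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body or "\n")
    if attachment_name:
        m.add_attachment(b"placeholder bytes, not script code\n",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [
        build_sample("FW: budget.xls", "", "budget.xls.VBS"),        # pattern from the alert
        build_sample("FW: .doc", "", ".doc.vbs"),                    # Windows NT/2000 form
        build_sample("FW: budget.xls", "See attached.", "budget.xls"),  # ordinary forward
    ]
    for raw in samples:
        print(should_quarantine(raw), newlove_indicators(raw))
```

A match is a reason to hold the message for review, not proof of infection; blocking .VBS attachments outright at the gateway covers the same ground more bluntly.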