PPRuNe Forums - View Single Post - New strain of Love-Bug virus - Read this!
Thread: New strain of Love-Bug virus - Read this!
View Single Post
Old 17th August 2000 | 18:38
  #2 (permalink)  
What_does_this_button_do?
Guest
 
Posts: n/a
Unhappy
From Symantec:
http://www.symantec.com/avcenter/ven...letter.bd.html

This worm is a distant variant of VBS.LoveLetter.A. It attempts to email itself to everyone in the Microsoft Outlook address book. This worm comes as an email attachment named "resume.txt.vbs". It also contains the functionality to download a password stealer.

Also known as: Loveletter.AD, VBS/Contract

Category: Worm

Virus definitions: August 16, 2000

Threat assessment:


Wild: Medium
Damage: Low
Distribution: Medium


Wild

Number of infections: 50-999
Number of sites: 3-9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Damage Payload:
Large sale e-mailing: Attempts to email everyone in the Microsoft Outlook address book Distribution

Subject of e-mail: Resume
Name of attachment: resume.txt.vbs
Technical description:


When first executed, this worm will create a file in the current directory named resume.txt. This file is an actual resume, and after creating it, the worm will attempt to open the file in notepad. It appears as:

"Knowledge Engineer, Zurich"

"Intelligente Agenten im Internet sammeln Informationen, erklaren Sachverhalte im" "Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen" "Produkte. Unsere Mandantin entwickelt und vermarktet solche Software-Bots: State of the" "Art des modernen E-Commerce. Auftraggeber sind fuhrende Unternehmen, die besonderen" "Wert auf ein effizientes Customer Care Management legen. Das weltweit aktive," "NASDAQ kotierte Unternehmen mit Sitz in Boston braucht zur Verstarkung seines" "explosiv wachsenden Teams in der Schweiz engagierte, hochmotivierte und kreative" "Spezialisten. Kurz: Sie haben es in der Hand, die Knowledge Facts fur aussergewohnliche" "Losungen im Internet zu realisieren und neue Schnittstellen zwischen Mensch und" "Datenautobahnen zu schaffen. Das Tor zur Welt steht Ihnen offen. Eine faszinierende" "Zukunft braucht Ihre Inspiration und Ihr Know-how.... "


While the resume.txt file is being displayed, the worm continues its malicious actions. It copies itself into the Windows\System folder. Once it has done so, this worm will attempt to email everyone in the Microsoft Outlook address book. After the attempt, it will set a registry key so that it does not perform this action multiple times.

Finally, this VBS worm will try to download a password stealer from the internet. The name of the file it attempts to download is hcheck.exe. If it succeds, this worm will execute the password stealer. Once this worm has performed all its malicious actions, it will attempt to delete all the temporary files that it has created.

Removal:

Delete all detected files.