New strain of Love-Bug virus - Read this!


Jetset Willy
17th Aug 2000, 18:29
Fresh strain of Love Bug virus is out

A new strain of the LoveBug virus is apparently worming its way into Switzerland and Russia, targeting bank account details and passwords.

The virus masquerades as a resume file called RESUME.TXT.VBS attached to an email. It purports to be from a Swiss Internet company looking for an Internet programmer. If the attached file is opened, the virus runs the Notepad word processor and displays the following text:

Knowledge Engineer, Zurich

Intelligente Agenten im Internet sammeln Informationen, erklären Sachverhalte im
Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen Produkte

Once active in the system, the virus downloads a password-stealing program called Hooker from the Net which then copies online banking information from the infected computer.

The Russia-based virus specialists, Kaspersky Labs, has issued warnings about the virus, and has intimated that the password-stealer was placed on computers at Michigan State University and the National Institutes of Health. ®

----

Scary stuff - this has been looked into by our IT dept, and is not a hoax...
Be aware.

What_does_this_button_do?
17th Aug 2000, 18:38
From Symantec:
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.bd.html

This worm is a distant variant of VBS.LoveLetter.A. It attempts to email itself to everyone in the Microsoft Outlook address book. This worm comes as an email attachment named "resume.txt.vbs". It also contains the functionality to download a password stealer.

Also known as: Loveletter.AD, VBS/Contract

Category: Worm

Virus definitions: August 16, 2000

Threat assessment:


Wild: Medium
Damage: Low
Distribution: Medium


Wild

Number of infections: 50-999
Number of sites: 3-9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Damage Payload:
Large scale e-mailing: Attempts to email everyone in the Microsoft Outlook address book

Distribution

Subject of e-mail: Resume
Name of attachment: resume.txt.vbs

Technical description:


When first executed, this worm will create a file in the current directory named resume.txt. This file is an actual resume, and after creating it, the worm will attempt to open the file in notepad. It appears as:

"Knowledge Engineer, Zurich"

"Intelligente Agenten im Internet sammeln Informationen, erklaren Sachverhalte im"
"Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen"
"Produkte. Unsere Mandantin entwickelt und vermarktet solche Software-Bots: State of the"
"Art des modernen E-Commerce. Auftraggeber sind fuhrende Unternehmen, die besonderen"
"Wert auf ein effizientes Customer Care Management legen. Das weltweit aktive,"
"NASDAQ kotierte Unternehmen mit Sitz in Boston braucht zur Verstarkung seines"
"explosiv wachsenden Teams in der Schweiz engagierte, hochmotivierte und kreative"
"Spezialisten. Kurz: Sie haben es in der Hand, die Knowledge Facts fur aussergewohnliche"
"Losungen im Internet zu realisieren und neue Schnittstellen zwischen Mensch und"
"Datenautobahnen zu schaffen. Das Tor zur Welt steht Ihnen offen. Eine faszinierende"
"Zukunft braucht Ihre Inspiration und Ihr Know-how.... "


While the resume.txt file is being displayed, the worm continues its malicious actions. It copies itself into the Windows\System folder. Once it has done so, this worm will attempt to email everyone in the Microsoft Outlook address book. After the attempt, it will set a registry key so that it does not perform this action multiple times.

Finally, this VBS worm will try to download a password stealer from the internet. The name of the file it attempts to download is hcheck.exe. If it succeeds, this worm will execute the password stealer. Once this worm has performed all its malicious actions, it will attempt to delete all the temporary files that it has created.

Removal:

Delete all detected files.
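
Added example, not part of the original thread or of Symantec's write-up: a mail-gateway style check that flags attachments whose name ends in a script or executable extension behind a harmless-looking one, as resume.txt.vbs does. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Extensions Windows executes on double-click (illustrative subset, assumed).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
# Harmless-looking extensions used as a decoy before the real one (assumed).
DECOY_EXTS = {".txt", ".doc", ".rtf", ".pdf", ".jpg", ".gif", ".xls"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    base = re.split(r"[\\/]", name)[-1]          # drop any path component
    base = base.strip().rstrip(". ").lower()     # ignore trailing dots and spaces
    # Padding spaces ("resume.txt      .vbs") are stripped from each extension.
    exts = ["." + p.strip() for p in base.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every risky attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings


# Constructed sample message; the attachment body is a placeholder, not worm code.
SAMPLE = (
    b"From: jobs@example.test\r\nTo: user@example.test\r\nSubject: Resume\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="resume.txt.vbs"\r\n\r\n'
    b"placeholder attachment body\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```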

PPRuNe Pop
17th Aug 2000, 21:11
Sorry, this should be in the Computer Issues Forum, so that's where it is going.

PPRuNe Pop
Moderator