Sophos

VBS/LoveLet-C

Aliases
  • Susitikim

Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from June 2000 (3.34)
Detected by All Sophos products

More Information

VBS/LoveLet-C is a variant of VBS/LoveLet-A.

Infected emails have the subject line:

Susitikim shi vakara kavos puodukui... (Lithuanian for "Let's meet this evening for a coffee...")

The message text is:

kindly check the attached LOVELETTER coming from me.

The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, a double extension: the real, executable extension is .vbs, and the .TXT in front of it is only part of the name. Mailers which suppress well-known extensions such as .vbs may display the file as LOVE-LETTER-FOR-YOU.TXT, so that it looks like a harmless text file.

Because the worm arrives as a VBS file, it needs the Windows Scripting Host (WSH) in order to run. If WSH is disabled, the attachment cannot execute and is rendered harmless.
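The attachment check the two paragraphs above describe, written out as an added example (this is not Sophos code and not the worm): a triage routine that parses a message with Python's standard email module, classifies each attachment by whether a WSH-executable extension hides behind another extension, and returns a quarantine verdict. The sample message is constructed here from the subject, body text and attachment name this page reports; its attachment body is a harmless placeholder comment. The extension list is the set of script types this page names (VBS, VBE, JS, JSE, WSH, SCT, HTA).

```python
import email
from email import policy

# Script types that Windows Scripting Host or the shell will execute on a
# double click (the types this page names, minus .CSS, which is not executable).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}


def classify_attachment(filename: str) -> str:
    """Return 'double-extension-script' for names such as
    LOVE-LETTER-FOR-YOU.TXT.vbs, 'script' for a bare script file such as
    update.vbs, and 'ok' for anything else."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTENSIONS:
        return "ok"
    # name.inner.outer where inner looks like a real extension (txt, jpg, ...)
    if len(parts) == 3 and parts[1].isalnum():
        return "double-extension-script"
    return "script"


def triage_message(raw: str) -> dict:
    """Parse an RFC 822 message and flag attachments that WSH would execute.
    Everything is decided from headers and filenames; nothing is run."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"subject": str(msg["subject"]), "attachments": [], "verdict": "deliver"}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = classify_attachment(name)
        report["attachments"].append((name, kind))
        if kind != "ok":
            report["verdict"] = "quarantine"
    return report


# Constructed sample modelled on the headers this page reports; the attachment
# body is a harmless placeholder comment, not the worm.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: recipient@example.test
Subject: Susitikim shi vakara kavos puodukui...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached LOVELETTER coming from me.

--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: 7bit

' placeholder text standing in for the script body
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE))
```

The classification looks only at the final extension, so a mailer that hides `.vbs` from the user does not hide it from this check; `archive.tar.gz` and `notes.txt` come back as `ok`, while any bare `.vbs` attachment is still flagged as `script`.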

The worm also drops an HTM file that can spread the worm and, if mIRC is installed, a mIRC script that tries to distribute it over IRC.

The worm checks the Internet Explorer download directory for a file named WinFAT32.exe. If that file does not exist, the worm randomly picks one of four web addresses and writes it to the registry as the Internet Explorer Start Page. Each address points to an EXE file, WIN-BUGSFIX.exe; once the browser has downloaded it, the worm modifies the registry so that the file is run on the next reboot. Sophos detects this file as Troj/LoveLet-A.

The Internet Explorer Start Page is also set to blank.

The worm copies itself to two locations in the Windows system directory, and registry entries cause these copies to be executed each time the computer reboots.

The email component of the worm requires Microsoft Outlook. If Outlook is present, the worm tries to send itself to every entry in the Windows Address Book.

The worm also searches all local and networked drives for files with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the worm's code and renamed so that their extension becomes .VBS.

Any JPG or JPEG files are also overwritten by the worm, and .VBS is appended to the existing filename (photo.jpg becomes photo.jpg.vbs).

For MP2 and MP3 files the worm does not overwrite the original; it writes a copy of itself to a new file with .VBS appended to the original filename and sets the original file's hidden attribute, so the music file is still present but no longer visible.
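The three kinds of damage described above leave recognisable traces, and the following added example (not Sophos code) shows how a responder can sweep a drive for them. Because the worm replaces every targeted file with the same bytes, hash-clustering the .vbs files finds the overwritten scripts even where the rename hid their original type; the media files are found by the double extension and, for MP2/MP3, by the original sitting next to its .vbs copy. The directory layout is constructed in a temporary folder with a harmless placeholder standing in for the worm body; the hidden attribute is Windows-specific and is not checked here, the sibling .vbs file is used instead.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions this page says get a .VBS copy appended to their full name.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".mp2", ".mp3"}
AUDIO_EXTENSIONS = {".mp2", ".mp3"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_tree(root) -> dict:
    """Report three on-disk traces of the worm under root:
    - identical_clusters: groups of .vbs files with the same hash. A worm that
      overwrites every script with itself leaves many byte-identical .vbs
      files, which a legitimate script collection does not.
    - double_extension: .vbs files whose name still carries a media extension
      (photo.jpg.vbs, song.mp3.vbs).
    - audio_with_vbs_copy: MP2/MP3 files with a sibling name.mp3.vbs, i.e. the
      original the worm left in place (hidden) next to its copy."""
    root = Path(root)
    by_hash = defaultdict(list)
    double_ext, audio_with_copy = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] == ".vbs":
            by_hash[sha256_of(path)].append(rel)
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS:
                double_ext.append(rel)
        elif suffixes and suffixes[-1] in AUDIO_EXTENSIONS:
            if path.with_name(path.name + ".vbs").is_file():
                audio_with_copy.append(rel)
    clusters = sorted(sorted(group) for group in by_hash.values() if len(group) >= 2)
    return {
        "identical_clusters": clusters,
        "double_extension": sorted(double_ext),
        "audio_with_vbs_copy": sorted(audio_with_copy),
    }


# Constructed layout mirroring the page's description. PLACEHOLDER_BODY stands
# in for the worm; it is a VBScript comment line, not executable code.
PLACEHOLDER_BODY = b"' constructed placeholder standing in for the worm body\r\n"
SAMPLE_FILES = {
    "WINDOWS/SYSTEM/MSKernel32.vbs": PLACEHOLDER_BODY,
    "WINDOWS/SYSTEM/Win32DLL.vbs": PLACEHOLDER_BODY,
    "WINDOWS/SYSTEM/LOVE-LETTER-FOR-YOU.TXT.vbs": PLACEHOLDER_BODY,
    "web/style.vbs": PLACEHOLDER_BODY,          # was style.css, overwritten and renamed
    "docs/photo.jpg.vbs": PLACEHOLDER_BODY,     # photo.jpg overwritten, .vbs appended
    "music/song.mp3.vbs": PLACEHOLDER_BODY,     # copy written beside the MP3
    "music/song.mp3": b"ID3 constructed audio bytes",  # original, left in place
    "web/legit.vbs": b'WScript.Echo "unrelated admin script"\r\n',
    "docs/readme.txt": b"untouched\r\n",
}


def build_sample_tree(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real drive, point `scan_tree` at the volume root: the cluster of identical .vbs files is the list of overwritten scripts, and the unrelated `legit.vbs` stays out of it because its hash differs.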

If the worm determines that mIRC is installed on the system it will drop a mIRC script that will send the worm on via mIRC.

Note that following the Sophos Guidelines for Safe Hex will make you almost immune to this attack: if you do not open unusual or unexpected emails and have disabled WSH, you are unlikely to become infected.

VBS/LoveLet-C is a mass-mailing worm for the Windows platform.

VBS/LoveLet-C attempts to send itself as an email attachment to contacts in the Microsoft Outlook address book. The worm is sent with the filename LOVE-LETTER-FOR-YOU.TXT.VBS, the subject line given above and the message text "kindly check the attached LOVELETTER coming from me."

VBS/LoveLet-C copies itself to the Windows system folder as MSKERNEL32.VBS and LOVE-LETTER-FOR-YOU.TXT.VBS. The worm may also spread to local and network drives.

VBS/LoveLet-C overwrites with itself files with any of the following extensions:

CSS
JS
JSE
HTA
SCT
WSH

VBS/LoveLet-C replaces files with any of the following extensions with a copy of itself named with '.VBS' appended to the original name (JPG and JPEG originals are destroyed; MP2 and MP3 originals are left in place but hidden):

MP2
MP3
JPEG
JPG

VBS/LoveLet-C creates the following registry entries in order to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSKernel32
<system>\MSKernel32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32DLL
<system>\Win32DLL.vbs

VBS/LoveLet-C may create the following further registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WIN-BUGSFIX

VBS/LoveLet-C may change the Internet Explorer Start Page to point to an EXE file at a randomly chosen web address.
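The registry entries listed above are the worm's persistence, and the following added example (not Sophos code) checks an exported registry file for them: it parses the `[key]` / `"name"="value"` lines of a .reg export, flags Run and RunServices values that launch a script file or carry one of the value names this page reports (MSKernel32, Win32DLL, WIN-BUGSFIX), and reports an Internet Explorer Start Page that points at an executable. The sample export is constructed; the WIN-BUGSFIX path and the hostname in it are placeholders, and the Start Page key is the standard location rather than one the page names.

```python
import re
from pathlib import PureWindowsPath

# Autorun keys this page lists as the worm's persistence points.
AUTORUN_KEYS = {
    k.lower()
    for k in (
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    )
}
# Standard location of the Internet Explorer Start Page (assumed; the page
# does not name the key).
START_PAGE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower()
# Value names this page reports for the worm's autorun entries.
KNOWN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg exports write a backslash as \\ and a double quote as \"
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {name: value}} (REG_SZ values only,
    which is all the checks below need)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_suspicious_autoruns(entries: dict) -> list:
    """Return (subkey, value name, command, reason) for autorun entries that
    launch a script file or carry one of the worm's known value names."""
    hits = []
    for key, values in entries.items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, command in values.items():
            reasons = []
            if PureWindowsPath(command.strip('"')).suffix.lower() in SCRIPT_EXTENSIONS:
                reasons.append("autorun launches a script file")
            if name.lower() in KNOWN_VALUE_NAMES:
                reasons.append("value name matches VBS/LoveLet")
            if reasons:
                hits.append((key.rsplit("\\", 1)[-1], name, command, "; ".join(reasons)))
    return hits


def check_start_page(entries: dict):
    """Return the IE Start Page if it points at an executable, else None."""
    for key, values in entries.items():
        if key.lower() == START_PAGE_KEY:
            url = values.get("Start Page", "")
            if url.lower().endswith((".exe", ".vbs")):
                return url
    return None


# Constructed export modelled on the entries this page lists. The WIN-BUGSFIX
# path and the hostname are placeholders, not values taken from the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\Downloaded Program Files\\WIN-BUGSFIX.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\SYSTEM\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/WIN-BUGSFIX.exe"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for hit in find_suspicious_autoruns(parsed):
        print(hit)
    print("start page:", check_start_page(parsed))
```

The benign `SystemTray` entry is not reported: it is neither a script nor a known name. The script-extension test is what catches a renamed variant, since any .vbs in an autorun key is worth a look regardless of the value name it was given.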
