***********************************************************
R U S H: W2KnewsFlash - 'I Love You' Killer Virus in the Wild
***********************************************************

Hi Everybody,

I may be too late as this thing is multiplying like... er, a virus. But this is the 'New Melissa'. It's a nasty critter indeed and a smart one. Time to update your firewalls and virus scanner signature files! We got hit from all sides, and Europe before us. This is the real thing unfortunately. I'm sure it will hit CNN today too.

The following is data on the LoveLetter virus we pulled off the TrendMicro site. Other virus protection vendors have published the same data. Check your own virus protection vendor A S A P!

NOTE: An additional piece of data we discovered not covered in this data is that the virus also seems to reassociate jpg, jpeg, mpeg, mpg, mp3 files to the Windows Scripting Host. If these files are opened after being infected, it will rerun the virus.

TECH DETAILS: VBS_LOVELETTER

Risk rating: Destructive: Y
Aliases: LOVELETTER

Description:
Note: This virus is currently in the wild and is spreading rapidly. Once executed, this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file 'LOVE-LETTER-FOR-YOU.TXT.vbs' to all email addresses listed in the address list. It also propagates using mIRC by modifying the 'script.ini'. After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

Solution: Trend pattern file #693 can detect and clean this virus. All Trend customers are advised to download the latest pattern file.
Technical details: VBS_LOVELETTER (continued from profile page)

In the wild: Yes
Trigger date 1: Any Day
Payload 1: Others (spreads via email and mIRC)
Detected by pattern file#: 693
Detected by scan engine#: 5.12
Language: English
Platform: Windows
Encrypted: No
Size of virus: 10,307 Bytes

Details:
Once executed, this virus drops the following files:
  \windows\Win32DLL.vbs
  \system\MSKernel32.vbs
  \system\LOVE-LETTER-FOR-YOU.TXT.vbs

It also modifies the following registry entries so that the virus is run at each Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32, <root>:\windows\system\MSKernel32.vbs
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL, <root>:\windows\Win32DLL.vbs

It searches for a file named WinFAT32.exe in the <root>:\windows\system folder. If the file exists, then it modifies Internet Explorer's startup page with one of the following sites:
  http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
  http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
  http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
  http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches for a file named WIN-BUGSFIX.exe in the <root>:\windows\system folder.
If the file does not exist, then it modifies Internet Explorer's startup page to the 'about:blank' page and modifies the registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, \WIN-BUGSFIX.exe

This worm primarily propagates using Microsoft Outlook by sending an email with an attachment file 'LOVE-LETTER-FOR-YOU.TXT.vbs' to all email addresses listed in the address list with the Subject: ILOVEYOU

Other than this, it starts modifying mIRC's script.ini file by overwriting the script.ini. After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself, 'LOVE-LETTER-FOR-YOU.HTM'.

That's all for now.

Warm regards,
Stu [archive@jab.org]

This is a posting from the nt-list. To unsubscribe, send a blank email to [EMAIL PROTECTED]
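An added example, not part of Stu's post or the Trend Micro data: a small Python triage script that checks an exported registry text and a file listing for the Run/RunServices values and dropped files listed above. The registry sample and file paths are constructed, the .reg parser assumes plain string values only, and the media file reassociation noted at the top of the post is not checked.

```python
# Added example (not from the post or Trend Micro): offline triage of a Windows
# registry export (.reg text) and a file listing for the VBS_LOVELETTER
# persistence artifacts the advisory above lists.
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
# (key, value name) -> file the value data is expected to name, per the advisory
PERSISTENCE = {
    (RUN, "MSKernel32"): "mskernel32.vbs",
    (RUNSERVICES, "Win32DLL"): "win32dll.vbs",
    (RUN, "WIN-BUGSFIX"): "win-bugsfix.exe",
}
# Files the advisory says the worm drops or sends; matched by basename, case-insensitively
DROPPED = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}

def parse_reg_export(text):
    """Turn the [key] / "name"="data" lines of a .reg export into {(key, name): data}, keys lowercased."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes inside string data as "\\"; plain strings only here
            entries[(key, name.strip('"').lower())] = data.strip('"').replace("\\\\", "\\")
    return entries

def find_indicators(reg_text, file_paths):
    """Return human-readable hits for the advisory's run keys and dropped files."""
    hits, reg = [], parse_reg_export(reg_text)
    for (key, name), expected in PERSISTENCE.items():
        data = reg.get((key.lower(), name.lower()), "")
        if expected in data.lower():
            hits.append(f"persistence: {key}\\{name} = {data}")
    for path in file_paths:
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED:
            hits.append(f"dropped file: {path}")
    return hits

# Constructed sample data shaped like an infected host; not a real capture.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"Explorer"="C:\\WINDOWS\\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
"""
SAMPLE_FILES = [r"C:\WINDOWS\Win32DLL.vbs", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\notepad.exe"]
print(*find_indicators(SAMPLE_REG, SAMPLE_FILES), sep="\n")
```

On a real host, feed it the output of `reg export` for the two keys and a recursive listing of the Windows directory instead of the constructed samples.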