CSS Internet News Virus Update

NewLove virus not nearly as widespread as LoveLetter

New computer virus is dangerous but has not caused many real-world problems

ESPOO, Finland, May 19th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new version of the VBS/LoveLetter virus. The new version is known as NewLove, and it carries a much more dangerous payload than LoveLetter. However, NewLove is not widespread at all. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com

This worm spreads by e-mail, much like LoveLetter. However, the subject field of the e-mail and the name of the attached file are random. NewLove operates under the Windows operating system and needs Microsoft Outlook to spread itself further via e-mail.

"This worm is too destructive to go very far," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "When people were hit by LoveLetter, they didn't notice it until they were contacted by people who they had sent the virus to. With NewLove, your computer crashes immediately and you lose your files. It's difficult to miss that."

The spreading technique of the virus is tricky: it picks up a filename from the list of recently used files. This name could be, for example, "Comments from Bob.txt". The virus would then copy itself to a similar name, "Comments from Bob.txt.vbs", and e-mail that file as an attachment to people found in the address book. The subject of the e-mail would be "FW: Comments from Bob.txt". The result is a quite realistic-looking e-mail, which might be opened even by careful users. With default settings, Windows would hide the ".vbs" extension of the attachment.
If the user opened the file, the worm would immediately e-mail itself further and then start to delete all accessible files on the local hard drive and in the company network. As a result, the computer crashes and won't boot.

Currently, there's no information on where the virus may have originated from. There are no obvious clues in the source code of the virus.

"The virus is programmed so that it keeps changing its code by adding random junk text," comments Mikko Hypponen. "This makes the virus larger and larger as it spreads - eventually making it so large it can't be e-mailed as an attachment any more. This is another factor that limits the spreading of this virus."

"After all, technology is not all that matters for a virus to spread. It also needs to get lucky."

A technical description of the virus is available in the F-Secure virus description database at:
http://www.F-Secure.com/v-descs/newlove.htm

Sample pictures of the code of the VBS/LoveLetter worm are available in the F-Secure virus screenshots center at:
http://www.F-Secure.com/virus-info/v-pics/

NAME: NewLove

VBS/NewLove is a destructive and polymorphic VBScript worm similar to VBS/LoveLetter. Further information about VBS/LoveLetter is available at http://www.F-Secure.com/v-descs/love.htm

VARIANT: NewLove.A

VBS/NewLove.A propagates in email messages using Microsoft Outlook. The message that it sends looks as follows:

    From: name-of-the-infected-user
    To: random-name-from-address-book
    Subject: FW: (random_file_name.ext)
    Body:
    Attachment: (random_file_name.ext).vbs

The worm replicates with an attachment with a random file name that has ".vbs" added to it. For example, "REPORT.DOC.vbs" or "Information on Jacks Birthday.txt.vbs". VBS/NewLove takes the random name from the recently opened files directory. If there are no files in that directory, it generates the name.
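Added example (not part of the F-Secure description): a mail-gateway style check, in Python, for the message layout described above, where the attachment is "<name.ext>.vbs" and the subject is "FW: <name.ext>". The function names and the example.com addresses are assumptions for illustration, and the sample messages are constructed.

```python
"""Flag mail shaped like the NewLove.A description: 'FW: X' plus 'X.vbs'."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage


def double_extension(filename, script_ext=".vbs"):
    """Return the name shown when '.vbs' is hidden, or None if not '<name>.<ext>.vbs'."""
    if not filename or not filename.lower().endswith(script_ext):
        return None
    inner = filename[:-len(script_ext)]
    # The remaining part must itself carry an extension, e.g. "REPORT.DOC".
    root, ext = os.path.splitext(inner)
    return inner if root and len(ext) > 1 else None


def inspect_message(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        inner = double_extension(name)
        if inner is None:
            continue
        findings.append(f"double extension: {name!r} displays as {inner!r}")
        # Second, stronger signal: the subject forwards the displayed name.
        if subject.lower() == f"fw: {inner}".lower():
            findings.append("subject matches the attachment's displayed name")
    return findings


def build_sample(subject, filename):
    """Constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    m["From"] = "user@example.com"   # assumed address
    m["To"] = "peer@example.com"     # assumed address
    m["Subject"] = subject
    m.set_content("")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample("FW: Comments from Bob.txt", "Comments from Bob.txt.vbs")
    for finding in inspect_message(raw):
        print(finding)
```

Because the worm falls back to a generated name when no recent files exist, the double-extension finding alone is the more general signal; the subject match only raises confidence.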
If the attachment is opened with Notepad, the code of the worm can be seen:

Then the worm sends itself to each recipient in each Outlook address book - just like VBS/LoveLetter.

VBS/NewLove.A copies itself to the Windows System and the Windows directory with a random name. It adds itself to the registry with a random key to the following registry hives:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

Next the worm will go through all drives and all subdirectories. For each file, the worm creates a new file using the same name with the additional extension ".vbs" and deletes the original file. After this the machine cannot boot any longer.

VBS/NewLove.A was reported to be somewhat in-the-wild on 19th of May, 2000.

Detection of this worm was added to F-Secure Anti-Virus at 11:00 GMT on 19th of May, 2000.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]