
CSS Internet News Virus Update

NewLove virus not nearly as widespread as LoveLetter

New computer virus is dangerous but has not caused many real-world
problems

ESPOO, Finland, May 19th, 2000 - F-Secure Corporation (formerly Data
Fellows) [HEX: FSC], a leading provider of security for mobile,
distributed enterprises, is warning e-mail users of a new version of
the VBS/LoveLetter virus. The new version is known as NewLove, and it
carries a much more dangerous payload than LoveLetter. However, NewLove
is not widespread at all. F-Secure Anti-Virus detects and disinfects
the virus, with the latest update available from www.F-Secure.com.

This worm spreads by e-mail, much like LoveLetter. However, the
subject field of the e-mail and the name of the attached file are
random. NewLove operates under the Windows operating system and needs
Microsoft Outlook to spread itself further via e-mail. F-Secure
Anti-Virus detects and disinfects the virus, with the latest update
available from www.F-Secure.com.

"This worm is too destructive to go very far," comments Mikko
Hypponen, Manager of Anti-Virus Research at F-Secure Corporation.
"When people were hit by LoveLetter, they didn't notice it until they
were contacted by people who they had sent the virus to. With
NewLove, your computer crashes immediately and you lose your files.
It's difficult to miss that."

The spreading technique of the virus is tricky: it picks up a
filename from the list of recently used files. This name could be,
for example, "Comments from Bob.txt". The virus would then copy itself
to a similar name, "Comments from Bob.txt.vbs", and e-mail that file
as an attachment to people found in the address book. The subject of
the e-mail would be "FW: Comments from Bob.txt". The result is a quite
realistic-looking e-mail, which might be opened even by careful
users.

With default settings, Windows would hide the ".vbs" extension of the
attachment. If the user opened the file, the worm would
immediately e-mail itself further and then start to delete all
accessible files on the local hard drive and in the company network.
As a result, the computer crashes and won't boot.

Currently, there's no information on where the virus may have
originated. There are no obvious clues in the source code of the
virus.

"The virus is programmed so that it keeps changing its code by adding
random junk text," comments Mikko Hypponen. "This makes the virus
larger and larger as it spreads - eventually making it so large it
can't be e-mailed as an attachment any more. This is another factor
that limits the spreading of this virus."

"After all, technology is not all that matters for a virus to
spread. It also needs to get lucky."

A technical description of the virus is available in the F-Secure
virus description database at: 

http://www.F-Secure.com/v-descs/newlove.htm

Sample pictures of the code of the VBS/LoveLetter worm are available
in the F-Secure virus screenshots center at:

http://www.F-Secure.com/virus-info/v-pics/

NAME:NewLove 

VBS/NewLove is a destructive and polymorphic VBScript worm similar to
VBS/LoveLetter. Further information about VBS/LoveLetter is available at

http://www.F-Secure.com/v-descs/love.htm 

VARIANT:NewLove.A 

VBS/NewLove.A propagates in email messages using Microsoft Outlook. The 
message that it sends looks as follows: 

    From:       name-of-the-infected-user
    To:         random-name-from-address-book
    Subject:    FW: (random_file_name.ext)
    Body:
    Attachment: (random_file_name.ext).vbs

The worm replicates as an attachment with a random file name that has
".vbs" added to it. For example, "REPORT.DOC.vbs" or "Information on
Jacks Birthday.txt.vbs". VBS/NewLove takes the random name from the
recently opened files directory. If there are no files in that directory, it
generates the name.
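
A mail-filter check for the message layout described above (a ".vbs"
attachment whose visible name carries a second extension, and a subject of
"FW: " plus that name). This is an added example, not F-Secure's code; the
function names, addresses and sample messages are constructed for
illustration.

```python
# Added example: flag messages that match the NewLove.A layout described above.
import os
from email import message_from_string, policy
from email.message import EmailMessage

SCRIPT_EXT = ".vbs"  # the only extension the description names

def check_message(raw):
    """Return [(attachment_name, [reasons])] for script attachments in one message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(SCRIPT_EXT):
            continue
        reasons = ["script attachment"]
        # With extensions hidden, Windows shows only this part of the name.
        shown = name[:-len(SCRIPT_EXT)]
        if os.path.splitext(shown)[1]:
            reasons.append("double extension")
        # Subject format from the description: "FW: " + original file name.
        if subject.lower().startswith("fw:"):
            quoted = subject[3:].strip(" ()")  # tolerate "FW: (name.ext)"
            if quoted.lower() == shown.lower():
                reasons.append("subject mirrors attachment name")
        findings.append((name, reasons))
    return findings

def build_sample(subject, filename):
    """Construct a test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.test", "bob@example.test", subject
    m.set_content("")
    m.add_attachment(b"placeholder bytes, not worm code", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for subj, fname in [("FW: Comments from Bob.txt", "Comments from Bob.txt.vbs"),
                        ("Quarterly numbers", "report.doc"),
                        ("Tools", "cleanup.vbs")]:
        print(fname, "->", check_message(build_sample(subj, fname)))
```

A message that collects all three reasons matches the layout above and is a
candidate for quarantine; a lone "script attachment" hit still deserves a
look, since the worm generates a name when no recent file is available.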

If the attachment is opened with Notepad, the code of the worm can
be seen.

Then the worm sends itself to each recipient in each Outlook address
book - just like VBS/LoveLetter.

VBS/NewLove.A copies itself to the Windows System and the Windows 
directory with a random name. It adds itself to the registry with a 
random key to the following registry hives: 

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

Next, the worm will go through all drives and all subdirectories. For
each file, the worm creates a new file using the same name with the
additional extension ".vbs" and deletes the original file.

After this the machine can not boot any longer. 

VBS/NewLove.A was reported to be somewhat in-the-wild on 19th of May,
2000. Detection of this worm was added to F-Secure Anti-Virus at 11:00
GMT on 19th of May, 2000.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]  


