VAHENRIC-L Archives



From: "Mike Simmons" <>
Subject: [VAHENRIC] Fw: [virus-alert] RE: HIGH RISK VIRUS ALERT
Date: Tue, 9 May 2000 14:32:39 -0500


This is the only alert I will post.

Mike

----- Original Message -----
From: AVERT ALERT <>
To: <>
Sent: Thursday, May 04, 2000 6:13 PM
Subject: [virus-alert] RE: HIGH RISK VIRUS ALERT


> This is an update to the original message and alert
>
> AVERT is issuing an additional alert for two variants/copycats of the
> Loveletter worm.
>
> The b variant has the subject "Susitikim shi vakara kavos puodukui..." The
> DOC is the same.
>
> The c variant has the subject "Joke" and the DOC is called VeryFunny.vbs.
>
> We are posting updated extra.dat, and extra.drv to the NAI/McAfeeB2B/AVERT
> websites.
>
> http://vil.nai.com/villib/dispvirus.asp?virus_k=98617
>
> Regards,
>
> AVERT
>
> -----Original Message-----
> From: AVERT ALERT
> Sent: Thursday, May 04, 2000 10:53 AM
> To: ''
> Subject: HIGH RISK VIRUS ALERT
>
>
> Approved: modempool.posting
>
> AVERT would like to update you on a High Risk Worm as it is at Outbreak
> status.
>
> The worm is called VBS/Loveletter. Below is a description of the worm, an
> extra.dat - for McAfee VirusScan users, and the extra.drv - for DrSolomon
> Toolkit/FindVirus customers.
>
> This worm has become more widespread than Melissa. If you receive an email
> with the subject I love you DELETE IT!
>
> Virus Name: VBS/LoveLetter.worm
> Aliases: none known
>
> Characteristics:
>
> This is a VBScript worm with virus qualities. This worm will arrive in an
> email message with this format:
>
> Subject "ILOVEYOU"
> Message "kindly check the attached LOVELETTER coming from me."
> Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"
>
> If the user runs the attachment the worm runs using the Windows Scripting
> Host program. This is not normally present on Windows 9x or Windows NT
> unless Internet Explorer 5 is installed.
>
> When the worm is first run it drops copies of itself in the following
> places:
>
> C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
> C:\WINDOWS\WIN32DLL.VBS
> C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
>
> It also adds the registry keys:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
> Win32DLL=C:\WINDOWS\Win32DLL.vbs
>
> in order to run the worm at system startup.
>
> The worm replaces the following files:
>
> *.JPG
> *.JPEG
> *.MP3
> *.MP2
>
> with copies of itself and it adds the extension .VBS to the original
> filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
> contain the worm.
>
> The worm also overwrites the following files:
>
> *.VBS
> *.VBE
> *.JS
> *.JSE
> *.CSS
> *.WSH
> *.SCT
> *.HTA
>
> with copies of itself and renames the files to *.VBS.
>
> The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm
> and this is then sent to the IRC channels if the mIRC client is installed.
> This is accomplished by the worm replacing the file SCRIPT.INI.
>
> After a short delay the worm uses Microsoft Outlook to send copies of itself
> to all entries in the address book.
> The mails will be of the same format as the original mail.
>
> This worm also has another trick up its sleeve in that it tries to download
> and install an executable file called WIN-BUGSFIX.EXE from the Internet.
> This exe file is a password stealing program that will email any cached
> passwords to the mail address
>
> In order to facilitate this download the worm sets the start-up page of
> Microsoft Internet Explorer to point to the web-page containing the password
> stealing trojan.
>
> The email sent by this program is as follows:
>
> -------------copy of email sent-----------
> From:
> Subject: Barok... email.passwords.sender.trojan
> X-Mailer: Barok... email.passwords.sender.
> trojan---by: spyder
> Host: [machine name]
> Username: [user name]
> IP Address: [victim IP address]
>
> RAS Passwords:...[victim password info]
> Cache Passwords:...[victim password info]
> -------------copy of email sent-----------
>
> The password stealing trojan is also installed via the following registry
> key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
>
> to autorun at system startup. After it has been run the password stealing
> trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the
> registry key with
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> WinFAT32=WinFAT32.EXE
>
>
>
> Date Discovered: Thursday May 4th 2000
> DAT included: 4077
> Risk: High
>
>
>
>
> Regards,
>
> AVERT
>
>
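The advisory above lists mail-level indicators (subjects and attachment names of the original worm and its b/c variants) and host-level indicators (dropped files, autorun registry values, and the *.JPG.VBS-style renamed files). The following is an added example, not part of the AVERT alert or of any McAfee product: it turns those indicators into two defensive checks, one a mail-gateway classifier and the other a host artifact scan. The scan takes a list of file paths and a list of (registry key, value name, data) tuples rather than reading the live file system or registry, so it runs offline on the constructed sample data embedded below; the function names, the double-extension heuristic, and the benign sample entries are assumptions of this example.

```python
"""Defensive checks built from the VBS/LoveLetter indicators in the AVERT alert.
Added example; all sample inputs are constructed and do not come from a real host."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Mail indicators from the alert: original subject plus the b and c variants.
LOVELETTER_SUBJECTS = {"iloveyou", "susitikim shi vakara kavos puodukui...", "joke"}
LOVELETTER_ATTACHMENTS = {"love-letter-for-you.txt.vbs", "veryfunny.vbs"}

# Host indicators from the alert: dropped worm copies and the trojan's final location.
DROPPED_FILES = {
    r"c:\windows\system\mskernel32.vbs",
    r"c:\windows\win32dll.vbs",
    r"c:\windows\system\love-letter-for-you.txt.vbs",
    r"c:\windows\system\winfat32.exe",
}
# Autorun values the alert lists, as (key, value name), compared case-insensitively.
AUTORUN_VALUES = {
    (RUN_KEY.lower(), "mskernel32"),
    (RUNSERVICES_KEY.lower(), "win32dll"),
    (RUN_KEY.lower(), "win-bugsfix"),
    (RUN_KEY.lower(), "winfat32"),
}
# Files the worm overwrites keep their original extension and gain .VBS (PICT.JPG.VBS).
RENAMED_RE = re.compile(r"\.(jpe?g|mp[23]|vbs|vbe|jse?|css|wsh|sct|hta)\.vbs$", re.IGNORECASE)


def classify_mail(subject, attachment_names):
    """Return the alert indicators a message matches; an empty list means no match."""
    reasons = []
    if subject.strip().lower() in LOVELETTER_SUBJECTS:
        reasons.append("subject: " + subject.strip())
    for name in attachment_names:
        low = name.lower()
        if low in LOVELETTER_ATTACHMENTS:
            reasons.append("attachment: " + name)
        elif low.endswith(".vbs") and low.count(".") >= 2:
            # Assumed generic rule: a script hiding behind a second extension,
            # the same disguise the alert shows with LOVE-LETTER-FOR-YOU.TXT.vbs.
            reasons.append("double-extension script attachment: " + name)
    return reasons


def scan_host(file_paths, autorun_entries):
    """file_paths: Windows paths found on the host; autorun_entries: (key, value_name, data)."""
    hits = {"dropped_files": [], "autorun": [], "renamed_files": []}
    for path in file_paths:
        low = path.lower()
        if low in DROPPED_FILES:
            hits["dropped_files"].append(path)
        elif RENAMED_RE.search(low):
            hits["renamed_files"].append(path)
    for key, name, data in autorun_entries:
        if (key.lower().rstrip("\\"), name.lower()) in AUTORUN_VALUES:
            hits["autorun"].append(f"{key}\\{name}={data}")
    return hits


# Constructed sample data: two worm messages, one benign message, and a host
# inventory with two dropped files, one renamed picture, two autorun values
# and one benign Run entry.
SAMPLE_MAILS = [
    ("ILOVEYOU", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
    ("Joke", ["VeryFunny.vbs"]),
    ("Q2 budget", ["budget.xls"]),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\My Documents\PICT.JPG.VBS",
    r"C:\My Documents\notes.txt",
    r"C:\WINDOWS\SYSTEM\WinFAT32.EXE",
]
SAMPLE_AUTORUN = [
    (RUN_KEY, "MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
    (RUNSERVICES_KEY, "Win32DLL", r"C:\WINDOWS\Win32DLL.vbs"),
    (RUN_KEY, "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
]

if __name__ == "__main__":
    for subject, attachments in SAMPLE_MAILS:
        print(f"{subject!r}: {classify_mail(subject, attachments) or 'clean'}")
    for category, items in scan_host(SAMPLE_FILES, SAMPLE_AUTORUN).items():
        print(f"{category}: {items}")
```

The subject "Joke" on its own is a weak indicator; in a real gateway rule it should be required together with an attachment match, which the reasons list makes easy to do. The host scan reports the post-infection state, so a hit on the Run values means the autorun entries still need removing after the files are cleaned, as the alert's DAT update would handle.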
