Kaspersky Lab announced today the discovery of another variation of the "LoveLetter" script-virus, which became infamous in May of this year. The virus, known under the technical name "I-Worm.LoveLetter.bd", has been found in the wild. To date, Kaspersky Lab has received several reports of infections in Switzerland and Russia.
The virus uses a well-known psychological trick to make the user open the infected file RESUME.TXT.VBS attached to an e-mail message: it offers the opportunity to view the resume of a Swiss Internet company that is looking for an Internet programmer. After the infected attachment is executed, the virus automatically opens Notepad (bundled by default with all Windows versions) and shows the following text:
Knowledge Engineer, Zurich
Intelligente Agenten im Internet sammeln Informationen, erklären Sachverhalte im Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen Produkte.
[skipped]
Simultaneously the virus invisibly gains access to the Outlook mail program and, just like the original "LoveLetter", sends out copies of itself containing the attached infected "resume" file to all the entries in the Outlook address book.
The most distinctive feature of the virus is that it can download additional malicious components from the Internet to the infected PC. However, this feature is active only if the user is running USB PIN, the software produced by the Union Bank of Switzerland for conducting online banking transactions.
Without the user's knowledge, the virus tries to connect to one of three web sites in order to download the file HCHECK.EXE, which contains the Trojan program "Hooker". "Hooker" in turn collects all the user information from the infected PC, including name, company, installed software, address, and logins and passwords for Internet access. It also intercepts the keyboard buffer and tracks all the keystrokes typed on the computer. The Trojan then sends this information to an anonymous e-mail address obviously owned by the virus author.
It should be highlighted that the Trojan component is downloaded from web sites of several major governmental and educational establishments that have no strict access policy for their content. Among these establishments are Michigan State University and the U.S. National Institutes of Health. All users inadvertently have full access to the public upload directory on these sites, so they can not only upload files but also download them. It is this breach that the virus exploits to prevent the author's location from being revealed.
To prevent infection by this virus, Kaspersky Lab recommends that the attachment RESUME.TXT.VBS not be opened under any circumstances. The same applies to other unexpected attachments received by e-mail, whether from unknown persons or from colleagues and friends.
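A mail-gateway check for file names like RESUME.TXT.VBS, where a harmless-looking extension precedes the script extension that Windows actually acts on. This is an added example, not part of Kaspersky Lab's announcement; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration; tune them to local policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".htm", ".html"}

def classify_attachment(filename):
    """Return 'masquerade', 'script' or 'ok' for an attachment file name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTS:
        return "ok"
    # A document-like extension directly before the script extension
    # (RESUME.TXT.VBS) is the disguise described in the text above.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "masquerade"
    return "script"

def scan_message(raw_bytes):
    """Return (filename, verdict) for every suspicious attachment in a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decoded Content-Disposition file name
        if filename:
            verdict = classify_attachment(filename)
            if verdict != "ok":
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed sample message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Resume"  # constructed subject line
    m.set_content("See attachment.")
    m.add_attachment(b"' placeholder, not script content\n", maintype="application",
                     subtype="octet-stream", filename="RESUME.TXT.VBS")
    m.add_attachment(b"meeting notes\n", maintype="application",
                     subtype="octet-stream", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```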
Also, Kaspersky Lab recommends that users install AVP Script Checker - an ultimate anti-virus plug-in to protect you against script-viruses including those from the "LoveLetter" family. It effectively blocks script-viruses without requiring any updates to the anti-virus database.
"Script Checker utilises the unique technology of intercepting the script-viruses directly in the system memory. Additionally it is powered by the world's first heuristic code analyser to protect you even from unknown script-viruses. This enables the program to successfully detect all variations of the "LoveLetter" virus," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.
Procedures for removal of the virus have already been added to the daily update of AntiViral Toolkit Pro (AVP).

