
New worm poses potential threat to business

Johannesburg, 19 May 2000

company Symantec SA has released a warning regarding a new polymorphic variation of the Love Letter worm that recently brought many major corporate networks to their knees.

VBS.NewLove.A spreads by sending itself to all addressees in the Outlook address book when it is activated. Each time the virus spreads, it mutates itself to evade detection.

The potential threat is deemed considerably high, with more than 1 000 infections reported across the US West Coast, Europe and Israel since detection of the worm in the US, according to Robyn Weeda, marketing communications manager, Symantec SA.

However, she says VBS.NewLove.A is not spreading as fast as the Love Letter worm, due mainly to an increased defensive approach adopted by companies in the wake of the Love Letter worm.

What makes this variant particularly hard to pin down, Weeda confirms, is that the .vbs attachment name is randomly chosen from the user's Recently Opened Documents list. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). The attachment size is variable.

If no documents have been used recently, the attachment name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines).

Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection. The worm is also known as VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER and VBS.Loveletter.FW.A. Once executed, its payload overwrites and modifies every inactive file on the system, including all files on mapped local drives, effectively rendering the infected PC inoperable.

The contents of all files will be replaced by the worm's source code, thus destroying the original contents. The worm will also append the extension ".vbs" to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the infected files from known clean backups. Files in the root directory of any drive will not be affected.

Potential damage to networks includes degraded performance through clogged e-mail servers, system instability and overwriting of critical system files.

As a first line of defence, administrators are advised to filter for e-mails with a subject line containing the word "FW" along with an attachment with a .vbs extension. Virus definitions will soon be available from the Symantec Anti-virus Research Centre. Trend Micro users can protect themselves using the new virus pattern file available from www.sd.co.za.
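The filter advice above, combined with the subject and attachment naming pattern described earlier, can be expressed as a mail triage check. The following is an added example, not Symantec's or Trend Micro's code; the function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

def vbs_attachments(msg):
    """Return the filenames of all attachments ending in .vbs (any case)."""
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and n.lower().endswith(".vbs")]

def classify(raw):
    """'clean', 'suspect' (the article's filter fires) or 'match' (naming pattern fits)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    attachments = vbs_attachments(msg)
    # First-line filter from the article: the word "FW" plus a .vbs attachment.
    if not attachments or not re.search(r"\bFW\b", subject, re.IGNORECASE):
        return "clean"
    if subject.upper().startswith("FW: "):
        named = subject[4:].lower()
        for name in attachments:
            # Drop ".vbs"; drop the leading dot of the NT/2000 form ".EXT.VBS".
            stem = name[:-4].lstrip(".").lower()
            if stem and stem in named:
                return "match"
    return "suspect"

def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attached")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for subj, fname in [("FW: budget.xls", "budget.xls.vbs"), ("FW: XLS", ".XLS.VBS"),
                        ("FW: minutes", "report.vbs"), ("Software update", "setup.vbs")]:
        print(subj, fname, classify(build_sample(subj, fname)))
```

A "suspect" result means only the broad subject-plus-extension filter fired; "match" means the subject also names the attachment, as the worm's messages do.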
