The VBS.NewLove.A is a worm, and spreads by sending itself to all adressees in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .Vbs extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension) Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.
Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A
Category: Worm
Infection length: Variable
Virus definitions: 05/18/2000 (release time pending)
Threat assessment:
Damage: High
Distribution: High
Wildness: Medium
Wild:
- Number of infections: More than 1000
- Number of sites: 3-9
- Geographic distribution: Medium
- Threat containment: Moderate
- Removal: Difficult
Damage:
- Payload: Overwrites files
- Payload trigger: .VBS email attachment is executed
- Large scale e-mailing: Sends itself to all addresses in Microsoft Outlook Address Book
- Modifies files: Overwrites every file on the system that is not currently in use including mapped local drives. Files in the root directory of any drive will not be affected.
- Degrades performance: Could clog email servers * Causes system instability: Overwrites critical system files
Distribution:
- Subject of e-mail: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
- Name of attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
- Size of attachment: Variable
- Target of infection: Overwrites all files that are not currently in use regardless of extension.
- Shared drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)
Technical Description
This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.) If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)
Removal
The contents of all files will be replaced with the source code of the worm, thus destroying the original contents. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups.
Share
Symantec
Symantec is a world leader in Internet security technology and technology solutions that help companies manage and support workforces that use laptop computers and other mobile devices. The company is a leading provider of software products for the consumer market and is rapidly growing its presence as a provider of solutions to enterprise organisations.
If you would like additional information on Symantec Corporation and its products, view the Symantec Press Centre at www.symantec.com/PressCenter/ on Symantec's Website.