Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: none listed
Detection files published: 04 May 2000 03:00:00
Description created: 18 Oct 2000 03:00:00
Description updated: 09 Nov 2001 02:15:00
Malware type: VIRUS
Aliases: VBS/LoveLetter_based, VBS/Plan.A, VBS_Colombia
Spreading mechanism: EMAIL, NETWORK
Summary: None

VBS/LoveLetter.AS@mm

Spreading

VBS/LoveLetter.AS arrives in an e-mail whose subject, body and attachment name are randomized. In some cases the e-mail will look like the one below; in other cases the subject will be blank, the body will be ten randomly selected letters, and the attachment name six random letters.

(Image not available)


The attachment always has a double extension, randomly selected from these three:

Jpg.vbs
Bmp.vbs
Gif.vbs

The worm itself is not polymorphic; only the message it sends varies. When an infected file is executed, it uses MS Outlook to send messages to all entries in all address lists.

It drops two infected files to the hard disk and creates two Registry entries to load itself each time Windows is started:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32, C:\[Systemfolder]\LINUX32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload, c:\[WindowsFolder]\reload.vbs

The worm looks for WinFAT32.exe in Windows' System folder. If that file does not exist, the worm changes Internet Explorer's Start Page to one of three URLs to download files. All of these URLs point to files named *.zip, but one of the files is plain text and the other two are Bitmap files. Once one of these has been downloaded, Internet Explorer's Start Page is changed back to "about:blank". The two bitmap files are copied to the Windows folder as logos.sys and logow.sys; the text file is copied to the Windows folder as important_note.txt, and a registry key to open this .txt file at Windows startup is created.

The virus searches all local drives and network drives for files with certain extensions. It overwrites files of the following types with copies of itself and renames them to originalfilename.VBS:

*.VBS *.VBE *.JS *.JSE *.CSS *.WSH *.SCT *.HTA

Further, it creates copies of *.JPG and *.JPEG files with an extra extension (.vbs) appended.

For example, if you have a file mypicture.jpg, the virus creates a new file mypicture.jpg.vbs containing the virus code and deletes the original. If the original file is write protected, the virus fails to delete it and only succeeds in creating the companion file with the .vbs extension.

The virus also searches for *.MP3 and *.MP2 files. For each one it creates a new file with an extra .VBS extension (myfile.mp3.vbs) and writes its viral code to that file. It then sets the attribute of the original *.MP3 file to hidden; the original *.MP3 file is not overwritten.

It also drops a .htm file to Windows' System folder:

C:\[SystemFolder]\US-PRESIDENT-AND-FBI-SECRETS.HTM

Finally, it tries to disconnect all network drives from Z to F.
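The file-infection behaviour described above (companion .vbs files beside *.jpg/*.jpeg/*.mp3/*.mp2 originals, and many byte-identical .vbs copies spread across drives) leaves a recognizable pattern on disk. The following Python triage scan is an added example, not vendor code: it walks a directory tree, reports companion files and whether the original survived (the write-protected case), and clusters .vbs files by content hash so that mass overwrites show up as one large cluster. The sample tree built by demo() is constructed for illustration.

```python
"""Triage scan for file-system artefacts matching the LoveLetter.AS
infection pattern (added example, not vendor code)."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Inner extensions that end up with a companion <name>.<ext>.vbs file.
COMPANION_BASES = {".jpg", ".jpeg", ".mp3", ".mp2"}


def scan_tree(root, min_cluster=3):
    """Return companion files (vbs_path, original_path, original_present)
    and clusters of byte-identical .vbs files of size >= min_cluster."""
    companions = []
    vbs_by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        names_lower = {f.lower() for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() != ".vbs":
                continue
            path = os.path.join(dirpath, f)
            # mypicture.jpg.vbs -> stem "mypicture.jpg", inner extension ".jpg"
            if os.path.splitext(stem)[1].lower() in COMPANION_BASES:
                original = os.path.join(dirpath, stem)
                companions.append((path, original, stem.lower() in names_lower))
            with open(path, "rb") as fh:
                vbs_by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
    clusters = {h: p for h, p in vbs_by_hash.items() if len(p) >= min_cluster}
    return {"companions": companions, "identical_vbs_clusters": clusters}


def demo():
    """Build a constructed sample tree, scan it, and return the findings."""
    body = b"' constructed stand-in for the worm body\n"
    layout = {
        "pics/holiday.jpg.vbs": body,       # original already deleted
        "pics/locked.jpg": b"\xff\xd8",     # write-protected original survives
        "pics/locked.jpg.vbs": body,
        "music/song.mp3": b"ID3",           # mp3 originals are kept (hidden)
        "music/song.mp3.vbs": body,
        "scripts/a.vbs": body, "scripts/b.vbs": body, "web/c.vbs": body,
        "scripts/legit.vbs": b"WScript.Echo 1\n",
    }
    root = tempfile.mkdtemp()
    try:
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)
```

Run scan_tree() against a mounted image or a live volume root; a single hash cluster spanning many directories is the strongest signal, since the worm is not polymorphic.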

Payload Details

If the date is 17 September, a message pops up:

(Image not available)


(The five letters after "Att" are randomly selected; in this case "YEHID".)

Analysis

n/a

Removal

The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:10