SECURITY ALERT

Name:      VBS.LoveLetter.B-AC,Look! 2
Aliases:   Lithuania,Very Funny,BrainStorm,Susitikim,No Comments,
           Arab Air,German Resume,Variant Test,Look!,Yeah Yeah,
           Band-Aid,Bug and virus fix,Presente
Variants:  VBS.LoveLetter.A,Unix/LoveLetter.A
Type:      Worm
Platforms: Windows
Status:    in the wild
Threat:    High

The following has been derived from information provided by Computer Associates, McAfee, Symantec, Sophos, Command, Kaspersky Labs, eSafe, F-Secure, Norman, and Trend.

VBS/LoveLetter.B also known as VBS/LovLet-C, Susitikim, Lithuania

This variant uses a different message subject when it spreads:

Subject: Susitikim shi vakara kavos puodukui...
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

LoveLetter.B contains the following comments in its code:

Modified Lameris Tamoshius / Lithuania (Tovi systems)



VBS/LoveLetter.C
also known as Very Funny, VBS/LovLet-B

VBS/LoveLetter.C is a variant of the VBS/LoveLetter.A worm. The only two differences are the subject of the arriving e-mail and the name of the attachment. Instead of the original "ILOVEYOU" subject line, the subject used by VBS/LoveLetter.C is

fwd: Joke
or Joke

Instead of LOVE-LETTER-FOR-YOU.TXT.vbs, the name of the attachment is:

Very Funny.vbs
or VeryFunny.vbs

The HTML file sent through IRC is called:

Very Funny.HTM



VBS/LoveLetter.D
also known as VBS/LovLet-E

This variant is a slightly modified variant of VBS/LoveLetter.A and is reported to have a blank line inserted between each line of the original code.


VBS.LoveLetter.E
also known as VBS/LovLet-D

The following information was derived from information received from Sophos and Norman.

Infected emails have the following:

Subject line: Mothers Day Order Confirmation
Message text: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com

Attachment name: mothersday.vbs

Like VBS.LoveLetter.A, this variant also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it.

Any BAT or INI files are also overwritten by the virus but have the extension .VBS added to the existing filename. Please note that the original version made these changes to JPG or JPEG files.

Any MP2 or MP3 files are overwritten by the virus but are also copied to a new file that has the .VBS extension added. The original files are set as hidden.

If the virus determines that mIRC is installed on the system it will drop a mIRC script that will send the virus on via mIRC.

Please note that Norman advises that some infected files may appear not to be detected (files with the *.jpg.vbs extension which are not reported as infected). The cause is that the virus cannot overwrite write-protected files, but it does succeed in adding the .vbs extension to them, so such files are renamed without actually being infected. Deleting all files with the *.vbs extension might therefore cause more damage.
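As an added triage example (not from this alert or from any of the vendors cited), the following Python script checks whether a *.jpg.vbs file still begins with a JPEG header, so a picture that was merely renamed is restored rather than deleted while a file whose content was replaced by script text is quarantined. The sample files, their names and the script markers are constructed here.

```python
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
# Text that a VBScript body normally contains; a file the worm actually
# overwrote is script text from byte 0, so it cannot start with a JPEG header.
SCRIPT_MARKERS = (b"rem ", b"dim ", b"on error resume next", b"createobject")

def classify(path):
    """Return 'image', 'script' or 'unknown' for a file named *.jpg.vbs."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(JPEG_MAGIC):
        return "image"      # intact picture that only gained the .vbs suffix
    if any(marker in head.lower() for marker in SCRIPT_MARKERS):
        return "script"     # content replaced by script text
    return "unknown"

def plan_cleanup(paths):
    """Map each path to an action; nothing is deleted or renamed here."""
    actions = {}
    for path in paths:
        kind = classify(path)
        if kind == "image":
            actions[path] = "restore:" + path[:-len(".vbs")]   # drop the added suffix
        elif kind == "script":
            actions[path] = "quarantine"
        else:
            actions[path] = "review"
    return actions

def demo():
    """Create two constructed sample files and triage them."""
    folder = tempfile.mkdtemp()
    intact = os.path.join(folder, "holiday.jpg.vbs")
    with open(intact, "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 60)   # constructed JPEG header
    overwritten = os.path.join(folder, "party.jpg.vbs")
    with open(overwritten, "wb") as fh:
        fh.write(b"rem constructed sample script body\r\nOn Error Resume Next\r\n")
    return plan_cleanup([intact, overwritten])

if __name__ == "__main__":
    for path, action in demo().items():
        print(path, "->", action)
```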

The comment lines in the beginning of the code are changed.


VBS.LoveLetter.F

Subject line: Dangerous Virus Warning
Message text: There is a dangerous virus circulating.
Please click attached picture to view it and learn to avoid it.

Attachment name: virus_warning.jpg.vbs

This variant has changed the name of the dropped web page to Urgent_virus_warning.htm

The worm also replaces files with the following extensions:

CSS, DOC, GIF, HTA, HTM, HTML, JS, JSE, SCT, TXT, VBE, VBS, WAV, WSH, XLS, JPG, JPEG

with copies of itself except with a .VBS extension.

This virus hides MP2 and MP3 files and copies itself under their filenames with a .VBS extension added.

This virus modifies the Internet Explorer start page to download a program from Tucows.com called "E-Mail Remover" in a file named "SETUP24.EXE". This is a program and not a trojan.


VBS.LoveLetter.G

Subject line: Virus ALERT!!!
Message text: a long message regarding VBS.LoveLetter.A
Attachment name: protect.vbs

This variant pretends to be sent from support@symantec.com.


VBS.LoveLetter.H
also known as No Comments

The only difference between this variant and the A variant is that the leading comments in the script are omitted.


VBS.LoveLetter.I
also known as Brainstorm

Subject line: Important ! Read carefully !!
Message text: Check the attached IMPORTANT coming from me !
Attachment name: IMPORTANT.TXT.vbs

The first two commented lines have been changed to:

rem brain -Important(vbe) <What da fuck ?!>
rem by: BrainStorm / @ElectronicSouls Crew /

Instead of using the files:

"MSKernel32.vbs", "Win32DLL.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs",

it uses the following file names:

"ESKernel32.vbs", "ES32DLL.vbs", and "Important.TXT.vbs".

Registry changes were made accordingly to point to the new filenames.

The Script.ini file has been changed from:

";Khaled Mardam-Bey"
";http://www.mirc.com"

to

"BrainStorm"
";http://www.ElectronicSouls.8m.com"

and the HTML file it uses is "Important.HTM".


VBS.LoveLetter.J

This variant is a slightly modified version of VBS.LoveLetter.G


VBS.LoveLetter.K

This variant is functionally identical to VBS/LoveLetter.A. However, the e-mail message and the attachment name have been modified.

VBS/LoveLetter.K sends messages with the following content:

Subject line: How to protect yourself from the IL0VEY0U bug!
Message text: Here's the easy way to fix the love virus.
Attachment name: Virus-Protection-Instructions.vbs


VBS.LoveLetter.L

This variant replaces files with the extensions GIF & BMP instead of JPG & JPEG. The virus also hides files with the extensions of WAV & MID instead of MP3 & MP2. This variant has no IRC routine, and will not infect chat room users. The following files are copied to the hard disk: KILER.HTM, KILLER2.VBS, KILLER1.VBS. The following e-mail is used to propagate:

Subject line: I Cant Believe This!!!
Message text: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
Attachment name: KillEmAll.TXT.VBS


VBS.LoveLetter.M also known as Arab Air

This variant replaces files with extensions of DLL and EXE rather than JPG and JPEG and hides SYS and DLL files instead of MP3 and MP2. The file no-hate-FOR-YOU.HTM is copied to the hard disk. The e-mail used to propagate this variant is as follows:

Subject line: Thank You For Flying With Arab Airlines
Message text: Please check if the bill is correct, by opening the attached file
Attachment name: ArabAir.TXT.vbs


VBS.LoveLetter.N also known as Variant Test

This variant copies itself as sndvol32.vbs and IEAKDLL.vbs. The Internet Explorer start page is changed to http://altalavista.box.sk. It does not download the password-stealing trojan. Files with the following extensions are overwritten:

vbs, vbe, mpg, mpeg, avi, qt, qtm

The file important.htm is sent into Internet chat rooms via mIRC. The e-mail used to propagate the virus contains the following:

Subject line: Variant Test
Message text: This is a variant to the vbs virus.
Attachment name: IMPORTANT.TXT.vbs


VBS.LoveLetter.O

This variant is identical to the VBS.LoveLetter.A virus, except that the SCRIPT.INI contains the comment "Bla Bla Bla".


VBS.LoveLetter.P also known as Yeah Yeah

This variant sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. VBS.LoveLetter.P does not download the password-stealing trojan. Instead of overwriting files with the extensions of JPG and JPEG, this variant overwrites ZIP and RAR files. PAS and ASM files are hidden instead of MP3 and MP2 files. The worm propagates with the following e-mail:

Subject line: Yeah, Yeah another time to DEATH...
Message text: This is the Killer for VBS.LOVE-LETTER.WORM.
Attachment name: Vir-Killer.vbs


VBS.LoveLetter.Q also known as LOOK!, LOOK.vbs, VBS/LoveLetter.J, VBS.Loveletter.n

This variant of VBS.LoveLetter.A is distributed in the following e-mail:

Subject line: LOOK!
Message text: hehe...check this out.
Attachment name: look.vbs

When the worm is first run it drops copies of itself and writes an .HTM file in the following places:

WINDOWS\User32DLL.vbs
WINDOWS\SYSTEM\MSUser32.vbs
WINDOWS\SYSTEM\look.vbs
WINDOWS\SYSTEM\look.htm

It also adds the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSUser32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\User32DLL.vbs

in order to run the worm at system startup. Instead of overwriting files with the extensions of JPG and JPEG, this variant overwrites XLS and MDB files. EXE and LNK files are hidden instead of MP3 and MP2 files.


VBS.LoveLetter.R also known as German Resume

This variant uses an HTML file named BEWERBUNG.HTM, drops MSKERNEL32.VBS, WIN32DLL.VBS, and WINFAT32.EXE. Like VBS.LoveLetter.A, this variant downloads WIN-BUGSFIX.EXE and overwrites the same files which variant A overwrites. The e-mail used to propagate the virus is as follows:

Subject line: Bewerbung Kreolina
Message text: Sehr geehrte Damen und Herren!
Attachment name: BEWERBUNG.TXT.vbs


VBS.LoveLetter.S

VBS.LoveLetter.S is a variant of VBS.LoveLetter.A to which several comment lines have been added.


VBS.LoveLetter.T also known as BAND-AID

This variant spreads using the following e-mail:

Subject line: Recent Virus Attacks - Fix
Body text: Attached is a copy of a script that will reverse the efects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, ...
Attachment name: BAND-AID.DOC.vbs

Files with the following extensions are targeted by this variant: js, jse, css, wsh, sct, hta, jpg, jpeg, gif, tif, tiff, wav, mp2, mp3, lnk, bak, doc, xts, rtf, txt, htm, html, xml, mny, zip, bmp, cab, inf


VBS.LoveLetter.U also known as Presente

This variant spreads using the following e-mail:

Subject line: PresenteUOL
Body text: O UOL tem um grande presente para voce, e eh exclusivo. Veja o arquivo em anexo. http://www.uol.com.br
Attachment name: UOL.TXT.vbs

Files with the following extensions are targeted by this variant: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2, exe, com, ini

The HTML file used to transmit this virus via mIRC is named UOL.HTM.


VBS.LoveLetter.V

This is a minor variant of VBS.LoveLetter.A containing additional comments.


VBS.LoveLetter.W also known as Bug and virus fix

This variant spreads using the following e-mail:

Subject line: IMPORTANT: Official virus and bug fix
Body text: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
Attachment name: Bug and virus fix.vbs

Files with the following extensions are targeted by this variant: js, jse, css, wsh, sct, hta, exe, com, dll, sys, pwl, txt


VBS.LoveLetter.X

Subject line: NEUE ANTI-VIRUS-LISTE
Message text: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
Attachment name: ANTI-VIRUS-LISTE.TXT.vbs

The following files are replaced with copies of the virus with a VBS extension:

DOT, HTA, JS, MDB, PDF, WSH, VBE, VBS

DRV and INI files are overwritten with the virus with a VBS extension.


VBS.LoveLetter.Y

This is a major variant of VBS/LoveLetter.A. It uses the same file replacement techniques, but introduces a new technique for how files are infected and run by the system: instead of using the default Windows Scripting Host extension, the .GIF and .JPG file extensions are forced to be handled and run as script files.

This worm will arrive in an email message of the following format:

Subject line: Image of the Millenium
Message text: Hi, my name is Nelma Marisa, and I'm here to present the Image of the Millenium. Just unzip Nelma.zip and read the readme file included first. Then open the image called Millenium.gif. Thanks...
Attachment name: nelma.zip

The contents of the .ZIP are the following files:

MILLENNIUM.GIF [5,537 bytes]
NELMA.DLL [64,512 bytes - hidden attributes]
README.BAT [548 bytes]

The file MILLENNIUM.GIF is actually a VBScript file with a .GIF extension. The file NELMA.DLL is really an executable while the file README.BAT contains a batch script. If the user executes README.BAT, it will display the following to the screen:

Image Of The Millenium
Hello guys, my name is Nelma Marisa and I'm here to present the image of the millenium. Don't you know me??? Sure you know...

If you don't, just try to find me :))
Let's get to the real stuff.
Processing image...
Process complete!
Now, you just have to open the Image called Millenium.Gif...
Good luck,
Nelma!

In the background, the batch script executes nelma.dll, running a routine named "ProcessImage". NELMA.DLL contains instructions which modify the system registry with the following additions and changes:

--------Registry key values changed:-----
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\command
from "@"=""C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome"
to "@"="C:\WINDOWS\WScript.exe "%1" %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\command
from "@"=""C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome"
to "@"="C:\WINDOWS\WScript.exe "%1" %*"

--------Registry key values added:-----
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\ScriptEngine\@="VBScript"
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\DDEExec2\@=""file:%1",,-1,,,,,"
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\DDEExec2\Application\@="IExplore"
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\DDEExec2\Topic\@="WWW_OpenURL"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\ScriptEngine\@="VBScript"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\DDEExec2\@=""file:%1",,-1,,,,,"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\DDEExec2\Application\@="IExplore"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\DDEExec2\Topic\@="WWW_OpenURL"

These changes instruct the system to treat .GIF and .JPG files as directly executable VBScript, using Dynamic Data Exchange (DDE) and WScript.exe.
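As an added detection example, not part of the original alert, this Python script audits registry export lines in the format shown above and flags image file classes whose open command points at a script host, that carry a ScriptEngine subkey, or that have gained a non-standard DDE subkey. The sample export lines and the list of image ProgIDs are constructed assumptions.

```python
import re

# ProgIDs for picture types that should never be dispatched to a script host
# (assumed list; extend it from a known-good baseline of the system being checked).
IMAGE_CLASSES = {"giffile", "jpegfile", "bmpfile", "pngfile"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Export-style line: HKLM\Software\CLASSES\<ProgID>\<subkey path>\@=<default value>
LINE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\CLASSES\\([^\\]+)\\(.+?)\\@=(.*)$", re.IGNORECASE)

# Constructed sample export; the first two lines mirror the hijack described above.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\command\@="C:\WINDOWS\WScript.exe "%1" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\ScriptEngine\@="VBScript"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\DDEExec2\Topic\@="WWW_OpenURL"
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\command\@=""C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome"
HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command\@="C:\WINDOWS\NOTEPAD.EXE %1"
HKEY_LOCAL_MACHINE\Software\CLASSES\VBSFile\ScriptEngine\@="VBScript"
""".strip().splitlines()

def parse(lines):
    """Yield (progid, subkey, value) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower(), m.group(3).strip('"')

def audit(lines):
    """Return (progid, reason) findings for image classes wired to a script engine."""
    findings = []
    for progid, subkey, value in parse(lines):
        if progid not in IMAGE_CLASSES:
            continue                      # VBSFile etc. legitimately carry ScriptEngine
        if subkey == r"shell\open\command" and any(h in value.lower() for h in SCRIPT_HOSTS):
            findings.append((progid, "open command runs a script host: " + value))
        elif subkey == "scriptengine":
            findings.append((progid, "ScriptEngine subkey present, value " + value))
        elif subkey.startswith(r"shell\open\ddeexec2"):
            findings.append((progid, "non-standard DDE subkey " + subkey))
    return findings

if __name__ == "__main__":
    for progid, reason in audit(SAMPLE_EXPORT):
        print(f"{progid}: {reason}")
```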

Copies of the virus are made as follows:

NELMA.GIF
WINDOWS\W32DLL.DLL.GIF
WINDOWS\NELMA.GIF
WINDOWS\SYSTEM\NELMA.GIF
WINDOWS\SYSTEM\NELMA.HLP.GIF

The following registry keys are modified to load the virus at next Windows restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinHLP32=WINDOWS\SYSTEM\NELMA.HLP.GIF

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\W32DLL.DLL.GIF

Files with the following extensions are deleted and replaced with files containing the virus, created with a GIF extension:

CSS, HTA, JS, JSE, WSH

The virus creates companion files with the extension of VBS of files with the extensions of JPG and JPEG. MP2 and MP3 files are hidden.


VBS.LoveLetter.Z also known as BUG & VIRUS FIX

Subject line: BUG & VIRUS FIX
Body text: I got this from our system admin. Run this to help prevent any recent or future bug & virus attack's. It may take a small while up update your files.
Attachment name: MAJOR BUG & VIRUS FIX.vbs

Files with the following extensions are targeted by this variant: vbs, vbe, dll, exe, com, sys, txt, bat, mp3, mp2


VBS.LoveLetter.AA

This variant is a minor variant of VBS.LoveLetter.A containing additional comments.


VBS.LoveLetter.AB

This variant is a minor variant of VBS.LoveLetter.A in which a few lines of comment and instructions have been removed.


VBS.LoveLetter.AC also known as antivirusupdate

This variant is spread with the following e-mail:

Subject line: New Variation on LOVEBUG Update Anti-Virus!!
Message text: There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec.
Attachment name: antivirusupdate.vbs


LOOK! 2

This variant is similar to variant Q but hides MP2 and MP3 files.
