SECURITY ALERT

Name:      VBS/Loveletter.bd
Aliases:   VBS/Contract, Resume.txt.vbs, VBS/Resume.a.worm,
           VBS/Loveletter.bd@mm, Loveletter.bd
Variants:  
Type:      Worm
Platforms: Windows
Status:    in the wild
Threat:    low

The following has been derived from information provided by Computer Associates, Norman Data Defense, and Network Associates.

Virus Characteristics

This is a VBScript Internet worm based loosely on the original VBS/Loveletter worm. It does not damage files, but it does contain a mechanism for downloading a password-stealing agent and launching it silently in the background. The worm distributes itself via MAPI email, with the file resume.txt.vbs attached and the subject "Resume".

The worm creates a legitimate copy of a TXT file named Resume.txt and displays it in Notepad. The first few lines are as follows:

"Knowledge Engineer, Zürich"
"Intelligente Agenten im Internet sammeln Informationen, erklären Sachverhalte im Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen Produkte. Unsere Mandantin entwickelt und vermarktet solche Software-Bots:..."

The worm checks for the registry entry HKEY_CURRENT_USER\Software\ACH0\, which is a marker indicating that the worm has already affected the machine. If the marker is not present, it immediately sends emails to every recipient in the user's Outlook address book (including those on mailing lists) with the subject 'Resume' and the body of the worm attached. It then sets the above registry entry so that it will not spread from this machine again. The worm also checks for the existence of the following registry entry: HKEY_CURRENT_USER\Software\UBS\UBSPIN\Options\Datapath. If the entry is present, it attempts to download a Trojan component via an FTP shell instruction coupled with a script file. This Trojan file is HCHECK.EXE, otherwise known as hooker.2.4.trojan.

This script requires Windows Scripting Host in order to execute.
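
The two registry checks described above can be used for host triage. The following is an added example, not code from the advisory or from any vendor named in it: it parses the text of a registry export (for instance one produced with "reg export HKCU" and decoded to a string) and reports which of the two entries are present. The function names, the verdict wording and the sample export are constructed for illustration, and treating Datapath as either a value or a subkey is an assumption.

```python
import re

# Indicators taken from the advisory text above.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\ACH0"
TARGET_KEY = r"HKEY_CURRENT_USER\Software\UBS\UBSPIN\Options"
TARGET_NAME = "Datapath"

def parse_reg_export(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\").lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def triage(text):
    """Classify a host from its HKCU export using the advisory's two entries."""
    keys = parse_reg_export(text)
    marker = MARKER_KEY.lower() in keys
    options = keys.get(TARGET_KEY.lower(), {})
    # Assumption: "Datapath" may be a value under Options or a subkey of it.
    targeted = (TARGET_NAME.lower() in options
                or (TARGET_KEY + "\\" + TARGET_NAME).lower() in keys)
    if marker and targeted:
        verdict = "worm ran; Trojan download condition met, search for HCHECK.EXE"
    elif marker:
        verdict = "worm ran and mailed itself; Trojan download condition not met"
    elif targeted:
        verdict = "no marker; host would trigger the Trojan download if the worm runs"
    else:
        verdict = "no indicators"
    return {"marker": marker, "targeted": targeted, "verdict": verdict}

# Constructed sample export (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ACH0]

[HKEY_CURRENT_USER\Software\UBS\UBSPIN\Options]
"Datapath"="C:\\UBSPIN\\DATA"
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host where only the ACH0 marker is found has already mailed the worm to the address book, so recipients should be notified even though no Trojan download was attempted.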


Payload

There is some confusion among the descriptions as to what exactly the Trojan does. The script may be stealing Swiss banking usernames and passwords and emailing them to 3 different email addresses. The Trojan may be logging keystrokes for network passwords and sending them to the same email addresses. Should the email be sent, it may or may not have the subject CONTRACT, and the email addresses are located in the BCC field.


Manual Removal

Delete the attached file resume.txt.vbs.


Detection

Network Associates - detected by engine 4.0.50, DAT 4092, DAT release date: 08/23/2000 - www.nai.com

Computer Associates - InoculateIT signature release 15.01 includes detection for VBS/Resume.A.Worm and Hooker 2.4.Trojan. Note that extension "vbs" should be in the specified extensions list to ensure detection when specified extensions are scanned.

Norman Data Defense - Norman Virus Control 4.70 or later combined with the 16 August 2000 or later update of the definition files.
