Name:  VBS.NewLove.A
Aliases:  VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A, VBS/NewLove-A, NewLove
Variants:  
Type:  Polymorphic worm
Platforms: Windows
Status:  in the wild
Threat:  High
The following has been derived from information provided by Sophos, Computer Associates, Trend, Network Associates, Symantec, and ICSA.
Virus Characteristics
VBS.NewLove.A is a new polymorphic mass-mailing worm which is being reported in the wild. The worm is a Visual Basic Script virus that mutates its appearance in an attempt to avoid detection by anti-virus products. The virus spreads by sending itself to all addresses in the Outlook address book when activated. Unlike VBS.LoveLetter.a, which limited damage to graphic and music files, the VBS.NewLove.A worm infects all files on both local and mapped network drives. This worm is not a variant of LoveLetter, although the VBS.LoveLetter mass-mailing code appears to have been reused. Windows Scripting Host is required for the virus to activate; it is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
The virus chooses a random filename and attempts to forward a mutated version of itself to everybody in your Microsoft Outlook address book. The name of the file it forwards is determined by randomly choosing one of the filenames in your Windows\Recent folder, appended with ".Vbs" (for instance, EXPENSES.XLS becomes EXPENSES.XLS.Vbs).
Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.
The worm installs itself by copying its code to Windows and System directories and modifying two registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
When the worm is first run it drops a copy of itself in the Windows folder, named either after a file from the Recent Documents folder or with a random name, with a random extension chosen from Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt, followed by the real extension ".vbs". The worm modifies that copy by adding random comments to its body.
A sample of the email is as follows:
SUBJECT: FW: <filename>
(The <filename> is the name of the newly created file, without the .vbs extension)
BODY: none
ATTACHMENT: The newly created file
If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted: the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of the infected machine).
VBS.NewLove.A does not use the same filename or subject line on different infections.
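The mail-gateway check implied by the sample above, written here as an added example rather than code from any of the vendors named on this page: it flags any attachment ending in ".vbs" and, more specifically, the worm's pattern where the subject is "FW: " plus the attachment name minus ".vbs" and the attachment carries a double extension (including the NT/2000 form "FW: .EXT" / ".EXT.VBS"). The sample messages are constructed for the demonstration, not captured mail.

```python
import re
from email.message import EmailMessage

# Matches a trailing ".vbs" in any letter case (the page notes the
# attachment always arrives with the ".Vbs" suffix).
VBS_RE = re.compile(r"\.vbs$", re.IGNORECASE)

SEVERITY = {"pass": 0, "quarantine:vbs-attachment": 1,
            "quarantine:newlove-pattern": 2}

def is_vbs_attachment(filename):
    """Any attachment whose name ends in .vbs, case-insensitively."""
    return bool(VBS_RE.search(filename))

def matches_newlove_pattern(subject, filename):
    """Subject is 'FW: <stem>' where <stem> is the attachment name
    without its .vbs suffix, and <stem> itself still has an extension
    (e.g. EXPENSES.XLS.Vbs, or .DOC.VBS on NT/2000)."""
    if not is_vbs_attachment(filename):
        return False
    stem = VBS_RE.sub("", filename)
    if not subject.lower().startswith("fw: "):
        return False
    if subject[4:].strip().lower() != stem.lower():
        return False
    return "." in stem   # double extension: <name>.<ext> remains

def classify(subject, filename):
    """Verdict for one (subject, attachment filename) pair."""
    if matches_newlove_pattern(subject, filename):
        return "quarantine:newlove-pattern"
    if is_vbs_attachment(filename):
        return "quarantine:vbs-attachment"
    return "pass"

def build_sample(subject, filename):
    """Constructed test message (placeholder attachment, not worm code)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg.set_content("")   # the page reports BODY: none
    msg.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

def scan(msg):
    """Most severe verdict across all attachments of a message."""
    subject = str(msg["Subject"] or "")
    verdicts = [classify(subject, part.get_filename() or "")
                for part in msg.iter_attachments()]
    return max(verdicts, key=SEVERITY.get, default="pass")
```

Blocking on `is_vbs_attachment` alone is the blanket *.VBS filter the Prevention section asks for; the stricter pattern is useful for tagging suspected NewLove traffic separately when a gateway log is reviewed.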
Payload
The virus attempts to overwrite all files that are not currently in use regardless of extension. Instead of being overwritten, a glitch in the virus causes all files to be reduced to 0 bytes. This means that Windows may stop working correctly, and that your system will not start up properly upon reboot. Files in the root of any drive are not affected.
Users who have disabled Windows Scripting Host (WSH) on their computers will not be infected by this virus.
Users who are blocking any Visual Basic Script filename (the infected message's attachment filename always ends in ".Vbs") will not be affected.
Because of the way the virus mutates, it grows rapidly in size with each infection. This means that your mail server may be slowed by increasingly large volumes of email.
Removal
The contents of all files will be replaced with the source code of the worm, thus destroying the original contents. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups.
Prevention
Corporations and organizations should disable e-mail gateways until effective filtering / quarantine of all email containing *.VBS attachments can be accomplished. Users should not open forwarded messages containing attachments of any type.