Business Services Industry
Panda Software Reports on New Variants of VBS/LoveLetter
Business Wire, May 6, 2000
Business Editors/High Tech Writers
MADRID--(BUSINESS WIRE)--May 6, 2000
Panda Software has reported on more new variants of the worm VBS/LoveLetter. Some of the differences between these variants and the original version include: their names, the message carried, the webpages they connect to, the file extensions they affect and the fact that they do not carry a trojan (except VBS/LoveLetter.H).
Users can download the updated version of Panda Antivirus from the corporate website (http://www.pandasoftware.com), for effective protection against the variants. The innovative technology incorporated into the Panda solutions is capable of fully neutralizing all mutations of VBS/LoveLetter unless the latter are developed in such a way that the entire program is altered.
The names of these new variants and their different characteristics include:
-- VBS/LoveLetter.F
Differences:
1. The electronic mail message in which the virus is sent out
presents the following features:
Subject : "Dangerous Virus Warning"
Text: "There ia a dangerous virus circulating. Please click attached
picture to view it and learn to avoid it"
2. The attached file in the e-mail message in which it is sent is
called VIRUS_WARNING.JPG.VBS . When it is sent through an IRC channel,
the file sent out is called URGENT_VIRUS_WARNING.HTM.
3. The virus tries to connect itself to the following URLs:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe
The worm does not attempt to download any trojan from the above
addresses
4. The variant also affects files with the following extensions:
WAV, TXT, GIF, DOC, HTM, HTML and XLS
-- VBS/LoveLetter.G
Differences:
1. The e - mail message in which the virus is sent out presents the
following features:
From: support@symantec.com
Subject: "Virus ALERT!!!"
Text: "Symantec's AntiVirus Research Center began receiving
reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000
GMT. This worm appears to originate from the Asia Pacific region.
Distribution of the virus is widespread and hundreds of thousands of
machines are reported infected.
The VBS.LoveLetter.A is an Internet worm that uses Microsoft
Outlook to e-mail itself as an attachment. The subject line of the
e-mail reads ILOVEYOU, with the attachment titled
LOVE-LETTER-FOR-YOU.TXT.VBS. Once the attachment is opened, the virus
replicates and sends an e-mail to all e-mail addresses listed in the
address book.
The virus also spreads itself via Internet relay chat and infects
files on local and remote drives including files with extensions vbs,
vbe, js, sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. Users should
exercise caution when opening e-mails with this subject line, even if
the e-mail is from someone they know, as that is how the virus is
spread.
Symantec Corp. today announced availability of the virus
definition to detect, repair and protect users against the
VBS.LoveLetter.A virus.
This definition is available now via Symantec's LiveUpdate and can
also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec
Also as a quick solution Symantec Corp. offers Visual Basic Script
to protect your PC against this worm. (See attached.) Note! When
executed, this script will protect Your PC from being INFECTED by
VBS.LoveLetter.A virus. To cure already infected PC's download Norton
Antivirus Updates mentioned above.
Symantec Corporation - a world leader in internet security
technology."
2. The attached file in the e-mail message in which it is mailed out
is called PROTECT.VBS. When sent via IRC, it is called PROTECT.HTM
3. The web addresses it tries to connect to are:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with
the URL: http://3doc.dailypussy.com/gallery/bunny.html
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page, with
the URL: http://3doc.dailypussy.com/gallery/bunny.html
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page, with the
URL: :http://astalavista.box.sk
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page, with the
URL: http://astalavista.box.sk
HKLM\Software\Microsoft\Internet Explorer\Main\Defaul_Page_URL, with
the URL: http://www.persiankitty.com
HKLM\Software\Microsoft\Internet Explorer\Main\Local Page, assigning
it the value of PROTECT.HTM, which is the file it has copied in the
Windows SYSTEM folder
The worm does not attempt to download any trojan from the above
addresses.
4. The variant also affects files with the extensions COM and BAT.
-- VBS/LoveLetter.H
Differences: The comment lines at the beginning of its code have
been eliminated.
Most Recent Business Articles
- How do I determine my retainer fee?
- Why fly solo when an executive assistant can accelerate your CLNC® business?
- The CLNC® mentors held the key to my first case and to my CLNC® success
- Atlanta CLNC® 6-day certification seminar photo galleryplus sign up today for spring 2009 to save $100.00
- Speak to a full-time practicing CLNC® consultant
Most Recent Business Publications
Most Popular Business Articles
- Using object-oriented analysis and design over traditional structured analysis and design
- Big Fish Games Migrates Upstream to Fisher Plaza; High Growth Online Gaming Firm Vaults Fisher Plaza Occupancy Rate Above 90%
- Top of the line: some of the world's most well-respected doctors practice in South Florida. A guide to choosing the best physician specialists - Top Doctors in South Florida
- Sand filter basics: high-rate sand filters can be confusing for those new to the business. Understanding valve modes is the key
- BEHR Paints Introduces a Colorful New Way to Paint and Prime All in One with BEHR Premium Plus Ultra™ Interior
Most Popular Business Publications
Content provided in partnership with http://findarticles.com/source//

