Panda Software Reports on New Variants of VBS/LoveLetter

Business Wire, May 6, 2000

Business Editors/High Tech Writers

MADRID--(BUSINESS WIRE)--May 6, 2000

Panda Software has reported on more new variants of the worm VBS/LoveLetter. Some of the differences between these variants and the original version include: their names, the message carried, the webpages they connect to, the file extensions they affect and the fact that they do not carry a trojan (except VBS/LoveLetter.H).

Users can download the updated version of Panda Antivirus from the corporate website (http://www.pandasoftware.com), for effective protection against the variants. The innovative technology incorporated into the Panda solutions is capable of fully neutralizing all mutations of VBS/LoveLetter unless the latter are developed in such a way that the entire program is altered.

The names of these new variants and their different characteristics include:

-- VBS/LoveLetter.F

Differences:

1.   The electronic mail message in which the virus is sent out
presents the following features:

Subject : "Dangerous Virus Warning"

Text: "There ia a dangerous virus circulating. Please click attached
picture to view it and learn to avoid it"

2. The attached file in the e-mail message in which it is sent is
called VIRUS_WARNING.JPG.VBS . When it is sent through an IRC channel,
the file sent out is called URGENT_VIRUS_WARNING.HTM.

3. The virus tries to connect itself to the following URLs:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with the
URL: http://www.skycable.tucows.com/files2/setup24.exe

The worm does not attempt to download any trojan from the above
addresses

4. The variant also affects files with the following extensions:
WAV, TXT, GIF, DOC, HTM, HTML and XLS


-- VBS/LoveLetter.G

Differences:

1. The e - mail message in which the virus is sent out presents the
following features:
From: support@symantec.com
Subject: "Virus ALERT!!!"

      Text: "Symantec's AntiVirus Research Center began receiving
reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000
GMT. This worm appears to originate from the Asia Pacific region.
Distribution of the virus is widespread and hundreds of thousands of
machines are reported infected.
      The VBS.LoveLetter.A is an Internet worm that uses Microsoft
Outlook to e-mail itself as an attachment. The subject line of the
e-mail reads ILOVEYOU, with the attachment titled
LOVE-LETTER-FOR-YOU.TXT.VBS. Once the attachment is opened, the virus
replicates and sends an e-mail to all e-mail addresses listed in the
address book.
      The virus also spreads itself via Internet relay chat and infects
files on local and remote drives including files with extensions vbs,
vbe, js, sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. Users should
exercise caution when opening e-mails with this subject line, even if
the e-mail is from someone they know, as that is how the virus is
spread.
      Symantec Corp. today announced availability of the virus
definition to detect, repair and protect users against the
VBS.LoveLetter.A virus.
      This definition is available now via Symantec's LiveUpdate and can
also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec
      Also as a quick solution Symantec Corp. offers Visual Basic Script
to protect your PC against this worm. (See attached.) Note! When
executed, this script will protect Your PC from being INFECTED by
VBS.LoveLetter.A virus. To cure already infected PC's download Norton
Antivirus Updates mentioned above.
      Symantec Corporation - a world leader in internet security
technology."

2.  The attached file in the e-mail message in which it is mailed out
is called PROTECT.VBS. When sent via IRC, it is called PROTECT.HTM

3. The web addresses it tries to connect to are:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, with
the URL: http://3doc.dailypussy.com/gallery/bunny.html

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page, with
the URL: http://3doc.dailypussy.com/gallery/bunny.html

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page, with the
URL: :http://astalavista.box.sk

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page, with the
URL: http://astalavista.box.sk

HKLM\Software\Microsoft\Internet Explorer\Main\Defaul_Page_URL, with
the URL: http://www.persiankitty.com

HKLM\Software\Microsoft\Internet Explorer\Main\Local Page, assigning
it the value of PROTECT.HTM,  which is the file it has copied in the
Windows SYSTEM folder

      The worm does not attempt to download any trojan from the above
addresses.

4.  The variant also affects files with the extensions COM and BAT.


-- VBS/LoveLetter.H

      Differences: The comment lines at the beginning of its code have
been eliminated.