F-Secure Virus Descriptions : Loveletter.CN
| NAME: | Loveletter.CN |
| ALIAS: | VBS/Anjulie.gen@MM, Jennifer Lopez |
| ALIAS: | VBS.Loveletter.CM@mm, VBS.Lopez.A@mm |
Loveletter.CN is a worm written in Visual Basic Script that also
drops and runs a file named Cih_14.exe. This file is infected with
a variant of the CIH virus. More information on the CIH virus can
be found here:
Europe: http://www.europe.f-secure.com/v-descs/cih.shtml
USA: http://www.f-secure.com/v-descs/cih.shtml
Loveletter.CN is an e-mail worm (mass mailer) that propagates
using the Microsoft Outlook application. The worm sends itself to
all recipients listed in the Outlook address book in messages that
look as follows:
Subject: Where are you?
Body: This is my pic in the beach!
Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs
The worm adds a run key in the registry, so it will execute on
Windows startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WORM=<Windows folder>\JENNIFERLOPEZ_NAKED.JPG.vbs
To mass mail only once, the worm uses another registry key as a
marker:
HKCU\software\JENNIFFERLOPEZ_NAKED\mailed
Once executed, the virus searches through all drives and infects
files with the following extensions (by overwriting them): VBS,
VBE, JS, JSE, WSH, HTA, JPG, JPEG, MP2, MP3, SCT and CSS. Then
the virus changes CSS, HTA, JS, JSE, SCT and WSH extensions to
VBS. Loveletter.CN also adds VBS as a second extension to JPG,
JPEG, MP2 and MP3 files.
[Analysis: Katrin Tocheva, F-Secure; May 31, 2001]
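The file changes described above leave a recognisable pattern in a directory listing. As an added example, not part of the original F-Secure description, this Python code triages a post-infection file listing against a pre-infection baseline listing and reports which original files to restore from backup; the baseline, the sample paths and the function names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

WORM_NAME = "jenniferlopez_naked.jpg.vbs"       # attachment / startup copy name
MEDIA_EXTS = {".jpg", ".jpeg", ".mp2", ".mp3"}   # get ".vbs" appended
RENAMED_EXTS = {".css", ".hta", ".js", ".jse", ".sct", ".wsh"}  # become ".vbs"


def norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def triage(current, baseline):
    """Map each suspicious current path to (label, original path or None).

    Overwritten .vbs/.vbe files keep their names, so a listing cannot
    reveal them; those need a content comparison instead.
    """
    present = {norm(c) for c in current}
    # Baseline files that have vanished and would now carry a .vbs extension.
    renamed = {}
    for b in baseline:
        p = PureWindowsPath(b)
        if p.suffix.lower() in RENAMED_EXTS and norm(b) not in present:
            renamed[norm(p.with_suffix(".vbs"))] = b
    findings = {}
    for c in current:
        p = PureWindowsPath(c)
        suffixes = [s.lower() for s in p.suffixes]
        if p.name.lower() == WORM_NAME:
            findings[c] = ("worm-copy", None)
        elif len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MEDIA_EXTS:
            # Content is lost; the name without ".vbs" is what to restore.
            findings[c] = ("overwritten-media", str(p.with_suffix("")))
        elif norm(c) in renamed:
            findings[c] = ("renamed-script", renamed[norm(c)])
    return findings


# Constructed sample listings (not taken from a real system).
BASELINE = [r"C:\web\style.css", r"C:\web\menu.js", r"C:\music\song.mp3"]
CURRENT = [r"C:\WINDOWS\JENNIFERLOPEZ_NAKED.JPG.vbs", r"C:\web\style.vbs",
           r"C:\web\menu.js", r"C:\music\song.mp3.vbs", r"C:\scripts\backup.vbs"]

if __name__ == "__main__":
    for path, (label, original) in triage(CURRENT, BASELINE).items():
        print(f"{label:18} {path}  (original: {original})")
```

A plain .vbs file with no baseline counterpart, such as backup.vbs in the sample, is not flagged by name; it may be legitimate or overwritten in place.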