F-Secure Virus Descriptions : LoveLetter.AS
Information about the original VBS/LoveLetter.A is available at:
http://www.F-Secure.com/v-descs/love.shtml
VBS/LoveLetter.AS spreads in messages with the following
characteristics:
Subject: US PRESIDENT AND FBI SECRETS
=PLEASE VISIT =>(http://WWW.2600.COM)<=
Body: VERY JOKE..! SEE PRESIDENT AND FBI TOP
SECRET PICTURES..
Attachment: (random_name.ext).vbs
Subject or body - or both - might contain only a string of random
upper case characters. The length of the random subject is 6
characters, and the length of the random body is 10 characters.
The attachment name is also random and the length is from 4 to 8
characters. The extension is chosen from one of the following:
.GIF.vbs
.BMP.vbs
.JPG.vbs
When the worm is executed, it replaces all files from every drive in
the same way the VBS/LoveLetter.A virus does. The worm also copies
itself to Windows System directory as "linux32.vbs". This file is
added to the registry and executed in every system startup.
This variant has an additional payload. It activates in September
17th, when the worm shows a message box with the following text:
Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
Att. (random_string) (M.H.M. TEAM)
After the message box has been shown, the worm disconnects all network
drives from E: to Z:.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
|
