
F-Secure Virus Descriptions : Lovsan.E
NAME: Lovsan.E
ALIAS: W32/Msblast.E, Worm.Win32.Lovesan, W32.Blaster.E.Worm, MSLaugh
Another new variant of the Lovsan worm, Lovsan.E, was found on August 29th, 2003.
This variant is functionally identical to Lovsan.A, with a few minor differences:
- It uses the file name mslaugh.exe instead of MSBLAST.EXE.
- It uses a different mutex name: 'SILLY'.
- The DDoS target has been changed to kimble.org, which already points
to 127.0.0.1, effectively causing the infected hosts to attack
themselves.
- The registry value has been changed to
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Automation'.
- It has a different hidden message:
'I dedicate this particular strain to me ANG3L -
hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!'
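A triage check built from the registry and file-name indicators listed above, as an added example that is not F-Secure's code and not part of the F-LOVSAN tool: it parses `reg query` output for the Run key and flags the Lovsan.E value name and the worm file names. The helper names and the sample output are constructed for illustration.

```python
import re

# Indicators from the description above. msblast.exe is the Lovsan.A file name.
RUN_VALUE_NAME = "windows automation"
WORM_FILES = {"mslaugh.exe": "Lovsan.E", "msblast.exe": "Lovsan.A"}

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# First path component ending in .exe, whether or not the path is quoted.
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)

def parse_reg_query(text):
    """Return (name, type, data) tuples from `reg query` output."""
    return [m.groups() for m in map(VALUE_LINE.match, text.splitlines()) if m]

def launched_exe(data):
    """Lower-cased base name of the executable a Run entry starts, or None."""
    m = EXE_NAME.search(data)
    return m.group(1).strip().lower() if m else None

def triage(text):
    """Flag Run entries matching the value name or a worm file name."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        reasons = []
        if name.strip().lower() == RUN_VALUE_NAME:
            reasons.append("Run value name used by Lovsan.E")
        exe = launched_exe(data)
        if exe in WORM_FILES:
            reasons.append(f"starts {exe} ({WORM_FILES[exe]} file name)")
        if reasons:
            findings.append((name.strip(), data.strip(), reasons))
    return findings

# Constructed sample of `reg query` output for the Run key (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Automation    REG_SZ    mslaugh.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    Updater    REG_EXPAND_SZ    %SystemRoot%\System32\MSLAUGH.EXE
"""

if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE):
        print(f"{name!r} -> {data!r}: {'; '.join(reasons)}")
```

An entry that matches on the value name alone is weaker evidence than one that also starts mslaugh.exe, so the reasons are reported separately.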
Disinfection
For the full 8-step list of how to get rid of Lovsan, please check:
http://www.europe.f-secure.com/v-descs/msblast.shtml
F-Secure's special removal tool will remove A, B, C and E variants of Lovsan.
The tool can be downloaded from:
http://www.f-secure.com/tools/f-lovsan.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip
Documentation on the tool is available from:
http://www.f-secure.com/tools/f-lovsan.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.txt
System administrators who are using F-Secure Policy Manager can distribute the
F-LOVSAN tool as a JAR package automatically to all workstations.
System administrators can download the JAR version from:
http://www.f-secure.com/tools/f-lovsan.jar
ftp://ftp.Europe.F-Secure.com/anti-virus/tools/f-lovsan.jar
Detection
F-Secure Anti-Virus detects this variant of the worm with database
versions starting from:
[FSAV_Database_Version]
Version=2003-08-14_02
[Analysis: Gergely Erdelyi; F-Secure Corp.; August 29th, 2003]