Threat Description

Valentine

Details

Aliases: Valentine
Category: Malware
Type: Worm
Platform: VBS

Summary



VBS/Valentine is a mass mailing worm written in Visual Basic Script.

On February 19th 2001, this worm has been posted to several Usenet newsgroups. F-Secure Anti-Virus detects this worm with updates released February 13rd, 2001 or later.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Valentine.A@mm

The worm arrives in an infected message sent with Microsoft Outlook. When it is openend, it first drops "loveday14-b.hta" to the Windows Startup directory in both Spanish and English versions of Windows.

When the system is restarted, "loveday14-b.hta" will be executed and the following message box is shown.

The worm creates an infected "main.html" file to the Windows System directory and sets the Internet Explorer start page to point to a web page that contains another worm, VBS/San.A@m. Further information about VBS/San.A@m is available at: http://www.Europe.F-Secure.com/v-descs/san.shtml

VBS/Valentine.A sends itself to every recipient in each address book. The infected message has the following content:

  Subject:
    Body:       Que cosa mas tonta


Message does not have an attachment. The worm code is embedded into the HTML message itself on a similar way as VBS/BubbleBoy.

Like VBS/Timofon.A, this worm attempts to send messages to cellular phones using a SMS gateway at Movistar.net. These messages contain the following text:

  Feliz san valentin.


These messages are visible in Outlook Sent Items folder. They look as follows:

  Subject:    Feliz san valentin
    Body:       Feliz san valentin. Por favor visita (link to a web page)


where (link to a web page) is a link to the worm itself.

Next VBS/Valentine.A searcs all network and local drives for a mIRC installation, and if such is found, it replaces the "script.ini" file with its own causing that the "mail.html" from the Windows System directory will be sent when an user joins the same channel where an infected user is.

At 8th, 14th, 23rd and 29th of any month the worm activates its payload deleting all files from all drives, replacing deleted files with text files that has the same name but an additional ".txt" extension. These text files have the following content:

  Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor
    a Davinia, la chica mas guapa del mundo.
    Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.
    Todos los dias a todas horas pienso en ti y cada segundo que no te veo
    es un infierno.
    Quieres salir conmigo?
    En cuanto a ti usuario, debo decirte @ue tus ficheros
    no han sido contaminados por un virus,
    sino sacralizados por el amor que siento por Davinia.


This worm has been available on a public web page in the Internet and it has been posted to several Usenet newsgroups. Even after the infected web page has been removed from the Internet, the worm is able to spread via Outlook Express.

This worm uses the same security vulnerability as JS/Kak.A@m. A fix and futher information about this vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Further information about JS/Kak.A@m is available at: http://www.F-Secure.com/v-descs/kak.shtml





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2000


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More