Vulnerability Development mailing list archives
Re: New worm?
From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Thu, 4 May 2000 18:53:01 +0400
Hello Blue,

I got it too, a few hours ago. This is a very easy worm, but it can be dangerous. The problem is this worm infects local files (.vbs, .vbe, .js, .jse and others) and destroys them, makes "copies" of .jpg, .jpeg, .mp3, .mp2 files with ".vbs" extension and installs one of the files:

  http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
  http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
  http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
  http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I can't download one of these files because www.skyinet.net seems to be dead (maybe because of the huge number of requests), so I can say nothing about what it is. I have reported this to abuse () skyinet net, got nothing but an autoreply.

To remove it:

- remove all .vbs, .vba files (even if you had ones, they are destroyed by the worm)
- remove the LOVE-LETTER-FOR-YOU.HTM file
- remove registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- Set correct Download directory and Start Page for IE.

Kaspersky Lab just reported on this worm; it's classified as I-Worm.LoveLetter and included in the daily update of AVP bases.

Thursday, May 04, 2000, 6:07:11 PM, you wrote:

BB> I received two copies of this worm-looking thing this morning. I don't
BB> have time to look myself before I head out, but I thought the list
BB> might be interested. The second copy looks like someone who got it
BB> themselves and wants to know what it is.

BB> Attached is a zip, and inside it is another zip of the two files
BB> wrapped in their original mail headers.. so it should be pretty
BB> safe unless you go out of your way to run them. In which case,
BB> caveat subscriber.

BB> It looks like VBScript, and has a .vbs extension, and diddles
BB> with reg keys, so I assume it's after windows boxen with WSH
BB> installed.

BB> BB

--
Best regards,
3APA3A
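Added example, not part of the original message or the list archive: a read-only PowerShell check for the registry values and files that the removal steps above name. The scan root `$Root` and the assumption that a media "copy" keeps the original file name with `.vbs` appended are this example's, not the message's.

```powershell
# Read-only audit (added example): reports the artifacts, deletes nothing.
# $Root, the folder tree to scan, is an assumption of this example.
param([string]$Root = $env:USERPROFILE)

# Registry values the message says to remove.
$runValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MSKernel32' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Win32DLL' }
)

$findings = @()
foreach ($v in $runValues) {
    # A missing key or value yields $null here instead of an error.
    $prop = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{
            Type = 'RunValue'; Item = "$($v.Key)\$($v.Name)"; Detail = $prop.($v.Name)
        }
    }
}

# Assumption: a media "copy" is the original name plus ".vbs" (photo.jpg.vbs).
$mediaCopy = '\.(jpg|jpeg|mp3|mp2)\.vbs$'

# -Force includes hidden files; unreadable folders are skipped silently.
foreach ($f in Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
    if ($f.Name -ieq 'LOVE-LETTER-FOR-YOU.HTM') {
        $findings += [pscustomobject]@{ Type = 'DroppedHtm'; Item = $f.FullName; Detail = $f.LastWriteTime }
    }
    elseif ($f.Name -match $mediaCopy) {
        $findings += [pscustomobject]@{ Type = 'MediaVbsCopy'; Item = $f.FullName; Detail = $f.LastWriteTime }
    }
    elseif ($f.Extension -in '.vbs', '.vba') {
        # Extensions as given in the removal step; listed for manual review.
        $findings += [pscustomobject]@{ Type = 'ScriptFile'; Item = $f.FullName; Detail = $f.LastWriteTime }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from the message were found.' }
else { $findings | Sort-Object Type, Item | Format-Table -AutoSize -Wrap }
```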