Vulnerability Development mailing list archives

Re: New worm?


From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Thu, 4 May 2000 18:53:01 +0400


Hello Blue,

I got it too, a few hours ago. This is a very simple worm, but it can be
dangerous. The problem is that this worm infects local files (.vbs, .vbe,
.js, .jse and others) and destroys them, makes "copies" of .jpg, .jpeg, .mp3,
.mp2 files with a ".vbs" extension and installs one of the files:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I can't download any of these files because www.skyinet.net seems to be
dead (maybe because of the huge number of requests), so I can say nothing
about what it is. I have reported this to abuse () skyinet net and got
nothing but an autoreply.

To remove it:
remove all .vbs and .vba files (even if you had your own, they have been destroyed by the worm)
remove the LOVE-LETTER-FOR-YOU.HTM file
remove the registry keys:
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
set the correct Download directory and Start Page for IE.

Kaspersky Lab has just reported this worm; it is classified as
I-Worm.LoveLetter and included in the daily update of the AVP bases.

Thursday, May 04, 2000, 6:07:11 PM, you wrote:

BB> I received two copies of this worm-looking thing this morning.  I don't
BB> have time to look myself before I head out, but I thought the list
BB> might be interested.  The second copy looks like someone who got it
BB> themselves and wants to know what it is.

BB> Attached is a zip, and inside it is another zip of the two files
BB> wrapped in their original mail headers.. so it should be pretty
BB> safe unless you go out of your way to run them.  In which case,
BB> caveat subscriber.

BB> It looks like VBScript, and has a .vbs extension, and diddles
BB> with reg keys, so I assume it's after windows boxen with WSH
BB> installed.

BB>                                 BB


--
Best regards,
 3APA3A
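The indicator list in the message above, turned into a read-only sweep. This is an added example and not part of 3APA3A's message or the vuln-dev archive: it walks a directory tree looking for LOVE-LETTER-FOR-YOU.HTM, for ".vbs copies" of media files and for script files the worm may have overwritten, and on Windows reads the two HKEY_LOCAL_MACHINE Run/RunServices values named in the message. It reports and deletes nothing. Two assumptions are mine: that the worm's media copies keep the original name with ".vbs" appended (photo.jpg becomes photo.jpg.vbs; the message does not state the pattern), and the sample directory tree is constructed here for an offline dry run, not real worm output.

```python
"""Indicator sweep for the worm described in the message above (added example).

Assumption: the .vbs "copies" of media files keep the original name with .vbs
appended (photo.jpg -> photo.jpg.vbs); the message does not give the pattern.
The registry check runs only on Windows; elsewhere it is skipped.
"""
import os
import sys
import tempfile
from pathlib import Path

# Script types the message says the worm overwrites.
OVERWRITTEN_EXT = {".vbs", ".vbe", ".js", ".jse"}
# Media types the message says get a .vbs copy.
MEDIA_EXT = {".jpg", ".jpeg", ".mp3", ".mp2"}
DROPPED_HTM = "love-letter-for-you.htm"
# Autostart values named in the message, under HKEY_LOCAL_MACHINE.
RUN_VALUES = [
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32"),
    (r"Software\Microsoft\Windows\CurrentVersion\RunServices", "Win32DLL"),
]


def classify(path):
    """Label one path as an indicator, or return None if nothing matches."""
    if path.name.lower() == DROPPED_HTM:
        return "dropped-htm"
    suffixes = [s.lower() for s in path.suffixes]
    # Assumed naming for the worm's media copies: <name>.<media ext>.vbs
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MEDIA_EXT:
        return "media-copy"
    # Any remaining script file may have been overwritten; inspect its contents.
    if suffixes and suffixes[-1] in OVERWRITTEN_EXT:
        return "script-check-contents"
    return None


def sweep(root):
    """Walk root; return {label: sorted relative paths} for every hit."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            label = classify(full)
            if label:
                findings.setdefault(label, []).append(
                    full.relative_to(root).as_posix())
    return {label: sorted(paths) for label, paths in findings.items()}


def check_run_values():
    """On Windows, return {value name: data} for the autostart values present."""
    if not sys.platform.startswith("win"):
        return {}  # registry check skipped off Windows
    import winreg
    present = {}
    for subkey, value in RUN_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                present[value] = winreg.QueryValueEx(key, value)[0]
        except OSError:  # key or value absent
            continue
    return present


def build_sample(root):
    """Constructed sample tree (not real worm output) for an offline dry run."""
    root = Path(root)
    (root / "pics").mkdir(parents=True, exist_ok=True)
    for rel in ("pics/photo.jpg", "pics/photo.jpg.vbs", "song.mp3",
                "song.mp3.vbs", "logon.vbs", "LOVE-LETTER-FOR-YOU.HTM",
                "notes.txt"):
        (root / rel).write_text("sample")


def demo():
    """Sweep the constructed tree and return the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {', '.join(paths)}")
    for value, data in check_run_values().items():
        print(f"registry {value} = {data!r}")
```

Point `sweep()` at a real drive root to triage a host; anything under "script-check-contents" needs its contents read, since a .vbs overwritten by the worm is indistinguishable by name from one you wrote yourself.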


