Email-Worm.VBS.Newlove

Class Email-Worm
Platform VBS
Description

Technical Details

This is an extremely dangerous variant of the “LoveLetter” Internet worm. Like its forerunner, the “NewLove” worm is written in the Visual Basic Script language
and spreads as a VBS file with a random name. The worm installs itself into
the system, gains access to the MS Outlook address book, and sends itself to all
addresses listed there.

The subject of an infected message begins with “FW:”, followed by random
text up to 30 characters in length and a random extension from the following list:

Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt

This also serves as the name of the attached file, for example:

FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp
FW: QKUPLSXOOIBPAGNENGIVPN.Mp3
FW: TNXSOVARRLESDJQHQJLYSQNWV.Mdb
FW: HBLHCJOFFZS.Mdb
FW: MGQMHOTKKEXLWCJAJ.Doc
FW: SMXSNUZRRKDRCJQGPIKXRQNWU.Mdb
FW: CWGCXE.Mp3

The message body is empty, and a VBS file is attached whose name is the
file name from the subject line with an added “.VBS” extension. Depending on the system settings, the real extension of the attached file (“.vbs”) may not be shown.
In this case, the name of the attached file is displayed as shown above (without the
“FW:”).
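
The message traits described above (subject shape, empty body, attachment named after the subject plus “.VBS”) can be checked together at a mail gateway. The following Python check is an added example, not part of the original description or of any Kaspersky product; the name match_newlove and the assumption that the random text consists of letters only (as in the sample subjects) are illustrative.

```python
import re

# Extensions listed in the description (compared case-insensitively).
DECOY_EXTS = {"doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm"}

# "FW:" + random text up to 30 chars + "." + decoy extension.
# Assumption: the random text is letters only, as in the sample subjects.
SUBJECT_RE = re.compile(r"^FW:\s*([A-Za-z]{1,30})\.([A-Za-z0-9]{3})$")


def match_newlove(subject, body, attachment_names):
    """Return the reasons a message matches the described pattern.

    An empty list means no match. All three traits must hold:
    subject shape, empty body, and an attachment named <subject name>.VBS.
    """
    m = SUBJECT_RE.match(subject.strip())
    if not m or m.group(2).lower() not in DECOY_EXTS:
        return []
    if body.strip():
        return []
    decoy = f"{m.group(1)}.{m.group(2)}".lower()
    expected = decoy + ".vbs"
    hits = [n for n in attachment_names if n.strip().lower() == expected]
    if not hits:
        return []
    return [
        f"subject is 'FW:' plus decoy name {decoy!r}",
        "message body is empty",
        f"attachment {hits[0]!r} is the decoy name with a .VBS extension",
    ]


# Constructed sample messages (the first two subjects come from the list above).
SAMPLES = [
    ("FW: CWGCXE.Mp3", "", ["CWGCXE.Mp3.VBS"]),                     # matches
    ("FW: HBLHCJOFFZS.Mdb", "", ["HBLHCJOFFZS.Mdb.vbs"]),           # matches
    ("FW: quarterly report.Doc", "See attached.", ["report.doc"]),  # benign forward
    ("FW: CWGCXE.Mp3", "", ["CWGCXE.Mp3"]),                         # no .VBS attachment
]

if __name__ == "__main__":
    for subject, body, names in SAMPLES:
        reasons = match_newlove(subject, body, names)
        print(subject, "->", "MATCH" if reasons else "clean", reasons)
```

Requiring all three traits at once keeps ordinary forwarded mail with a document attachment from matching.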

When the attached file is activated (by double clicking, for example), the worm
sends copies of itself to all addresses in the MS Outlook address book.

The worm then destroys the computer. It scans all local and mapped disk
drives, replaces every file with a copy of itself, and adds the “.VBS”
extension to the file names (for example, COMMAND.COM becomes COMMAND.COM.VBS).
As a result, all files on all accessible drives are totally destroyed.

Because of this, the worm is able to spread just once: it sends its copy to
all available addresses and then destroys the computer.

The worm is able to spread only if MS Outlook is installed on the
system. The worm's payload routine is activated regardless of the e-mail system
installed on the computer. If a different e-mail system is
installed, the worm does not send infected e-mails, but still destroys all files
on the computer.

The worm is polymorphic. Upon each infection, it inserts random comments into
its code. The worm does this each time it spreads, and as a result, its size
grows depending on its generation (about 60% of the current size), for example:

1st generation: 110Kb
2nd generation: 248Kb
3rd generation: 403Kb
4th generation: 585Kb
5th generation: 805Kb
6th generation: 1040Kb
etc.

The “pure” worm code is just about 5Kb in size.

Protection against this type of worm has already been released by Kaspersky. The “AVP Script Checker” protects the system against the new worm and
prevents infection. We strongly recommend you download “AVP Script
Checker” from our Kaspersky Lab Web sites.