Sophos has issued an alert about a new polymorphic email-aware
worm which has been reported in the wild.
The worm, called VBS/NewLove-A is a Visual Basic Script virus
that mutates its appearance in an attempt to avoid detection by
If you are infected by the virus it will do the following:
The virus chooses a random filename and attempts to forward a
mutated version of itself to everybody in your Microsoft Outlook
address book. The name of the file it forwards is determined by
randomly choosing one of the filenames in your Windows\Recent
folder, appended with ".Vbs" (for instance, EXPENSES.XLS becomes
The filename attached will have one of the following
The message has the subject line: "FW: <filename>" where
filename is the name of the file it is forwarding, with the
extension ".Vbs" removed. So, if the attached infected file is
README.DOC.Vbs then the subject line will be "FW: README.DOC".
Because of this VBS/NewLove-A does not use the same filename or
subject line on different infections.
The email message has no message text.
The virus attempts to reduce all files on local and remote
drives to zero. This means that Windows may stop working correctly,
and that your system will not start up properly upon reboot.
Users who have disabled Windows Scripting Host (WSH) on their
computers will not be infected by this virus. Sophos recommends
users consider disabling Windows
Users who are blocking any Visual Basic Script filename (the
infected message always arrives with end suffix of ".Vbs" on the
filename) will not be affected.
Due to the way in which the virus mutates it rapidly increases
in size on each infection. This means that your mail server may
become increasingly slowed down by larger and larger amounts of
Sophos researchers have produced a virus identity file (IDE) which can be used
with Sophos Anti-Virus on desktops, networks and email gateways to
protect against this virus.