Press Releases

Browse our press release archive

19 May 2000

VBS/NewLove-A alert

Sophos has issued an alert about a new polymorphic email-aware worm which has been reported in the wild.

The worm, called VBS/NewLove-A is a Visual Basic Script virus that mutates its appearance in an attempt to avoid detection by anti-virus products.

If you are infected by the virus it will do the following:

The virus chooses a random filename and attempts to forward a mutated version of itself to everybody in your Microsoft Outlook address book. The name of the file it forwards is determined by randomly choosing one of the filenames in your Windows\Recent folder, appended with ".Vbs" (for instance, EXPENSES.XLS becomes EXPENSES.XLS.Vbs).

The filename attached will have one of the following extensions:

Doc.Vbs
Xls.Vbs
Mdb.Vbs
Bmp.Vbs
Mp3.Vbs
Txt.Vbs
Jpg.Vbs
Gif.Vbs
Mov.Vbs
Url.Vbs
Htm.Vbs

The message has the subject line: "FW: <filename>" where filename is the name of the file it is forwarding, with the extension ".Vbs" removed. So, if the attached infected file is README.DOC.Vbs then the subject line will be "FW: README.DOC".

Because of this VBS/NewLove-A does not use the same filename or subject line on different infections.

The email message has no message text.

The virus attempts to reduce all files on local and remote drives to zero. This means that Windows may stop working correctly, and that your system will not start up properly upon reboot.

Users who have disabled Windows Scripting Host (WSH) on their computers will not be infected by this virus. Sophos recommends users consider disabling Windows Scripting Host.

Users who are blocking any Visual Basic Script filename (the infected message always arrives with end suffix of ".Vbs" on the filename) will not be affected.

Due to the way in which the virus mutates it rapidly increases in size on each infection. This means that your mail server may become increasingly slowed down by larger and larger amounts of email.

Sophos researchers have produced a virus identity file (IDE) which can be used with Sophos Anti-Virus on desktops, networks and email gateways to protect against this virus.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy