VBS/LoveLet-CL is a variant of the VBS/LoveLet-A (also known as the Love Bug) email-aware worm.
The worm makes two copies of itself, using the filenames command.vbs and WinVXD.vbs. These files are executed each time the computer boots up.
The email component of the worm requires Microsoft Outlook to work. If you are using Microsoft Outlook, it will try to send itself to each entry in your address book. The email will have the following characteristics:
Subject: !!!
Body: :-) MuCuX...
Attached file: echelon.vbs
The worm also searches all local and networked drives for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the worm and their extension is renamed to .VBS.
Any JPG or JPEG graphic files are also overwritten by the worm but have the extension .VBS added to the existing filename. For instance, PAMELA.JPG would become PAMELA.JPG.VBS.
Any MP2 or MP3 music files are overwritten by the worm but are also copied to a new file that has the .VBS extension added. The original files have their attributes set to "hidden".
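The file-naming behaviour described above can be checked for during triage. The following is an added example, not part of the original description: a Python sketch that walks a directory tree and flags the file names the worm is described as leaving behind. The function names, labels and sample tree are constructed for illustration, and matching is by name only, so each hit still needs its content checked.

```python
import os, stat, tempfile
from pathlib import Path

# Names and extensions from the write-up above; a name match is a lead, not a verdict.
DROPPED_NAMES = {"command.vbs", "winvxd.vbs"}
IMAGE_EXTS, MUSIC_EXTS = {".jpg", ".jpeg"}, {".mp2", ".mp3"}

def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def classify(path):
    """Return a finding label for one file, or None if the name is unremarkable."""
    if path.name.lower() in DROPPED_NAMES:
        return "worm-copy-name"
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2 or suffixes[-1] != ".vbs":
        return None
    if suffixes[-2] in IMAGE_EXTS:
        return "image-renamed-to-vbs"
    if suffixes[-2] in MUSIC_EXTS:
        original = path.with_suffix("")  # same name without the trailing .vbs
        if not original.exists():
            return "music-vbs-orphan"
        return "music-vbs-hidden-original" if is_hidden(original) else "music-vbs-visible-original"
    return None

def scan(root):
    """Walk root and return sorted (relative path, label) pairs for every match."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify(p)
            if label:
                hits.append((p.relative_to(root).as_posix(), label))
    return sorted(hits)

def demo():
    """Build a constructed sample tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ["PAMELA.JPG.VBS", "holiday.jpg", "music/track.mp3",
                    "music/track.mp3.vbs", "sys/WinVXD.vbs", "scripts/build.vbs"]:
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.touch()
        return scan(tmp)
```

Calling `scan()` on a mounted drive or share returns the same kind of list as `demo()`; an ordinary script such as `scripts/build.vbs` is not flagged because it has no media extension in front of `.vbs`.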
If the worm determines that mIRC (Internet Relay Chat) is installed on the system, it will drop a mIRC script that will send the worm on via mIRC.
The worm contains a large number of comments inside its code which do not get displayed. It is possible these have been chosen in an attempt to overload the Echelon email monitoring system should the worm become widespread.
The comments are as follows:
Written By Extirpater and beyin. (i am NOT from iraq, and not protecting iraq/islamic anyway) Stop Violence Pentagon. Why are you testing your new weapons on iraq? You are trying to protect children from porn but you are also killing them and other innocent people in iraq... ...and another thing... why are you using echelon type stupid things to listen around...?<< Hey others, lets fl00d the echelon... .gov @ NSA national security agency code PGP GPG satellite cia yemen toxin botulinum mi5 mi6 mit kgb .mil mil base64 us defence intelligence agency admiral diplomat alert! begin pgp message cert HQ password secret information Shamil Basaev BATF Tactical information broadcasting service netsec DEA Ayman Al Zawahiri RADINT ETA Fort Meade explosive gun conspiracy primer detonator initiator unicos al amn al-askari cray arpanet node backdoor mi-6 mi-5 terrorism SSCI sairi islamic revolution assembly not for public private korea diplomat wiretap Usame bin Laden DF ZARK SERT VIP ARC S.E.T set ssl hezbollah hizbullah afiwc compusec M51 phsical security division MOSSAD DDos denial of sevice don't try to contact me astel DH breaking machine Xu Yongyue agent agents national infrastructure air command control facility nm info Lieutenant tactical defcon mortars rpg7 propellants defensive evasion boobytraps secure internet rsa uzi buy hrt hk33ke aks-74 galil arm detcord pmk40 silencers timing devices information security naval yard sao reno jics computer terrorism NAIA SAPM ASU ECHELON ASTS RSP ISS JDF NAAP RSO encryption ASWS USDOJ SAMU COSMOS DATTA e99ll bill clinton george bush nash asis seal team 3 MSEE M.P.R.I top secret mossberg sursat 5926 telint fraud analyzer b61-7 sbu err SO13 reojdykarna airframe 510 EuroFed Avi shelter Cryto AG IDP RHL MP5K-SD sniper gign exon shell masuda eada shs NSWF sabotage nitrate Counter terrorism RCMP CTU CQB CONUS BOP CID thief NCSA ISACA ASVC spook words flashbangs magnum resta 777 666 MD2 MD4 MDA 747 boing domestic disruption smuggle Z-200 
Security Consulting Keyhole NABS Kilderkin covert video pathfinders oscor merlin ntt sl-1 sr-71 sr71 f117 f-117 cornflower TNT rdx amfo hmtd lead azide styphante ddnp nitrostarch mines grenades rockets fuses nitrocellulose c4 ambush sniping spoof sniff sniffing sniffer motorcade assassination jtf-6 psyops privacy