Summary

| Included in our products from | July 2002 (3.59) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete any references to any files you deleted.
Close the registry editor.
More Information
VBS/LoveLet-AS is a Visual Basic Script worm.
The worm forwards itself as an email attachment with the subject line:
'US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<='
or a random 6 letter string.
The message body will be either
'VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE..'
or a random 10 letter string.
Running the attached file infects your computer.
On 17 September the worm displays a message box containing the text
"Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. TEGIF (M.H.M. Team)"
where 'TEGIF' can be any random 5 letters.
It then attempts to disconnect drives Z: through to E:.
The worm attempts to download the files MACROMEDIA32.ZIP, LINUX321.ZIP and LINUX322.ZIP via Internet Explorer. Despite their filenames, these are not true ZIP files: one is a text file and the other two are bitmap graphic files.
MACROMEDIA32.ZIP is copied to the Windows directory with the filename important_note.txt and set to run on startup under the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The two other files are copied to the Windows directory as logos.sys and logow.sys respectively.
The worm makes copies of itself (using the filenames LINUX32.VBS and reload.vbs) and sets them to run at startup.
It creates a copy of itself in the System directory with a filename of 5 to 8 characters with either the extension .GIF.VBS or .JPG.VBS - it is this file which is mailed out to all addresses in your Outlook address book.
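The file names and startup entries described above can be checked against exported Run-key values. The following is an added example, not Sophos code: the Run values are constructed samples with invented value names, and reading "5 to 8 characters" as the base name before the double extension is an assumption.

```python
import ntpath
import re

# File names the description above attributes to VBS/LoveLet-AS.
FIXED_NAMES = {"linux32.vbs", "reload.vbs", "important_note.txt"}

# Mailed copy: 5 to 8 characters followed by .GIF.VBS or .JPG.VBS.
# Assumption: the 5-8 count covers the base name only, not the extensions.
MAILED_COPY = re.compile(r"^[^.]{5,8}\.(gif|jpg)\.vbs$", re.IGNORECASE)

# Splits a Run command into quoted or whitespace-delimited tokens.
TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def classify(filename):
    """Return a reason string if the bare file name matches, else None."""
    name = ntpath.basename(filename).lower()
    if name in FIXED_NAMES:
        return "fixed name used by the worm"
    if MAILED_COPY.match(name):
        return "double-extension script copy"
    return None


def flag_run_entries(run_values):
    """Map Run-key value names to a reason for each suspicious command."""
    hits = {}
    for value_name, command in run_values.items():
        for quoted, bare in TOKEN.findall(command):
            reason = classify(quoted or bare)
            if reason:
                hits[value_name] = reason
                break
    return hits


# Constructed sample of HKLM\...\Run values (value names are invented).
SAMPLE_RUN = {
    "SoundMan": r"C:\WINDOWS\soundman.exe",
    "ExampleA": r"C:\WINDOWS\LINUX32.VBS",
    "ExampleB": r'wscript.exe "C:\WINDOWS\SYSTEM\abcdef.JPG.VBS"',
    "ExampleC": r"C:\WINDOWS\important_note.txt",
    "Viewer": r'"C:\Program Files\Viewer\view.exe" holiday.jpg',
}

if __name__ == "__main__":
    for name, why in flag_run_entries(SAMPLE_RUN).items():
        print(f"{name}: {why}")
```

A match on important_note.txt alone is weak evidence, since the name is generic; treat it as a prompt to inspect the file rather than as confirmation.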
