Sophos

VBS/LoveLet-CM

Aliases
  • Jennifer
  • Lopez
  • VBS.Loveletter.CM@mm
  • VBS.Lopez.A@mm

Summary

Detected by All Sophos products

More Information

VBS/LoveLet-CM is an email-aware worm. The worm copies itself to a file called JENNIFERLOPEZ_NAKED.JPG.vbs in the Windows directory. It then forwards itself via email to every contact in the Microsoft Outlook address book with the following characteristics:

Subject: Where are you?

Body text: This is my pic in the beach!

Attached file: JENNIFERLOPEZ_NAKED.JPG.vbs

When the attached file is opened, the worm searches all fixed and network drives for files with the extensions .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .MP2 and .MP3. All files found are overwritten by the worm.

The original extensions .JS, .JSE, .CSS, .WSH, .SCT and .HTA are changed to .VBS. The original extensions .JPG and .JPEG are converted to the double extensions .JPG.VBS and .JPEG.VBS respectively. For files with the .MP2 and .MP3 extensions, the attributes of the original file are changed so that it is hidden, and the worm creates a new file with the identical name and a VBS extension.

The worm also creates the Registry keys HKCU\software\JENNIFERLOPEZ_NAKED\ so that it contains the text "Worm made in algeria" and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that it contains the name of the worm file. The worm then sends itself to all contacts found in the Microsoft Outlook address book.

Finally it drops and runs a file infected with a variant of the highly destructive W95/CIH virus (also known as Chernobyl). The dropped file is detected by SAV as W95/CIH-10xx.
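For triage of a file listing taken from an affected machine, the renaming behaviour described above can be checked by name and attribute alone. The following is an added example, not Sophos code: the function name `triage`, the `(path, is_hidden)` input shape and the sample listing are constructed for illustration. It assumes the .VBS companion of a hidden .MP2/.MP3 file may be named either NAME.VBS or NAME.MP3.VBS, since the description does not say which.

```python
from pathlib import PureWindowsPath

WORM_FILE = "jenniferlopez_naked.jpg.vbs"   # file name given in the description
IMAGE_EXT = {".jpg", ".jpeg"}               # become NAME.JPG.VBS / NAME.JPEG.VBS
MEDIA_EXT = {".mp2", ".mp3"}                # original hidden, .VBS companion created

def triage(entries):
    """entries: iterable of (windows_path, is_hidden). Returns {path: reason}.

    Files renamed from .JS/.CSS/etc. to plain .VBS cannot be told apart from
    legitimate scripts by name, so they are deliberately not flagged here.
    """
    entries = list(entries)
    known = {str(PureWindowsPath(p)).lower() for p, _ in entries}
    findings = {}
    for path, hidden in entries:
        p = PureWindowsPath(path)
        suffixes = [s.lower() for s in p.suffixes]
        if p.name.lower() == WORM_FILE:
            findings[path] = "worm copy"
        elif len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in IMAGE_EXT:
            findings[path] = "image overwritten (double extension)"
        elif hidden and suffixes and suffixes[-1] in MEDIA_EXT:
            # Assumption: companion is NAME.VBS or NAME.MP3.VBS (page is ambiguous).
            companions = {str(p.with_suffix(".vbs")).lower(), (str(p) + ".vbs").lower()}
            if companions & known:
                findings[path] = "hidden media file with .VBS companion"
    return findings

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    (r"C:\WINDOWS\JENNIFERLOPEZ_NAKED.JPG.vbs", False),
    (r"C:\Docs\holiday.JPEG.VBS", False),
    (r"C:\Docs\report.jpg", False),          # untouched image
    (r"C:\scripts\logon.vbs", False),        # plain .VBS: not decidable by name
    (r"D:\music\track01.mp3", True),
    (r"D:\music\track01.vbs", False),
    (r"D:\music\track02.mp3", True),         # hidden, but no companion script
    (r"D:\music\track03.MP2", True),
    (r"D:\music\track03.MP2.vbs", False),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason:40} {path}")
```

Flagged images and media companions contain the worm's script rather than the original data, so they are candidates for restore from backup, not for renaming back.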
