Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
More Information
VBS/NewLove-A is a polymorphic Visual Basic Script worm that mutates its appearance in an attempt to avoid detection.
The worm randomly chooses a filename in your Windows\Recent folder and attempts to forward a mutated version of itself to everybody in your Microsoft Outlook address book. The name of the file it forwards remains the same but the worm appends a further extension, ".Vbs" (for instance, EXPENSES.XLS becomes EXPENSES.XLS.Vbs).
The filename attached will have one of the following extensions:

- Doc.Vbs
- Xls.Vbs
- Mdb.Vbs
- Bmp.Vbs
- Mp3.Vbs
- Txt.Vbs
- Jpg.Vbs
- Gif.Vbs
- Mov.Vbs
- Url.Vbs
- Htm.Vbs

The message has the subject line: "FW: <filename>" where filename is the name of the file it is forwarding, with the extension ".Vbs" removed. So, if the attached infected file is README.DOC.Vbs then the subject line will be "FW: README.DOC".
Because of this, VBS/NewLove-A does not use the same filename or subject line on different infections.
The email message has no message text.
The worm attempts to reduce all files on local and remote drives to zero length. This means that Windows may stop working correctly, and that your system will not start up properly upon reboot.
Users who have disabled Windows Scripting Host (WSH) on their computers will not be infected by this worm.
Users who block attachments with any Visual Basic Script filename (the infected message always arrives with a final suffix of ".Vbs" on the filename) will not be affected.
Due to the way in which the worm mutates, it rapidly increases in size on each infection. This means that your mail server may become increasingly slowed down by larger and larger amounts of email.
Sophos recommends that users who discover an infection of VBS/NewLove-A on their machine re-sweep their systems in "full" mode.
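
The message traits described above (final ".Vbs" suffix, a listed inner extension, a subject of "FW: " plus the attachment name without ".Vbs", and no message text) can be checked at a mail gateway. The following Python sketch is an added example, not Sophos code; the function names, result keys and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Inner extensions from the list above (the part before the final ".Vbs").
INNER_EXTS = {"doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm"}

def check_message(raw: bytes) -> dict:
    """Report which traits described on this page a raw RFC 822 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    result = {"vbs_attachment": False, "listed_double_ext": False,
              "subject_matches": False, "empty_body": text == ""}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name.lower().endswith(".vbs"):
            continue
        result["vbs_attachment"] = True   # enough on its own to block
        stem = name[:-4]                  # attachment name with ".Vbs" removed
        if "." in stem and stem.rsplit(".", 1)[1].lower() in INNER_EXTS:
            result["listed_double_ext"] = True
        if subject == "fw: " + stem.lower():
            result["subject_matches"] = True
    result["block"] = result["vbs_attachment"]
    result["newlove_like"] = all(result[k] for k in (
        "vbs_attachment", "listed_double_ext", "subject_matches", "empty_body"))
    return result

def build_sample(subject: str, body: str, attachment: str) -> bytes:
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    if body:
        m.set_content(body)
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample("FW: EXPENSES.XLS", "", "EXPENSES.XLS.Vbs")))
    print(check_message(build_sample("Q3 numbers", "See attached.", "report.pdf")))
```

The `block` key implements the filename rule alone; `newlove_like` is set only when all four traits coincide, which is useful for triage rather than as the blocking condition.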
