-----BEGIN PGP SIGNED MESSAGE-----
I am sure many of you have heard of this new variant of the Love
virus. However, as there is currently no detection, I felt it was
important enough to forward this ALERT to the list.
=== Tim
- -----------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: [EMAIL PROTECTED] |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
| Levelland, TX 79336 | |
- -----------------------------------------------------------------
- ---------- Forwarded message ----------
Date: Fri, 19 May 2000 04:24:22 +0000 (GMT)
From: Sophos Alert System <[EMAIL PROTECTED]>
Reply-To: Sophos Support <[EMAIL PROTECTED]>
To: Sophos Webmaster <[EMAIL PROTECTED]>
Subject: Sophos Anti-Virus: ALERT
- ---------------------------------------------------------------
Please note: The subject line of these alerts will change to
'Sophos Anti-Virus IDE alert: virusname' on 12th June 2000.
- ---------------------------------------------------------------
*** Virus Alert! ***
Name: VBS/NewLove-A
Aliases: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER,
VBS.Loveletter.FW.A, NEWLOVE.A, VBS/Spammer.A,
VBS.Loveletter.FW, Spammer, Newlove
Type: Visual Basic Script worm
Date: 19 May 2000
Sophos has issued an alert about a new polymorphic email-aware
worm which has been reported in the wild.
The worm, called VBS/NewLove-A is a Visual Basic Script virus
that mutates its appearance in an attempt to avoid detection by
anti-virus products.
If you are infected by the virus it will do the following:
The virus chooses a random filename and attempts to forward a
mutated version of itself to everybody in your Microsoft Outlook
address book. The name of the file it forwards is determined by
randomly choosing one of the filenames in your Windows\Recent
folder, appended with ".Vbs" (for instance, EXPENSES.XLS becomes
EXPENSES.XLS.Vbs).
The filename attached will have one of the following extensions:
Doc.Vbs
Xls.Vbs
Mdb.Vbs
Bmp.Vbs
Mp3.Vbs
Txt.Vbs
Jpg.Vbs
Gif.Vbs
Mov.Vbs
Url.Vbs
Htm.Vbs
The message has the subject line: "FW: <filename>" where filename
is the name of the file it is forwarding, with the extension
".Vbs" removed. So, if the attached infected file is
README.DOC.Vbs then the subject line will be "FW: README.DOC".
Because of this VBS/NewLove-A does not use the same filename or
subject line on different infections.
The email message has no message text.
The virus attempts to reduce all files on local and remote drives
to zero. This means that Windows may stop working correctly, and
that your system will not start up properly upon reboot.
Users who have disabled Windows Scripting Host (WSH) on their
computers will not be infected by this virus. Details on how to
disable WSH are published at:
http://www.sophos.com/support/faqs/wsh.html
Users who are blocking any Visual Basic Script filename (the
infected message always arrives with end suffix of ".Vbs" on the
filename) will not be affected.
Due to the way in which the virus mutates it rapidly increases in
size on each infection. This means that your mail server may
become increasingly slowed down by larger and larger amounts of
email.
Sophos researchers are working on a method of detecting this
virus, and will be issuing an update later today.
To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBOSTbA7qa7cl66v8xAQGt5gP/YGSkMSoFjiMiix2Mpm8Ighrm6P8bbonA
XV3Xn6arkXUwyMtY63sktX77g1NIRh+NodCk5JYPTsJo6uW3pKIQ8nNitrDuB0+N
0Rbof8G95mrAnKUPTG7cxIFGxST74ie2NwmMqaDcKbPz7IIZW8nRtbwAjSCNAIu3
HPz26USEkIk=
=ptdN
-----END PGP SIGNATURE-----
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
