Virus Profile:
Virus
Name
VBS/Newlove.a
Date Added
5/18/00
Virus Characteristics This is a VBScript worm.
When the worm is first run it drops a copy of itself in the Windows folder as
either a name from the Recent Documents folder or a random Name and has a random extension chosen from Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt and the real extension, ".vbs" The worm will modify that copy by adding random comments to its body.
It modifies the registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" and
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"
to run the copy in the Windows folder.
This worm will arrive in an email message with this format:
Subject: Starts with "FW: " and is either a name from the Recent Documents folder or a random name
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
The worm uses Microsoft Outlook to send copies of itself to all entries in the address book.
This worm searches all drives connected to the host
system and replaces all files with copies of itself and it adds the
extension .VBS to the original filename. So PICT.JPG would be replaced
with PICT.JPG.VBS and this would contain the worm. The original file is
then deleted. It does not replace all the files with itself - due to a bug, the files it creates instead of the originals are 0-bytes long. It fails to write itself there.
*Note: After applying the applicable EXTRA.DAT or 40?? DAT, ensure that the extension .VB? is included when scanning.*
Message: Empty
Attachment: Is the randomly-selected VBS filename from the Windows folder
Indications Of Infection
Existence of files mentioned above, replacement of files as mentioned above. Email propagation as described above.
Method Of Infection
This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system
Removal Instructions
Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
PE,Trojan,Internet Worm and memory resident:
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"
Virus Information
| Discovery Date: | 5/18/00 | |
| Origin: | Unknown | |
| Type: | Virus | |
| SubType: | VbScript | |
| Risk Assessment: | High |
VirusScan 4x:
VirusScan 4x:
Use this file to automatically install the extra.dat to the correct location on your system.
This can also be pushed across a network in a login script. The size is very small so the impact of the push will be minimal to the user, if noticed at all
download here.
Unzip the file, use the manual process to put the extra.dat in place download here.
Dr Solomon's 8x:
Unzip the file use the manual process to put the extra.drv in place download here.
Minimum Dat
4080
Minimum Engine
4.0.35