Virus Profile:

Virus Name
VBS/Newlove.a

Date Added
5/18/00

Virus Characteristics
*Note: After applying the applicable EXTRA.DAT or 40?? DAT, ensure that the extension .VB? is included when scanning.*

This is a VBScript worm.

When the worm is first run it drops a copy of itself in the Windows folder as either a name from the Recent Documents folder or a random Name and has a random extension chosen from Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt and the real extension, ".vbs" The worm will modify that copy by adding random comments to its body.

It modifies the registry keys: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\" to run the copy in the Windows folder.

This worm will arrive in an email message with this format:

Subject: Starts with "FW: " and is either a name from the Recent Documents folder or a random name
Message: Empty
Attachment: Is the randomly-selected VBS filename from the Windows folder

If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

The worm uses Microsoft Outlook to send copies of itself to all entries in the address book.

This worm searches all drives connected to the host system and replaces all files with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm. The original file is then deleted.

It does not replace all the files with itself - due to a bug, the files it creates instead of the originals are 0-bytes long. It fails to write itself there.

Indications Of Infection
Existence of files mentioned above, replacement of files as mentioned above. Email propagation as described above.

Method Of Infection
This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system

Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"

Virus Information
 Discovery Date:5/18/00
 Origin:Unknown
 Type:Virus
 SubType:VbScript
 Risk Assessment:High

VirusScan 4x:
Use this file to automatically install the extra.dat to the correct location on your system. This can also be pushed across a network in a login script. The size is very small so the impact of the push will be minimal to the user, if noticed at all download here.

VirusScan 4x:
Unzip the file, use the manual process to put the extra.dat in place download here.

Dr Solomon's 8x:
Unzip the file use the manual process to put the extra.drv in place download here.

Minimum Dat
4080

Minimum Engine
4.0.35