IWS - The Information Warfare Site

ALERT 00-043

"VBS.NewLove."
May 19, 2000

As of May 18, 2000, a new, more destructive variant of the LOVE LETTER worm, NewLove.VBS, has been identified. Like the earlier variants, this worm is transmitted via e-mail, but unlike the others, this new polymorphic variant can change the subject line and the program code every time it is retransmitted, thus making it more difficult for users and anti-virus programs to detect. The worm is transmitted when a user opens an e-mail attachment.

The NewLove.VBS variant uses the filename of a file that a user has recently been working on, and places that filename in the subject line of the e-mail transmission. The recipient may think that they have been forwarded a file from a known associate. When the attachment is opened, this worm can damage all files not currently in use, by changing the file extensions to .VBS. It can also transmit itself to a new group of victims taken from the current victim's e-mail address book. The new e-mail will have a different subject line taken from a filename that the current victim has recently been working on.

VBS.NewLove.A

Subject: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
Attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
Size of attachment: Variable
Message Body: Variable.
Target of Infection: Overwrites all files that are not currently in use regardless of extension.
Shared Drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)
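
Because the subject line and program code change with every copy, the indicators above that stay constant are structural: a .vbs attachment whose name is a document filename with .vbs appended, and a subject of "FW:" followed by that same filename. The following check for a mail gateway or mailbox sweep is an added example, not part of the NIPC alert; the function names, addresses and filenames are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage


def newlove_indicators(raw_message: bytes) -> list:
    """Return which of the alert's structural indicators a message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name.lower().endswith(".vbs"):
            continue
        hits.append("vbs-attachment")
        inner = name[:-4]  # attachment name without the trailing ".vbs"
        # "filename.ext.vbs": a document-style name hiding a script extension
        if "." in inner.strip("."):
            hits.append("double-extension")
        # Alert: subject is "FW: filename.ext", attachment is "filename.ext.vbs"
        if subject == "fw: " + inner.lower():
            hits.append("subject-matches-attachment")
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"   # constructed address
    m["To"] = "user@example.com"          # constructed address
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    m.add_attachment(b"placeholder, not script code", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("FW: budget_q2.xls", "budget_q2.xls.vbs"),   # matches the alert's pattern
        ("Meeting notes", "notes.pdf"),               # ordinary attachment
        ("Login script", "logon.vbs"),                # .vbs, but not the alert's naming
    ]
    for subject, filename in samples:
        print(subject, "->", newlove_indicators(build_sample(subject, filename)))
```

A message that matches all three indicators fits the naming pattern described in this alert; a .vbs attachment alone is a weaker signal that still warrants quarantine under most mail policies.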

Major anti-virus vendors have posted software to detect and prevent infection by many variants of the LoveLetter worm. Affected users should check their anti-virus vendor's web site frequently for updated information and patches.

The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's web page. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.