IWS - The Information Warfare Site

ALERT 00-053

"Loveletter.bd"
August 17, 2000

There have been 2 reports of this worm on United States sites.

On August 17, 2000, the NIPC began tracking the propagation of a worm entitled "VBS/Loveletter.bd," which contains a password-stealing agent. The worm, which first appeared in Germany, attempts to download a Trojan component via an FTP shell instruction coupled with a script file. The Trojan is executed and set to load at Windows startup. When the infected system is rebooted, the Trojan proceeds to capture network password information and sensitive PIN information stored in the registry related to UBS online banking software. After capturing the sensitive information, the worm then e-mails the file to three hard-coded e-mail recipients. This is a VBScript Internet worm, which was loosely based on the original VBS/Loveletter worm. This worm does not damage files.

This worm distributes itself via MAPI e-mail as "resume.txt.vbs" with the subject line "resume" and no body text. If this VBScript is run, it may display an actual resume in Notepad. However, in the background it is doing other things such as downloading the Trojan component and sending itself to others via MAPI e-mail.
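As an added illustration (not part of the NIPC alert), the Python sketch below checks an inbound message for the three delivery traits described above: a double-extension script attachment such as "resume.txt.vbs", the subject "resume", and no body text. The extension lists, function names and sample message are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions run by Windows Script Host (assumed list, extend as needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking extensions used as the decoy middle part (assumed list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".pdf"}

def double_extension(filename):
    """True for names like 'resume.txt.vbs': decoy extension, then script extension."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3
            and "." + parts[2] in SCRIPT_EXTS
            and "." + parts[1] in DECOY_EXTS)

def score_message(raw_bytes):
    """Return the indicators from the alert that this message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension(name):
            hits.append("double-extension script attachment: " + name)
    if (msg["Subject"] or "").strip().lower() == "resume":
        hits.append("subject is 'resume'")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("no body text")
    return hits

def build_sample(subject, body, filename):
    """Constructed test message; the attachment payload is an inert placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for hit in score_message(build_sample("resume", "", "resume.txt.vbs")):
        print(hit)
```

The subject and empty-body checks are weak on their own; the double-extension attachment is the trait worth quarantining on, with the other two used to raise confidence.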

The anti-virus software industry has obtained a copy of the worm and is currently working on a DAT file for the virus. The Loveletter variant can be detected as "New VBS" using VirusScan 4.5 with heuristics enabled. The worm is currently rated as a medium threat by anti-virus vendors; however, users are strongly urged to check with anti-virus vendors for removal instructions.

As always, users are advised to keep their anti-virus software current by checking their vendors' web sites frequently for new updates, and to stay apprised of alerts from NIPC, CERT/CC, and other cognizant organizations.

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate.