New Virus???
My mom just got a virus I had never heard of. I can't say for sure, but I think it's new. Here goes. She got the email Wednesday night. She called me, I told her to do nothing to the computer till I got there. She had already deleted the message, so I don't know what it said. The only traces I found were reg entries in HKLM\software\microsoft\windows\current ver\run and runonce. The run entry had a reference to linux32.vbs, the runonce had a reference to reload?.vbs. I can't remember the exact file names, I left my notes at her place. Then, daring as I am, I moved the two files to a different location. I then went in to edit them, and there was a line in there that said "pxxx colombia virus ver 1.0" (again, I can't remember the exact name). InoculateIT PE also found a file called something to the effect of c:\windows\presidential_and_FBI_secrets.htm that was infected with the html.lovebug virus. I found no reference to that virus on Symantec's web site.
Anyone ever hear of this???
[This message has been edited by jbob (edited 10-27-2000).]
socalgal
10-27-2000, 09:01 AM
Info from: http://www.cai.com/virusinfo/virusalert.htm
VBS/Plan.A.Worm
Plan.A is a new e-mail spreading worm that has been seen in the wild in US. The worm spreads through e-mail using Microsoft Outlook.
It arrives as an e-mail with either a randomly generated subject line or the following:
US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
The body of the e-mail also might be randomly generated text, or the following:
VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
The e-mail contains an attachment with a randomly generated filename and an extension of ".GIF.vbs", ".BMP.vbs" or ".JPG.vbs". The VBS extension might not be displayed depending on the configuration of the system.
Once activated, three copies of the worm are dropped onto the system:
Windows\System\LINUX32.vbs
Windows\reload.vbs
Windows\System\(randomly generated filename)
The following registry keys are created so that LINUX32.vbs and reload.vbs are run at the next Windows start-up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32 = "Windows\System\LINUX32.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload = "Windows\reload.vbs"
Note that the system directory and windows directory will be changed to match the configuration of the infected machine.
If "WinFAT32.exe" exists on the infected machine (this file is downloaded by VBS/LoveLetter.A), Plan.A changes the startup page of Internet Explorer to download one of the three files: macromedia32.zip, linux321.zip or linux322.zip.
Files with the following extension will be replaced with a copy of the worm and extension appended with "VBS". For example, test.hta will become test.hta.vbs.
vbs
vbe
js
jse
css
wsh
sct
hta
jpg
jpeg
MP3 and MP2 files will be marked hidden and a copy of the worm dropped using the same filename with a VBS extension.
On September 17, a message will be displayed:
Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. (M.H.M. TEAM)
Then all network drives (mapped drives) will be disconnected.
InoculateIT signature release 12.24 includes detection for Plan.A. To guarantee detection of Plan.A, VBS files must be included in the list of file types to scan.
To cure an infected system, all files being detected as Plan.A must be deleted. This can either be done manually or by setting InoculateIT to delete infected files.
The registry keys mentioned above must be deleted manually using RegEdit.
InoculateIT is free AV-ware, btw. You can download it at http://www.cai.com/registration/
Let us know if that works.
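The two indicators the CA write-up gives for this worm, autostart entries under Run/RunServices that launch a .vbs file and attachments whose real script extension hides behind a ".JPG"/".GIF"/".BMP" one, can both be checked mechanically. The following is an added example, not code from the forum post or from CA; it parses a RegEdit-style text export (a constructed sample that mirrors the paths quoted above) and flags script-host autostarts, and separately tests a filename for a hidden script extension. The key names and list of script extensions are assumptions based on the advisory text, not an exhaustive list.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a text export of the Run/RunServices keys in the format
# RegEdit produces. The two worm entries mirror the advisory; "ScanRegistry"
# is a benign Windows 9x entry included so the filter has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LINUX32"="C:\\Windows\\System\\LINUX32.vbs"
"ScanRegistry"="C:\\Windows\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\Windows\\reload.vbs"
"""

# Autostart key names worth checking (assumed list; the advisory names Run and
# RunServices, the original poster also mentions RunOnce).
AUTOSTART_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# File types executed by the Windows Script Host / MSHTA rather than viewed.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".sct", ".hta"}


def parse_reg_export(text):
    """Yield (key, value_name, data) triples from a RegEdit text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes; undo that for the path.
                name, data = m.group(1), m.group(2).replace("\\\\", "\\")
                yield key, name, data


def command_target(data):
    """Return the program/file a Run value launches (first token, quoted or not)."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def script_autostarts(text):
    """Return (key_leaf, value_name, target) for autostart values that run a
    script-host file type, which is how this worm persists."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTOSTART_KEYS):
            continue
        target = command_target(data)
        if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTENSIONS:
            hits.append((key.rsplit("\\", 1)[1], name, target))
    return hits


def hidden_script_extension(filename):
    """True when a name carries a decoy extension in front of a script one,
    e.g. photo.JPG.vbs, which Explorer shows as photo.JPG when
    'Hide file extensions for known file types' is enabled."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTENSIONS


if __name__ == "__main__":
    for leaf, name, target in script_autostarts(SAMPLE_REG_EXPORT):
        print(f"autostart {leaf}\\{name} -> {target}")
    for f in ("photo.JPG.vbs", "test.hta.vbs", "song.mp3", "reload.vbs"):
        print(f, "HIDDEN SCRIPT EXTENSION" if hidden_script_extension(f) else "ok")
```

On a real machine the export would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (or RegEdit's Export), and the filename check is the rule a mail gateway or desktop scanner applies before an attachment is ever opened; note that it deliberately ignores a plain single-extension `reload.vbs`, which is a script but not disguised as something else.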
jerkymom
10-27-2000, 09:03 AM
This is a variation of the LoveLetter virus (sometimes called the lovebug). Here's some info: http://vil.mcafee.com/dispVirus.asp?virus_k=98684
You can search most major AV websites - keyword "vbs.loveletter" - for removal instructions.
Good Luck!
Kim
Sorry, I should have mentioned this is for the file found by InoculateIT PE at the end of your post.
[This message has been edited by jerkymom (edited 10-27-2000).]
Thanks for the info. I did remove both reg entries, as well as move the two files to another location. I think the damage will be minimal if any.
Undertow
10-27-2000, 09:31 AM
Would a real-time virus scanner detect this?
My boss (duh!) clicked on this attachment last Monday. It seemed to randomly pick one of bmp, jpg or gif and corrupt them, as well as the stuff above. There was also a nasty sting in the tail which reassigned all the network mapping.
Luckily the email forward and netkill didn't deploy, but he still forwarded to his seccie to try, because he couldn't get it to work! (double duh!)
Norton AV 2000 was running on her machine and nailed it. The infected machine was running F-Prot I think and didn't bat an eyelid.
Enforcing Netscape Messenger on everyone and killing WSH seems to have fixed everything.
Oh, and I took a week to rebuild his PC. Just because I could. *snicker*
U-96
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.