===============================================
 Command Software Systems, Inc.
 Virus Alert  Update (2): VBS/NewLove.A
 May 19, 2000
 ========================================

 Earlier today you received an e-mail stating that Command AntiVirus
 Deffiles were updated 5/19/00, including detection for VBS/NewLove.A, a
 destructive worm that is currently spreading in-the-wild.We strongly
 recommend that you update Command AntiVirus Deffiles.

 Note: VBS/NewLove.A will arrive as an attachment with a .VBS extension in
 an e-mail with FW: in the subject line. It is strongly recommended that
 you do not open e-mail matching these criteria.

 =================================

 ADDITONAL DEFFILES DOWNLOAD LOCATIONS

 We have posted Command AntiVirus Deffiles to additional public
 locations to allow for easier access. If you have not updated your
 Deffiles yet, use one of the links below:

 http://www2.commandcom.com/files/deffiles.exe

 ftp://www.command.co.uk/public/deffiles.exe

 ftp://ftp.medianet.ca/deffiles.exe

 ---------------------------------------------
 Note: This worm will arrive as an attachment with a .VBS extension in an
 e-mail with FW: in the subject line. It is strongly recommended that you
do
 not open e-mail matching these criteria.

 ============================

 DESCRIPTION: VBS.NewLove.A

 VBS.NewLove.A is a VBScript worm that e-mails itself to all addresses in
the
 Microsoft Outlook address book on an infected system. This worm has a
 destructive payload, attempting to overwrite, and therefore delete files
on
 local and network drives. Command AntiVirus Deffiles posted 5/19/00 will
 detect the VBS.NewLove.A worm.

 Polymorphic in nature, VBS/NewLove.A  generates varying attachment names
and
 subject lines with each iteration, using recently opened file names are
used
 by the worm to create them.

 Upon execution, the virus drops a copy of itself in the Windows and
 Windows\System directories. This filename is randomly generated.
 VBS/NewLove.A then creates values for these files in the following
registry
 keys:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

 It then searches the Windows\Recent sub-directory, selects a file at
random
 and creates a new copy of itself, using the found filename and adding a
 random erroneous extension plus the extension .vbs. (The erroneous
extension
 preceding the actual .vbs will be one of the following: Doc, Xls, Mdb,
Bmp,
 Mp3, Txt, Jpg, Gif, Mov, Url, Htm, or Txt). If no files exist in
 Windows\Recent, this filename will be randomly generated. Additionally,
the
 virus is polymorphic, adding several lines of random text to this new
file.
 In essence, the attachment will increase in size with each subsequent
 infection, thus the effect on mail servers is two-fold. This file is then
 sent to everyone in the Microsoft Outlook address book. The message
appears
 as follows:

 Subject: FW: filename

 where filename corresponds with the name of the original file chosen from
 Windows\Recent plus the random extension. Body: There is no text in the
 body of the message. The attached file will carry the actual .vbs
 extension, preceded by the randomly created and erroneous extension.
 

 VBS/NewLove.A then searches the local drives, creating new copies of
itself
 based on filenames found on the user's drives, deleting the originals or
 overwriting them with a zero byte file. This malicious aspect of the
 virus can destroy all files not currently in use by the operating system.
 

 VBS/NewLove.A relies on WSH (Windows Shell Script) to run.
 

 Detection:
 Command AntiVirus version 4.58.3 with deffiles dated May 19, 2000 or
 above is needed to detect this worm.
 
 

 Powered by ALOAK
 http://www.aloak.ca