Computer upgrades, repairs, troubleshooting and consulting services. Products, virus and malware alerts  FAQs and VFaqs.

 

The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 


Virus and Malware Alerts

 

We Build the Best & Repair the Rest! ©

 

Alerts June 2000


Top 10 malware reported to Sophos in June 2000

Position  Last month  Malware           Percentage of reports
1         2           VBS/Kakworm       28.5%
2         New         VBS/Stages-A      16.9%
3         1           VBS/LoveLet       7.4%
4         9           WM97/Melissa      3.2%
5         4           W32/Ska-Happy99   2.8%
6         Re-entry    WM97/Marker-C     2.5%
7         New         Troj/Sub7-21B     2.1%
8         New         XM97/Yawn-A       2.1%
9         6           WM97/Marker-O     2.1%
10        Re-entry    WM97/Class-D      2.1%
Others                                  30.3%

 

 

LoveLetter

This section describes how the worm behaves.

This is a worm which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.

 

Infected emails have the subject line:

 

ILOVEYOU

 

The message text is:

 

kindly check the attached LOVELETTER coming from me.

 

The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has a double-extension. Mailers which suppress well-known extensions such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT, which appears more innocent. Because the worm arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.
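An added example (not part of the original page): a Python sketch of a mail-gateway attachment check for the double-extension trick described above, which also shows the name a mailer would display once the script extension is suppressed. The function names, the choice of blocked extensions and the DECOY_EXTS list are assumptions made for this illustration.

```python
import ntpath

# Script types from the page's list of worm-targeted extensions (CSS left out because
# it is not executed); treating exactly this set as "blocked" is an assumption.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Harmless-looking inner extensions used as a decoy (constructed list).
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp2", ".mp3", ".doc", ".htm", ".gif"}


def _clean(filename):
    # Drop any path, then the trailing dots/spaces Windows ignores when opening a file.
    return ntpath.basename(filename).rstrip(" .")


def displayed_name(filename):
    """Name shown by a mailer that suppresses well-known script extensions."""
    base = _clean(filename)
    root, ext = ntpath.splitext(base)
    return root if ext.lower() in SCRIPT_EXTS else base


def classify(filename):
    """Return 'allow', 'script' or 'deceptive-double-extension'."""
    rest, final_ext = ntpath.splitext(_clean(filename).lower())
    if final_ext not in SCRIPT_EXTS:
        return "allow"
    # Padding such as 'photo.jpg      .vbs' pushes the real extension out of view.
    _, inner_ext = ntpath.splitext(rest.rstrip(" ."))
    return "deceptive-double-extension" if inner_ext in DECOY_EXTS else "script"


def screen(attachments):
    """Return (name, displayed name, verdict) for every attachment not allowed."""
    return [(n, displayed_name(n), classify(n))
            for n in attachments if classify(n) != "allow"]


if __name__ == "__main__":
    # Constructed sample attachment names; only the first comes from the page.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "minutes.txt", "logon.VBS",
              "holiday.jpg      .vbs", "archive.tar.gz"]
    for name, shown, verdict in screen(sample):
        print(f"{verdict:28} shown as {shown!r:32} actual {name!r}")
```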

 

The worm also drops an HTM file which can spread the worm, and a mIRC script which tries to distribute it.

 

The worm checks the Internet Explorer Download Directory for the presence of the file WinFAT32.exe. If that file does not exist, the worm randomly picks one of four websites and changes the registry to set it as the Start Page for Internet Explorer. The websites point to an EXE file, WIN-BUGSFIX.exe, which is then downloaded, and the registry is modified to run the file on reboot. This file is detected as Troj/LoveLet-A. The Internet Explorer Start Page is also set to blank.

 

The worm copies itself to two places in the system directory, where the copies are executed each time the computer reboots.

The email component of the worm requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.

 

The worm also searches all local and networked drives for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the worm and their extension is renamed to .VBS.

 

Any JPG or JPEG files are also overwritten by the worm but have the extension .VBS added to the existing filename.

 

Any MP2 or MP3 files are overwritten by the worm but are also copied to a new file that has the .VBS extension added. The original files are set as hidden.

 

If the worm determines that mIRC is installed on the system it will drop a mIRC script that will send the worm on via mIRC.

 

 


Copyright © 1998 The Computer Guys
