
 

The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 


Virus and Malware Alerts

 


 

Alerts October 2000


Top 10 malware reported to Sophos in October 2000

Position  Last month  Malware         Percentage of reports
1         3           W32/Apology-B   29.8%
2         New         VBS/LoveLet-AS  13.7%
3         1           VBS/Kakworm     11.8%
4         5           W32/Qaz         7.1%
5         New         XM97/Jini-B     6.2%
6         2           VBS/LoveLet-G   3.7%
7         7           WM97/Marker-C   2.5%
8         Re-entry    W32/Pretty      1.9%
9         New         W32/Flcss       1.2%
10        Re-entry    WM97/Thus-T     1.2%
Others                                20.9%

 

 

This section describes how VBS/LoveLet-AS behaves.

VBS/LoveLet-AS is a Visual Basic Script worm.

 

The worm forwards itself as an email attachment with the subject line:

 

'US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<='

 

or a random 6 letter string.

 

The message body will either be

 

'VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE..'

 

or a random 10 letter string.

 

Running the attached file infects your computer.

 

On 17 September the worm displays a message box containing the text

"Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. TEGIF (M.H.M. Team)"

 

where 'TEGIF' can be any random 5 letters.

 

It then attempts to disconnect drives Z: through to E:.

 

The worm attempts to download the files MACROMEDIA32.ZIP, LINUX321.ZIP and LINUX322.ZIP via Internet Explorer. Despite their filenames these files are not true ZIP files but rather a text file and two bitmap graphic files.

 

MACROMEDIA32.ZIP is copied to the Windows directory with the filename important_note.txt and set to run on startup with the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

 

The two other files are copied to the Windows directory as logos.sys and logow.sys respectively.

 

The worm makes copies of itself (using the filenames LINUX32.VBS and reload.vbs) and sets them to run at startup.

 

It creates a copy of itself in the System directory with a filename of 5 to 8 characters with either the extension .GIF.VBS or .JPG.VBS - it is this file which is mailed out to all addresses in your Outlook address book.
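As an added example (not part of the original alert and not vendor code), the mail indicators described above can be turned into a triage rule for a mail filter. The function and pattern names, the sample addresses and the reading of "random N letter string" as exactly N ASCII letters are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the description above.
KNOWN_SUBJECT = "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<="
KNOWN_BODY = "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE.."
# Name of 5 to 8 characters, a decoy image extension, then the real .VBS extension.
ATTACHMENT = re.compile(r"[^.\\/]{5,8}\.(gif|jpg)\.vbs", re.IGNORECASE)
# Assumption: a "random N letter string" is exactly N ASCII letters.
RANDOM_SUBJECT = re.compile(r"[A-Za-z]{6}")
RANDOM_BODY = re.compile(r"[A-Za-z]{10}")

def triage(raw):
    """Classify one raw message as 'block', 'review' or 'pass', with reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join((msg["Subject"] or "").split())  # undo header folding
    body, names = "", []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    body = body.strip()
    bad_names = [n for n in names if ATTACHMENT.fullmatch(n)]
    known_text = subject == KNOWN_SUBJECT or body == KNOWN_BODY
    reasons = ["attachment " + n for n in bad_names]
    if known_text:
        reasons.append("known subject or body text")
    if bad_names:
        # Random-looking text counts only beside a matching attachment ("Thanks" is six letters too).
        if RANDOM_SUBJECT.fullmatch(subject):
            reasons.append("six-letter subject")
        if RANDOM_BODY.fullmatch(body):
            reasons.append("ten-letter body")
        return "block", reasons
    return ("review" if known_text else "pass"), reasons

def build(subject, body, attachment=None):
    """Constructed sample message for the demonstration (not captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build(KNOWN_SUBJECT, KNOWN_BODY, "qwerty.JPG.VBS")))
```

The 'review' verdict covers a message that carries the fixed subject or body but whose attachment has already been stripped or renamed upstream.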

 

 

 

 

 

 


 

 

 

Copyright © 1998 The Computer Guys
