Yet another "LoveLetter" variation is masquerading as a r�sum�
Cambridge, UK, August 16, 2000 - Kaspersky Lab Int., an international anti-virus
software development company, announced today the discovery of another variation
of the "LoveLetter" script-virus, which became infamous earlier this
year in May. The virus, known under the technical name "I-Worm.LoveLetter.bd",
is found in the wild. To date, Kaspersky Lab has received several reports about
infections in Switzerland and Russia.
The virus uses a well-known psychological trick to entice a user to open the
infected file RESUME.TXT.VBS (attached to an e-mail message) by offering the
opportunity to view the r�sum� of a Swiss Internet company looking
for an Internet programmer. After the infected attachment has been executed,
the virus automatically opens the Notepad word processor (bundled by default
with all Windows versions) and shows the following text:
Knowledge Engineer, Zurich
Intelligente Agenten im Internet sammeln Informationen, erkluren Sachverhalte
Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen
Simultaneously, the virus clandestinely gains access to the Outlook mail program
and, just as the original "LoveLetter", sends out copies of itself
containing the attached infected "r�sum�" file to all the entries
in the Outlook address book.
The most distinctive feature of the virus is that it is able to download additional
malicious components from the Internet to the infected PC. However, this feature
is active only if the user is running USB software produced by the Union Bank
of Switzerland for conducting online banking transactions.
Without the user's knowledge, the virus tries to connect with one of three
Web sites in order to download the file HCHECK.EXE containing the Trojan program
"Hooker." "Hooker," in turn, collects all the user information
from the infected PC including name, company, installed software, address, logins,
and passwords for Internet access. Also, it intercepts the keyboard buffer and
tracks all the keystrokes printed on the computer. Then, the Trojan sends this
information to an anonymous e-mail address obviously owned by the virus author.
It should be highlighted that the Trojan component has been downloaded from
the Web sites of several major governmental and educational establishments having
no strict access policy to their content. Among these establishments are Michigan
State University and the U.S. National Institutes of Health. Inadvertently,
all users have full access to the public upload directory, which enables them
not only to upload files, but also to download them. It is this breach that
is exploited by the virus to prevent the author's location from being revealed.
In order to prevent infection from this virus, Kaspersky Lab recommends that
under no circumstances should the attachment RESUME.TXT.VBS be opened, and the
same applies to other unexpected attachments received by e-mail, both from unknown
persons and colleagues and friends.
In addition, Kaspersky Lab recommends that users install AVP Script Checker - the ultimate
anti-virus plug-in to protect you against script-viruses including those from
the "LoveLetter" family. It effectively blocks script-viruses
without requiring any updates to the anti-virus database. "Script Checker
utilizes the unique technology of intercepting the script-viruses directly in
the system memory. Additionally, it is powered by the world's first heuristic
code analyser to protect you even from unknown script-viruses. This enables
the program to successfully detect all variations of the �LoveLetter'
virus," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky
Procedures for removal of the virus have already been added to the daily
update of AntiViral Toolkit Pro (AVP).
AntiViral Toolkit Pro can be purchased online at the following address: http://www.digitalriver.com/dr/v2/ec_Main.Entry? SP=10007&SID=25571&CID=0.