Beware of a Résumé with an Offer Too Good to Be True

15 Aug 2000
Virus News

Yet another "LoveLetter" variation is masquerading as a résumé

Cambridge, UK, August 16, 2000 - Kaspersky Lab Int., an international anti-virus software development company, announced today the discovery of another variation of the "LoveLetter" script-virus, which became infamous earlier this year in May. The virus, known under the technical name "I-Worm.LoveLetter.bd", is found in the wild. To date, Kaspersky Lab has received several reports about infections in Switzerland and Russia.

The virus uses a well-known psychological trick to entice a user to open the infected file RESUME.TXT.VBS (attached to an e-mail message) by offering the opportunity to view the résumé of a Swiss Internet company looking for an Internet programmer. After the infected attachment has been executed, the virus automatically opens the Notepad word processor (bundled by default with all Windows versions) and shows the following text:

Knowledge Engineer, Zurich


Intelligente Agenten im Internet sammeln Informationen, erkluren Sachverhalte im
Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen
Produkte.

[text omitted]

Simultaneously, the virus clandestinely gains access to the Outlook mail program and, just as the original "LoveLetter", sends out copies of itself containing the attached infected "résumé" file to all the entries in the Outlook address book.

The most distinctive feature of the virus is that it is able to download additional malicious components from the Internet to the infected PC. However, this feature is active only if the user is running UBS software produced by the Union Bank of Switzerland for conducting online banking transactions.

Without the user's knowledge, the virus tries to connect to one of three Web sites in order to download the file HCHECK.EXE, which contains the Trojan program "Hooker." "Hooker," in turn, collects user information from the infected PC, including name, company, installed software, address, logins, and passwords for Internet access. It also intercepts the keyboard buffer and tracks all the keystrokes typed on the computer. The Trojan then sends this information to an anonymous e-mail address obviously owned by the virus author.

It should be highlighted that the Trojan component has been downloaded from the Web sites of several major governmental and educational establishments having no strict access policy to their content. Among these establishments are Michigan State University and the U.S. National Institutes of Health. Inadvertently, all users have full access to the public upload directory, which enables them not only to upload files, but also to download them. It is this breach that is exploited by the virus to prevent the author's location from being revealed.

In order to prevent infection from this virus, Kaspersky Lab recommends that under no circumstances should the attachment RESUME.TXT.VBS be opened. The same applies to other unexpected attachments received by e-mail, whether from unknown persons or from colleagues and friends.
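
As an added example (not Kaspersky Lab's code and not part of the original advisory), the following mail-gateway style check flags the naming trick used by RESUME.TXT.VBS: a harmless-looking extension followed by a script or program extension. The extension lists, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists (not from the advisory): extensions Windows runs as scripts or
# programs, and harmless-looking extensions used as a decoy in front of them.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                   "exe", "scr", "pif", "bat", "cmd", "com"}
DECOY_EXTS = {"txt", "doc", "rtf", "pdf", "jpg", "gif", "htm", "html"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # With known extensions hidden, NAME.TXT.VBS is displayed as NAME.TXT.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Return [(filename, verdict)] for each risky attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and classify_filename(filename) != "ok":
            findings.append((filename, classify_filename(filename)))
    return findings


def build_sample():
    """Constructed sample message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Resume"
    msg.set_content("See attachment.")
    msg.add_attachment(b"inert placeholder", maintype="application",
                       subtype="octet-stream", filename="RESUME.TXT.VBS")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A gateway would typically quarantine "double-extension" hits outright and apply policy to plain "executable" ones.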

In addition, Kaspersky Lab recommends that users install AVP Script Checker - the ultimate anti-virus plug-in to protect you against script-viruses including those from the "LoveLetter" family. It effectively blocks script-viruses without requiring any updates to the anti-virus database. "Script Checker utilizes the unique technology of intercepting the script-viruses directly in the system memory. Additionally, it is powered by the world's first heuristic code analyser to protect you even from unknown script-viruses. This enables the program to successfully detect all variations of the 'LoveLetter' virus," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.

Procedures for removal of the virus have already been added to the daily update of AntiViral Toolkit Pro (AVP).

AntiViral Toolkit Pro can be purchased online at the following address: http://www.digitalriver.com/dr/v2/ec_Main.Entry?SP=10007&SID=25571&CID=0.