
Thread: Questions about vbs.loveletter.as

  1. #1

    Questions about vbs.loveletter.as

    I contracted vbs.loveletter.as through Kazaa. It didn't do any damage that I can see, because it was automatically quarantined. But my computer seems to be running slower and performs more "illegal operations" than it did before. What exactly does the worm do? Are there any programs other than anti-virus stuff that can better protect my PC?

    BTW, I checked Google, and all I got was a lot of mumbo-jumbo I couldn't understand. I don't know too much and I don't pretend to be 1337.
    If at first you don't succeed, try again. Then give up. There is no sense in being ridiculous about things!

  2. #2
    Senior Member tampabay420
    Join Date
    Aug 2002
    VBS.Loveletter.AS is a Visual BASIC Script worm that is detected by Norton AntiVirus (NAV) as VBS.LoveLetter.Variant with virus definitions prior to August 28, 2000. This worm shares many of the properties of the VBS.LoveLetter worm. It spreads using Microsoft Outlook and overwrites files with a copy of itself.

    Technical Details:
    When executed, the worm copies itself into the following locations:

    Windows folder as Reload.vbs
    Windows\System folder as Linux32.vbs
    Windows\System folder as a randomly generated 4- to 8-character file ending in .gif.vbs, .jpg.vbs, or .bmp.vbs

    The worm checks whether Winfat32.exe exists in the Windows\System folder. If the file is present, the worm randomly sets the Internet Explorer Start Page to one of the following Web addresses:
    http:/ /members.fortunecity.com/plancolombia/macromedia32.zip
    http:/ /members.fortunecity.com/plancolombia/linux322.zip
    http:/ /members.fortunecity.com/plancolombia/linux321.zip

    Depending on which file is downloaded, the worm performs the following action:
    Copies Macromedia32.zip as the hidden file Important_note.txt in the Windows folder and modifies the registry to load this text file at startup.
    Copies Linux321.zip as \Windows\Syslogos.sys to replace the screen that is displayed when Windows has shut down.
    Copies Linux322.zip as \Windows\Logow.sys to replace the screen that is displayed when Windows is shutting down.

    The worm also creates the file Us-president-and-fbi-secrets.htm in the Windows folder, but this file is not loaded.

    The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all addresses in the Microsoft Outlook address book. The worm marks these recipients using the registry in an attempt to send them the mail only once.

    The randomly generated file names appear in all capital letters and are formatted so that every even numbered letter is a vowel, for example, SOXU, DEII, YIEUHUDI, BILALU, and so on.

    This Information was taken from: http://securityresponse.symantec.com...letter.as.html
    yeah, I'm gonna need that by friday...
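The file-name indicators listed in post #2, turned into a small checker as an added example (not part of the thread or of the Symantec write-up). The folder names assume a default `C:\WINDOWS` layout, and the sample listing is constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Fixed names from the write-up: lower-cased file name -> (expected parent folder, note).
# Assumption: default Windows 9x layout (C:\WINDOWS and C:\WINDOWS\SYSTEM).
FIXED = {
    "reload.vbs": ("windows", "worm copy (Reload.vbs)"),
    "linux32.vbs": ("system", "worm copy (Linux32.vbs)"),
    "important_note.txt": ("windows", "dropped note loaded at startup"),
    "us-president-and-fbi-secrets.htm": ("windows", "dropped HTML file"),
}

# Random copy: 4-8 capital letters, every even-numbered letter a vowel,
# followed by an image extension and then .vbs. The stem is matched
# case-sensitively (the write-up says all capitals); the extension is not.
RANDOM_COPY = re.compile(
    r"(?=[A-Z]{4,8}\.)(?:[A-Z][AEIOU])+[A-Z]?(?i:\.(?:gif|jpg|bmp)\.vbs)"
)

def classify(path):
    """Return a reason string if the path matches an indicator, else None."""
    p = PureWindowsPath(path)
    folder = p.parent.name.lower()
    hit = FIXED.get(p.name.lower())
    if hit and hit[0] == folder:
        return hit[1]
    if folder == "system" and RANDOM_COPY.fullmatch(p.name):
        return "random-name copy with image+.vbs double extension"
    return None

def scan(paths):
    """Return (path, reason) pairs for every path that matches an indicator."""
    return [(p, r) for p in paths if (r := classify(p))]

# Constructed sample listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\Reload.vbs",
    r"C:\WINDOWS\SYSTEM\Linux32.vbs",
    r"C:\WINDOWS\SYSTEM\YIEUHUDI.GIF.VBS",
    r"C:\WINDOWS\SYSTEM\BILALU.bmp.vbs",
    r"C:\WINDOWS\SYSTEM\PHOTO.JPG.VBS",   # double extension, but stem breaks the vowel rule
    r"C:\WINDOWS\SYSTEM\SOXU.JPG",        # stem fits, but no trailing .vbs
    r"C:\My Documents\reload.vbs",        # right name, wrong folder
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"{path}: {reason}")
```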

  3. #3
    Join Date
    Jul 2002
    I would suggest next time use easy-cd-creator which can load things directly into a CD-R without having to put it into the HD first then scan that disc. I told my friend to do this and he found out that whole cd he had burned was filled with virii. Every DLL and EXE either had trojans and worms so you are lucky just to only have one bad thing off of Kazaa instead of about 10 or 20.

    "It's easier to get rid of a CD than a HD" but when you load it you will have the same effect so be as careful as you possibly can be..... 'especially in Kazaa.'

  4. #4
    It's a gas!
    Join Date
    Jul 2002
    Every DLL and EXE was either had trojans and worms
    Well I don't use Kazaa that often but when I do I MAKE SURE I don't download any exe's, that's just plain dumb!

    Also watch out for the double-barrel file extensions!



  5. #5
    Wow guys...thanks!
    If at first you don't succeed, try again. Then give up. There is no sense in being ridiculous about things!
