W32/Lovelorn@MM
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 04/28/2003
- Length
- 102,400 - 103,508 Bytes
- Minimum DAT
- 4260 (04/30/2003)
- Updated DAT
- 4992 (03/26/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 04/29/2003
- Description Modified
- 05/08/2003 4:53 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
This threat has been assigned a risk assessment of Low-Profiled due to the media article at http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274044,00.htm. The worm is referred to as Nolor (aka Cailont) in this article.
This is a mass-mailing worm which uses its own SMTP engine to mail itself from the victim's machine, either as an executable or via a HTML dropper. The attachment will be named as follows:
- Executable attachment: %USERNAME%.KISS.OK.EXE
- HTML dropper attachment: %USERNAME%.HTM
where %USERNAME% is derived from the "From:" address of the message. Since the From: address may be spoofed (see below), %USERNAME% may take the following values:
- LOVE_LORN
- LOVELORN
- THUYQUYEN
- Other string taken from the spoofed "From:" address (for emailaddr@domain.com the string is 'emailaddr').
Installation
When the worm is executed the following files are written to the %SysDir% directory:
- Explorer.exe (copy of the worm)
- Bsbk.dll (base64 copy of the HTML dropper)
- Kernel32.exe (copy of the worm)
- mssys.dll (text file containing target email addresses)
- netdll.dll (copy of the worm)
- netsn.dll (base64 copy of the worm)
- serscg.dll (copy of the worm)
- setup.htm (html dropper)
The following Registry key is added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "explorer" = "C:\WINDOWS\SYSTEM\explorer.exe"
in order to execute the worm at each subsequent restart of the computer.
HTML dropper
The HTML dropper contains a VBScript which writes a copy of the worm to the temp folder as TEMP.EXE and executes it. The HTML dropper is detected as W32/Lovelorn.dr with the specified engine/DATs.
The HTML file contains some brief poetry (written in Vietnamese):
Tinh` cho khong bieu'
which roughly translates as:
Love given not told
Mass-Mailing
The worm uses its own SMTP engine to send itself out from the victim's machine. In testing the worm was observed to mail itself to email addresses harvested from DBX files on the victim machine.
The "From:" address may be spoofed using any of the following email addresses:
- lovelorn@yahoo.com
- love_lorn@yahoo.com
- thuyquyen@yahoo.com
- default SMTP email address on victim machine (determined from Registry)
- SMTP email address extracted from the victim machine (e.g. from DBX files)
Part of the attachment name is determined from the chosen "From:" address, using the local-part of the email address (e.g. "emailaddr" for emailaddr@domain.com). This string is prepended to ".KISS.OK.EXE" or ".HTM" for the executable and HTML dropper attachments respectively (as described above).
Various subject lines are used in outgoing messages, for example:
- There're some Passwords here
- Re:Get Password mail...
Various message bodies are also used, for example:
- Enjoy
- Read File attach .
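The attachment naming rule above (local-part of the From: address plus ".KISS.OK.EXE" or ".HTM") is specific enough to check at a mail gateway. The following is an added example, not code from the original description or from McAfee: it parses a raw message with Python's standard `email` module, derives the two attachment names the worm would use for that sender, and reports a match. The upper-casing of the derived name, the sample message and the weighting of sender and subject as secondary signals are assumptions of this example.

```python
"""Flag mail that matches the W32/Lovelorn@MM attachment naming scheme.

Added example, not part of the original description. A message whose
attachment name equals <From local-part>.KISS.OK.EXE or <From local-part>.HTM
(compared case-insensitively; the case folding is an assumption here) is
treated as a strong indicator. The spoofed sender addresses and subject
lines listed in the description are reported as corroborating signals only.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Sender addresses the worm is known to spoof (from the description).
SPOOFED_SENDERS = {"lovelorn@yahoo.com", "love_lorn@yahoo.com", "thuyquyen@yahoo.com"}
# Subject lines observed in outgoing messages (from the description), lower-cased.
KNOWN_SUBJECTS = {"there're some passwords here", "re:get password mail..."}
ATTACHMENT_SUFFIXES = (".KISS.OK.EXE", ".HTM")


def expected_attachment_names(from_header: str) -> set:
    """Derive the attachment names the worm would use for this From: header."""
    _, addr = parseaddr(from_header)
    local_part = addr.split("@", 1)[0]
    if not local_part:
        return set()
    return {(local_part + suffix).upper() for suffix in ATTACHMENT_SUFFIXES}


def attachment_names(msg: Message) -> list:
    """Collect the filenames of every part that carries one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message: str) -> dict:
    """Return which Lovelorn indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    _, addr = parseaddr(from_header)
    expected = expected_attachment_names(from_header)
    matched = [n for n in attachment_names(msg) if n.upper() in expected]
    subject = (msg.get("Subject") or "").strip().lower()
    return {
        "attachment_match": matched,
        "spoofed_sender": addr.lower() in SPOOFED_SENDERS,
        "known_subject": subject in KNOWN_SUBJECTS,
        # Only the naming rule decides the verdict; the other two fields are context.
        "verdict": "lovelorn" if matched else "clean",
    }


# Constructed sample message (not a real capture) built to the worm's naming scheme.
SAMPLE_MESSAGE = """\
From: lovelorn@yahoo.com
To: someone@example.com
Subject: There're some Passwords here
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Enjoy
--b1
Content-Type: application/octet-stream; name="LOVELORN.KISS.OK.EXE"
Content-Disposition: attachment; filename="LOVELORN.KISS.OK.EXE"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
```

Because the attachment name is tied to the sender address, a gateway rule built from `expected_attachment_names()` does not need a list of every local-part the worm might pick up from harvested addresses; it follows the From: header of each message.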
Floppy Propagation
Strings within the worm suggest the worm may also attempt to copy itself to floppies as: A:\NQH_Kiss_you.exe.
Process Killing
Strings within the worm suggest it attempts to terminate any processes whose names contain the following strings:
- BKAV
- NAVA
Symptoms
Presence of the files and Registry key detailed above.
Method of Infection
This worm mails itself using its own SMTP engine. It attaches itself directly to messages as an attachment named %USERNAME%.KISS.OK.EXE. It also mails itself via a HTML dropper, attachment name %USERNAME%.HTM.
%USERNAME% is derived from the From: address of the message (which itself may be spoofed).
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Nolor@mm (Symantec)
- W32/Cailont-A (Sophos)
- W32/Lovelorn.dr
- WORM_LOVELORN.A (Trend)