McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• virus_warning.jpg.vbs

Characteristics

*Note: Ensure that the extensions .VBS, .HTM are included when scanning.*

This variant was posted to a newsgroup anonymously and is a minor variant of VBS/Loveletter.a.

This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:

Subject "Dangerous Virus Warning"
Message "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it."
Attachment "virus_warning.jpg.vbs"

If the user runs the attachment, the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself and writes an .HTM file in the following places :

WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\SYSTEM\VIRUS_WARNING.JPG.VBS
WINDOWS\SYSTEM\URGENT_VIRUS_WARNING.HTM

It also adds the registry keys :

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

This worm searches all drives connected to the host system and replaces the following files:

*.JPG
*.JPEG

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.CSS
*.DOC
*.GIF
*.HTA
*.HTM
*.HTML
*.JS
*.JSE
*.SCT
*.TXT
*.VBE
*.VBS
*.WAV
*.WSH
*.XLS

with copies of itself except with a .VBS extension.

This virus locates instances of the following file types:

*.MP3
*.MP2

and if found, makes them hidden and copies itself as these filenames except with .VBS extension. For isntance, if file exists as '2PAC.MP3', this now becomes a hidden file and the virus is copied as '2PAC.MP3.VBS'.

The worm creates a file 'Urgent_virus_warning.htm' and modifies the SCRIPT.INI file with intentions to send the file however due to a typo, the file is never sent.

The title of the .HTM page is 'Dangerous Virus Warning'. The content of the page is also suspicious:

To view the picture please follow the instructions
Select [YES] for your viewing pleasure

Choosing the YES option will run the Java script embedded in the file which contains the virus code.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This virus modifies the Internet Explorer start page to download a program from Tucows.com called 'E-Mail Remover' in a file named 'SETUP24.EXE'. This is a program and not a trojan.

Symptoms

Existence of files mentioned above, replacement of files as mentioned above. Email propagation as described above. IRC file distribution as mentioned above.

Method of Infection

This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system, and also to all available drives, send via email message as an attachment and also via IRC if installed.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• virus_warning.jpg.vbs

Characteristics

Characteristics -

*Note: Ensure that the extensions .VBS, .HTM are included when scanning.*

This variant was posted to a newsgroup anonymously and is a minor variant of VBS/Loveletter.a.

This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:

Subject "Dangerous Virus Warning"
Message "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it."
Attachment "virus_warning.jpg.vbs"

If the user runs the attachment, the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself and writes an .HTM file in the following places :

WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\SYSTEM\VIRUS_WARNING.JPG.VBS
WINDOWS\SYSTEM\URGENT_VIRUS_WARNING.HTM

It also adds the registry keys :

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

This worm searches all drives connected to the host system and replaces the following files:

*.JPG
*.JPEG

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.CSS
*.DOC
*.GIF
*.HTA
*.HTM
*.HTML
*.JS
*.JSE
*.SCT
*.TXT
*.VBE
*.VBS
*.WAV
*.WSH
*.XLS

with copies of itself except with a .VBS extension.

This virus locates instances of the following file types:

*.MP3
*.MP2

and if found, makes them hidden and copies itself as these filenames except with .VBS extension. For isntance, if file exists as '2PAC.MP3', this now becomes a hidden file and the virus is copied as '2PAC.MP3.VBS'.

The worm creates a file 'Urgent_virus_warning.htm' and modifies the SCRIPT.INI file with intentions to send the file however due to a typo, the file is never sent.

The title of the .HTM page is 'Dangerous Virus Warning'. The content of the page is also suspicious:

To view the picture please follow the instructions
Select [YES] for your viewing pleasure

Choosing the YES option will run the Java script embedded in the file which contains the virus code.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This virus modifies the Internet Explorer start page to download a program from Tucows.com called 'E-Mail Remover' in a file named 'SETUP24.EXE'. This is a program and not a trojan.

Symptoms

Symptoms -

Existence of files mentioned above, replacement of files as mentioned above. Email propagation as described above. IRC file distribution as mentioned above.

Method of Infection

Method of Infection -

This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system, and also to all available drives, send via email message as an attachment and also via IRC if installed.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

N/A