
W32/Admirer@MM

Type: Virus
SubType: Worm
Discovery Date: 02/14/2002
Length: 96,768 bytes
Minimum DAT: 4187 (02/20/2002)
Updated DAT: 4425 (02/02/2005)
Minimum Engine: 5.1.00
Description Added: 02/14/2002
Description Modified: 02/20/2002 7:09 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low


Characteristics

This threat is detected with the 4140 DATs (or newer) as New BackDoor or New Worm when scanning with program heuristics enabled. Exact detection was included in the 4187 DATs, released on Feb 20. Avert has not received any field samples of this threat.

This mass-mailing worm poses as a Macromedia Flash movie. It arrives in an email message containing the following information:

Subject: ...when sleepers wake and yet still dream...
or Subject: Be Mine ?!
or Subject: From Me To You
or Subject: Good night, sweet prince, and flights of angels sing thee to thy rest
or Subject: Happy Valentines
or Subject: I can express no kinder sign of love, than this kind kiss
or Subject: Love at first sight
or Subject: O, beauty, till now I never knew thee!
or Subject: Poetry is an echo, asking a shadow to dance
or Subject: Romance from Afar
or Subject: Romantic gesture
or Subject: Secret Admirer
or Subject: Somebody Loves You
or Subject: Thy eternal summer shall not fade
or Subject: Yours Always

Body:
Febuary Feelings
It's that time of year again.
But I'm still only sedning a card to you.
Sender's name

or Body:
In this life we cannot do great things.
We can only do small things with great love.
Sender's name

or Body:
Hi
I feel like a child sending you this card
but I just had to do it.
Sender's name

or Body:
...and every breath I ever took,
every tear I ever wept,
Every star I wished upon,
Seemed nothing until now.
Sender's name

or Body:
Happy Valentines
I hope you like the card I've attached,
even if you don't feel the same.
Sender's name

Attachment: ValentineCard.exe
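
A mail-gateway triage check built from the subject lines and attachment name listed above, as an added example that is not the vendor's detection logic. The `triage` and `sample` helpers, the verdict names and the "review" heuristic are assumptions of this example, and the test messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment name copied from the description above.
SUBJECTS = {s.lower() for s in (
    "...when sleepers wake and yet still dream...", "Be Mine ?!",
    "From Me To You", "Happy Valentines", "Love at first sight",
    "Good night, sweet prince, and flights of angels sing thee to thy rest",
    "I can express no kinder sign of love, than this kind kiss",
    "O, beauty, till now I never knew thee!", "Romance from Afar",
    "Poetry is an echo, asking a shadow to dance", "Romantic gesture",
    "Secret Admirer", "Somebody Loves You", "Yours Always",
    "Thy eternal summer shall not fade",
)}
ATTACHMENT = "valentinecard.exe"

def triage(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'pass' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words; collapse folding whitespace.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    names = [(p.get_filename() or "").strip().lower() for p in msg.walk()]
    # Keep only the basename in case a client sent a full path.
    names = [n.replace("\\", "/").rsplit("/", 1)[-1] for n in names if n]
    if ATTACHMENT in names:
        return "quarantine"   # exact attachment name from the description
    # Assumption: a listed subject plus any other .exe is worth a human look;
    # the subjects alone are ordinary phrases and are not treated as a hit.
    if subject in SUBJECTS and any(n.endswith(".exe") for n in names):
        return "review"
    return "pass"

def sample(subject, filename=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in (("Secret Admirer", "ValentineCard.exe"),
                     ("Be Mine ?!", "card.EXE"), ("Be Mine ?!", None)):
        print(subj, fn, "->", triage(sample(subj, fn)))
```
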

Executing the attachment infects the local machine. The worm copies itself to the WINDOWS SYSTEM directory as ValentineCard.exe and creates a registry run key to load itself at startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 14th=C:\WINDOWS\SYSTEM\ValentineCard.exe

It sends itself to all users found in the Microsoft Outlook Address Book using MAPI messaging. The worm also creates a registry key to record that it has run before.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Valentine=true

After the first run, the worm creates a WAV file, C:\EVIL.JPG, and opens it. Because the file has the wrong extension, it does not open properly.

Symptoms

Presence of C:\EVIL.JPG or %SysDir%\ValentineCard.exe

Method of Infection

Executing this worm causes it to email itself to all recipients found in the Microsoft Outlook Address Book. It does not contain any damaging payloads.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Valcard (AVP)
