W32/Admirer@MM
- Type: Virus
- SubType: Worm
- Discovery Date: 02/14/2002
- Length: 96,768 bytes
- Minimum DAT: 4187 (02/20/2002)
- Updated DAT: 4425 (02/02/2005)
- Minimum Engine: 5.1.00
- Description Added: 02/14/2002
- Description Modified: 02/20/2002 7:09 PM (PT)
Characteristics
This threat is detected with the 4140 DATS (or newer) as New BackDoor or New Worm when scanning with program heuristics enabled. Exact detection was included in the 4187 DATs, released on Feb 20. Avert has not received any field samples of this threat.
This mass-mailing worm poses as a Macromedia Flash movie. It arrives in an email message containing the following information:
Subject: ...when sleepers wake and yet still dream...
or Subject: Be Mine ?!
or Subject: From Me To You
or Subject: Good night, sweet prince, and flights of angels sing thee to thy rest
or Subject: Happy Valentines
or Subject: I can express no kinder sign of love, than this kind kiss
or Subject: Love at first sight
or Subject: O, beauty, till now I never knew thee!
or Subject: Poetry is an echo, asking a shadow to dance
or Subject: Romance from Afar
or Subject: Romantic gesture
or Subject: Secret Admirer
or Subject: Somebody Loves You
or Subject: Thy eternal summer shall not fade
or Subject: Yours Always
Body:
Febuary Feelings
It's that time of year again.
But I'm still only sedning a card to you.
Sender's name
or Body:
In this life we cannot do great things.
We can only do small things with great love.
Sender's name
or Body:
Hi
I feel like a child sending you this card
but I just had to do it.
Sender's name
or Body:
...and every breath I ever took,
every tear I ever wept,
Every star I wished upon,
Seemed nothing until now.
Sender's name
or Body:
Happy Valentines
I hope you like the card I've attached,
even if you don't feel the same.
Sender's name
Attachment: ValentineCard.exe
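A mail-gateway triage check built from the subjects and attachment name listed above, as an added example (not McAfee's detection logic). The function name `triage`, the verdict labels and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Indicators taken from the description above.
ATTACHMENT = "valentinecard.exe"
SUBJECTS = {s.lower() for s in (
    "...when sleepers wake and yet still dream...", "Be Mine ?!",
    "From Me To You", "Happy Valentines", "Love at first sight",
    "Good night, sweet prince, and flights of angels sing thee to thy rest",
    "I can express no kinder sign of love, than this kind kiss",
    "O, beauty, till now I never knew thee!", "Romance from Afar",
    "Poetry is an echo, asking a shadow to dance", "Romantic gesture",
    "Secret Admirer", "Somebody Loves You", "Yours Always",
    "Thy eternal summer shall not fade",
)}

def triage(raw: bytes) -> dict:
    """Report which of the page's mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words in headers for us.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    # walk() visits nested MIME parts; get_filename() reads the
    # Content-Disposition filename or the Content-Type name parameter.
    names = [(p.get_filename() or "").strip().lower() for p in msg.walk()]
    hits = {"subject": subject in SUBJECTS, "attachment": ATTACHMENT in names}
    # Assumed policy: the attachment name decides; a subject alone is weak.
    hits["verdict"] = ("quarantine" if hits["attachment"]
                       else "review" if hits["subject"] else "pass")
    return hits

# Constructed sample message (not a captured sample); attachment body is a stub.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\n"
    b"Subject: =?utf-8?q?Secret_Admirer?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="x"\r\n\r\n'
    b"--x\r\nContent-Type: text/plain\r\n\r\nHi\r\n"
    b"--x\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="VALENTINECARD.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--x--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```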
Executing the attachment infects the local machine. The worm copies itself to the WINDOWS SYSTEM directory as ValentineCard.exe and creates a registry run key to load itself at startup.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 14th=C:\WINDOWS\SYSTEM\ValentineCard.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Valentine=true
Symptoms
Presence of C:\EVIL.JPG or %SysDir%\ValentineCard.exe
Method of Infection
Executing this worm causes it to email itself to all recipients found in the Microsoft Outlook Address Book. It does not contain any damaging payloads.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Valcard (AVP)