VBS/Renalo@MM

Type: Virus
SubType: VBScript worm
Discovery Date: 12/26/2002
Length: 15,190
Minimum DAT: 4241 (01/08/2003)
Updated DAT: 4241 (01/08/2003)
Minimum Engine: 5.1.00
Description Added: 12/31/2002
Description Modified: 12/31/2002 12:36 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This is a VBScript worm, which requires the Windows Scripting Host in order to run. It is detected as a variant of New Script with macro and script heuristics enabled.

When run, it first displays a message box:

It then sends email to all users in the Windows Outlook address book using MAPI addressing. The email subject is chosen randomly from the following list:

  • "Re:"
  • "Exciting Photos"
  • "Photos XXX"
  • "Sensual photos"
The email body is one of the following:
  • "hi check these super photos"
  • "check my exciting photos"
  • "look these exciting photos"
  • "Please check my photos in beach"
  • "Sensual photos single for you "
The worm intends to send itself as an attachment. During our lab test, it failed to send the attachment.

The worm creates the following registry keys in order to run at Windows start up. It also changes autoexec.bat for the same purpose.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "System"="C:\Windows\System 32\*.JPEG.vBS"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WINFT" = "C:\WINNT\NT.JPEG.vBS"
The worm creates or modifies registry keys to enable Kazaa file sharing, and changes the desktop wallpaper to c:\wallpaper.HTM, which is a modified copy of the worm itself.

The worm searches the local hard drive for the following peer-to-peer file sharing folders and copies itself to these folders.

  • \KaZaA\My Shared Folder\
  • \ICQ\shared files\
  • \eDonkey2000\incoming\
  • \bearshare\shared\
  • \Grokster\My Grokster\
  • \Morpheus\My Shared Folder\
The file name is randomly chosen from a list of 73 names with the .vbs extension. If the mIRC client is installed on the machine, the worm creates a script.ini file, which can send itself via IRC channels. The worm also searches for a list of antivirus product directories and deletes all the files they contain. The worm copies itself to all subfolders of the local hard drive with the file name "Lorena-te-amo.vbs".

Symptoms

Presence of the Lorena-te-amo.vbs file and registry keys mentioned above.
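The indicators above (the two Run-key values, the Lorena-te-amo.vbs drop name, VBScript files in the listed peer-to-peer shared folders, and a script.ini under the mIRC directory) can be checked offline against a registry export and a file listing. The script below is an added example for this page and is not McAfee's tooling; the .reg export and file paths it scans are constructed sample data, and the rule that flags any Run value ending in .JPEG.vBS is an assumption generalizing the two entries listed above ("*.JPEG.vBS" with a random base name, and "NT.JPEG.vBS").

```python
import re

# Autorun key the description lists as the worm's persistence location.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Drop name given in the Symptoms section (compared case-insensitively).
WORM_FILE_NAME = "lorena-te-amo.vbs"
# Peer-to-peer shared folders from the description, lower-cased for matching.
P2P_FOLDERS = [
    r"\kazaa\my shared folder",
    r"\icq\shared files",
    r"\edonkey2000\incoming",
    r"\bearshare\shared",
    r"\grokster\my grokster",
    r"\morpheus\my shared folder",
]

# Constructed sample of a .reg export (not a real capture). The worm's "*" base
# name is stood in for by "beach"; .reg files escape backslashes as "\\".
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System"="C:\\Windows\\System 32\\beach.JPEG.vBS"
"WINFT"="C:\\WINNT\\NT.JPEG.vBS"
"""

# Constructed sample file listing (not from a real machine).
SAMPLE_PATHS = [
    r"C:\My Documents\Lorena-te-amo.vbs",
    r"C:\Program Files\KaZaA\My Shared Folder\beach.vbs",
    r"C:\Program Files\KaZaA\My Shared Folder\song.mp3",
    r"C:\mIRC\script.ini",
    r"C:\Windows\win.ini",
]

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: data} for string values under RUN_KEY in a .reg export."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION_RE.match(line)
        if section:
            in_run_key = section.group(1).lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        value = _VALUE_RE.match(line)
        if value:
            # Undo .reg escaping of quotes and backslashes inside string data.
            data = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            values[value.group(1)] = data
    return values


def find_registry_indicators(run_values: dict) -> list:
    """Flag Run-key values matching the autorun entries in the description."""
    hits = []
    for name, data in run_values.items():
        if data.lower().endswith(".jpeg.vbs"):
            # Double extension passing a script off as an image (assumed rule
            # covering both "*.JPEG.vBS" and "NT.JPEG.vBS").
            hits.append((name, data, "double-extension .JPEG.vBS script in Run key"))
        elif name.upper() == "WINFT":
            hits.append((name, data, "value name WINFT from the description"))
    return hits


def find_file_indicators(paths) -> list:
    """Flag paths matching the file-system indicators in the description."""
    hits = []
    for path in paths:
        lowered = path.lower().replace("/", "\\")
        directory, _, name = lowered.rpartition("\\")
        if name == WORM_FILE_NAME:
            hits.append((path, "worm copy name from the Symptoms section"))
        elif name.endswith(".vbs") and any(f in directory for f in P2P_FOLDERS):
            # The P2P copy uses one of 73 random names, so any .vbs here is reviewed.
            hits.append((path, "VBScript in a peer-to-peer shared folder"))
        elif name == "script.ini" and "\\mirc" in directory:
            hits.append((path, "mIRC script.ini present (worm adds one; review it)"))
    return hits


if __name__ == "__main__":
    for hit in find_registry_indicators(parse_run_values(SAMPLE_REG_EXPORT)):
        print("registry:", hit)
    for hit in find_file_indicators(SAMPLE_PATHS):
        print("file:", hit)
```

On a live machine the two inputs would come from `reg export` of the Run key and a recursive directory listing; a hit on the Run key is a strong indicator, while a .vbs in a shared folder or an mIRC script.ini only warrants review, since both can exist legitimately.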

Method of Infection

The worm can spread via peer-to-peer network shares and IRC channels.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Lorena (AVP)