©1995-2009 Symantec Corporation.
All rights reserved.


VBS.Plan

Category 2

VBS.Plan is a Visual BASIC Script worm that is detected by Norton AntiVirus (NAV) as VBS.LoveLetter.Variant with virus definitions prior to Aug. 28, 2000. This worm shares many of the properties of the VBS.LoveLetter worm. It spreads using MS Outlook and overwrites files with a copy of itself.

Also Known As: VBS.President.Worm, VBS/Columbia, VBS.LoveLetter.AS, VBS.LoveLetter.BJ, I-Worm.Plan
Type: Worm
Infection Length: 12,609 bytes

protection
  • Virus Definitions (Intelligent Updater)
  • June 15, 2000

    threat assessment

    Threat Metrics

    Wild: Low
    Damage: Medium
    Distribution: High

    Damage

    • Payload Trigger: September 17th, and/or execution of the email attachment
    • Payload: Overwrites files and disconnects all mapped network drives
      • Large scale e-mailing: Sends itself to all addresses in the Microsoft Outlook address book.
      • Modifies files: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .jpg, .jpeg, .mp3, and .mp2. Files with extensions of .mp2 and .mp3 are hidden from the user by setting the hidden directory attribute. The overwritten files can be recovered if the user is running NProtect from Norton SystemWorks or Norton Utilities at the time of infection. Replaces logow.sys and logos.sys.
      • Causes system instability: Might overload email servers.

    Distribution

    • Subject of email: US PRESIDENT AND FBI SECRETS =PLEASE VISIT = (HTTP://WWW.2600.COM)<= or a randomly generated 6 letter word displayed in all capital letters, or it might be blank.
    • Name of attachment: Randomly generated 4-8 letter file name ending with .gif.vbs, .bmp.vbs, or .jpg.vbs.
    • Size of attachment: 12,609 bytes
    • Target of infection: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .jpg, .jpeg, .mp3, and .mp2. Files with extensions of .mp2 and .mp3 are hidden from the user by setting the hidden directory attribute.

    technical details

    When executed, the worm copies itself into the following locations:

    • Windows folder as Reload.vbs
    • Windows\System folder as Linux32.vbs
    • Windows\System folder as a randomly generated 4- to 8-character file ending in .gif.vbs, .jpg.vbs, or .bmp.vbs

    The worm checks whether Winfat32.exe exists in the Windows\System folder. If the file is present, the worm randomly sets the Internet Explorer Start Page to one of the following Web addresses:
    Depending on which file is downloaded from that address, the worm performs one of the following actions:
    • Copies Macromedia32.zip as the hidden file Important_note.txt in the Windows folder and modifies the registry to load this text file at startup.
    • Copies Linux321.zip as \Windows\Syslogos.sys to replace the screen that is displayed when Windows has shut down.
    • Copies Linux322.zip as \Windows\Logow.sys to replace the screen that is displayed when Windows is shutting down.

    The worm also creates the file Us-president-and-fbi-secrets.htm in the Windows folder, but this file is not loaded.

    The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all addresses in the Microsoft Outlook address book. The worm marks these recipients using the registry in an attempt to send them the mail only once.

    The randomly generated file names appear in all capital letters and are formatted so that every even-numbered letter is a vowel, for example, SOXU, DEII, YIEUHUDI, BILALU, and so on.
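    The naming rule above, together with the double extensions and the 12,609-byte attachment size listed under Distribution, is enough to write a mail-gateway check. The following is an added example and not Symantec's detection logic: it matches the name generator as described (4 to 8 letters with a vowel at every even-numbered position), deliberately compares in upper case so that a client that re-cases file names does not defeat the check, and treats the six-letter all-capital subject only as weak corroborating evidence. The sample messages are constructed, not captured samples.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the write-up. Everything below is an added example,
# not Symantec's detection logic.
WORM_SIZE = 12609                       # "Infection Length: 12,609 bytes"
WORM_EXTENSIONS = (".gif.vbs", ".bmp.vbs", ".jpg.vbs")
KNOWN_SUBJECT = "US PRESIDENT AND FBI SECRETS =PLEASE VISIT = (HTTP://WWW.2600.COM)<="
VOWELS = frozenset("AEIOU")


def has_worm_name_pattern(stem: str) -> bool:
    """Match the generator described in the write-up: 4-8 letters, shown in
    capitals, with a vowel at every even-numbered position (2nd, 4th, ...).
    Comparison is done in upper case (a deliberate generalisation) so that a
    client that re-cases the file name does not defeat the check."""
    stem = stem.upper()
    if not (4 <= len(stem) <= 8) or not stem.isalpha():
        return False
    # 1-based positions 2, 4, 6, 8 are 0-based indices 1, 3, 5, 7.
    return all(ch in VOWELS for ch in stem[1::2])


def attachment_matches(filename: str, size: Optional[int] = None) -> bool:
    """True when the attachment has one of the worm's double extensions and a
    stem that fits the name generator; an explicit size, if given, must also
    equal the worm's length."""
    lower = filename.lower()
    ext = next((e for e in WORM_EXTENSIONS if lower.endswith(e)), None)
    if ext is None:
        return False
    stem = filename[:-len(ext)]
    if not has_worm_name_pattern(stem):
        return False
    return size is None or size == WORM_SIZE


def classify_message(subject: str, attachments: List[Tuple[str, int]]) -> List[str]:
    """Return the reasons a gateway would give for quarantining a message."""
    reasons = []
    if subject.strip() == KNOWN_SUBJECT:
        reasons.append("known worm subject")
    elif re.fullmatch(r"[A-Z]{6}", subject.strip()):
        reasons.append("six-letter all-capital subject")   # weak on its own
    for name, size in attachments:
        if attachment_matches(name, size):
            reasons.append(f"worm-pattern attachment {name} ({size} bytes)")
    return reasons


# Constructed sample messages (not captured samples): (subject, [(name, size)]).
SAMPLE_MESSAGES = [
    (KNOWN_SUBJECT, [("SOXU.gif.vbs", 12609)]),
    ("BUDGET", [("agenda.doc", 24576)]),                  # weak indicator only
    ("", [("BILALU.jpg.vbs", 12609)]),                    # blank subject variant
    ("quarterly numbers", [("REPORT.gif.vbs", 12609)]),   # stem fails vowel rule
]


def quarantine_candidates(messages=SAMPLE_MESSAGES) -> List[int]:
    """Indices of messages that carry a worm-pattern attachment."""
    return [i for i, (subj, atts) in enumerate(messages)
            if any(r.startswith("worm-pattern attachment")
                   for r in classify_message(subj, atts))]


if __name__ == "__main__":
    for i, (subj, atts) in enumerate(SAMPLE_MESSAGES):
        print(i, classify_message(subj, atts))
    print("quarantine:", quarantine_candidates())
```

    Only the attachment test drives the quarantine decision; the subject heuristics are reported so an analyst can see why a message was held, but a six-letter capitalised subject on its own would produce far too many false positives to act on.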

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    To remove this worm, perform the following steps in the order presented (detailed instructions follow):

    • Verify that NAV is set to scan all files.
    • Restart the computer in Safe Mode.
    • Scan the computer for infected files.
    • Delete the Us-president-and-fbi-secrets.htm and files with a .vbs extension.
    • Remove worm entries from the registry.
    • (Optional) Restore copies of Logos.sys and Logow.sys
    • (Optional) Recover infected image files.

    To verify that NAV is set to scan all files:
    • NAV 4.0/5.0:
      1. Start NAV.
      2. Click Options.
      3. Click the Scanner tab.
      4. Click All files, and then click OK.
    • NAV 2000/2001
      1. Start NAV.
      2. Click Options.
      3. Click Manual Scans.
      4. Under "File types to scan," click All files, and then click OK.
    To restart the computer in Safe Mode:
    • Windows 95:
      1. Exit all programs, and then shut down the computer.
      2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
      3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
      4. Type the number for Safe Mode, and then press Enter.
    • Windows 98 or Windows Me:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all programs, and then shut down the computer.
      6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
      7. Turn on the computer, and wait for the menu.
      8. Type the number for Safe Mode, and then press Enter.

        NOTE: After you have completed all of the steps in this document, you may repeat steps 1 through 4, and in step 4, uncheck Enable Startup Menu. The next time you restart the computer, you will not see the Startup menu.
    To scan the computer for infected files:
    Scan your computer with NAV, and delete any files that NAV detects as infected.

    To delete the Us-president-and-fbi-secrets.htm file and files with a .vbs extension:
    First, configure Windows to show all files, and then find and delete the worm's .htm and .vbs files. Here are the steps:

    To show all files:
    1. Start Windows Explorer.
    2. Click the View menu, and click Options or Folder options.
    3. Click the View tab, and uncheck (if it is checked) "Hide file extensions for known file types."
    4. Click Show all files, and then click OK.

    To find the worm's files:
    1. Click Start, point to Find, and click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the Named box, type us*.htm and then click Find Now.
    4. If the Us-president-and-fbi-secrets.htm file is found, select it and press the Delete key.
    5. Click New Search, and then click OK to confirm.
    6. In the Named box, type *.vbs and click Find Now.
    7. If any files are found, you should in most cases delete them because they probably have been overwritten by the worm. If these are .vbs files that you have created or downloaded for a specific purpose, you should move them to external media, such as a floppy disk.

    To remove worm entries from the registry:

    CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and click OK. The Registry Editor opens.

      NOTE: For information about how to edit the registry, click Help and then click Help Topics. See the information regarding Changing Keys and Values.
    3. Navigate to the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    4. Look for the following String values in the right pane:

      plan columbia
      linux32
      reload

    5. If any of these exist, select each in turn, press the Delete key, and then click Yes to confirm.
    6. Navigate to the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    7. Look for the following String value in the right pane:

      reload
    8. If this entry exists, select the entry and then press the Delete key.
    9. Exit the Registry Editor.
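    The registry and file indicators given in the technical details and in the removal steps (the Run and RunServices value names, the dropped copies Reload.vbs, Linux32.vbs, Important_note.txt and Us-president-and-fbi-secrets.htm, and the 12,609-byte length) can be checked without opening the Registry Editor by hand. The following is an added example, not Symantec's removal tool: it parses a REGEDIT4-style export such as regedit produces, reports the worm's startup values, and scans a directory listing for the dropped files. The value data in the sample export and the directory listing are constructed for the example; the write-up gives only the value names.

```python
from typing import Dict, List, Tuple

# Indicators from the write-up's removal steps; everything else here is an
# added example, not Symantec's removal tool.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
WORM_RUN_VALUES = {
    RUN_KEY.lower(): {"plan columbia", "linux32", "reload"},
    RUNSERVICES_KEY.lower(): {"reload"},
}
WORM_FILE_NAMES = {"reload.vbs", "linux32.vbs", "important_note.txt",
                   "us-president-and-fbi-secrets.htm"}
WORM_SIZE = 12609   # "Infection Length: 12,609 bytes"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4-style export into {key path: {value name: data}}.
    Only the string-value form "name"="data" is handled, which is all the
    Run/RunServices values in question use."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")   # split at the first '=' only
        if not sep:
            continue
        name = name.strip().strip('"')
        # Exports double every backslash inside string data; undo that.
        keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_registry_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for every worm value named in the write-up."""
    hits = []
    for key, values in reg.items():
        wanted = WORM_RUN_VALUES.get(key.lower())
        if not wanted:
            continue
        for name, data in values.items():
            if name.lower() in wanted:
                hits.append((key, name, data))
    return hits


def find_file_indicators(listing: List[Tuple[str, int]]) -> List[str]:
    """Paths whose name is one the worm drops, or any .vbs of the worm's exact
    length (which also catches the randomly named copy in Windows\\System)."""
    hits = []
    for path, size in listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in WORM_FILE_NAMES or (name.endswith(".vbs") and size == WORM_SIZE):
            hits.append(path)
    return hits


# Constructed sample export (value data made up for the example).
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"linux32"="C:\\WINDOWS\\SYSTEM\\Linux32.vbs"
"reload"="C:\\WINDOWS\\Reload.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\WINDOWS\\Reload.vbs"
"""

# Constructed directory listing: (path, size in bytes).
SAMPLE_LISTING = [
    (r"C:\WINDOWS\Reload.vbs", 12609),
    (r"C:\WINDOWS\SYSTEM\Linux32.vbs", 12609),
    (r"C:\WINDOWS\SYSTEM\BILALU.gif.vbs", 12609),
    (r"C:\WINDOWS\Us-president-and-fbi-secrets.htm", 1200),
    (r"C:\WINDOWS\win.ini", 1500),
    (r"C:\Scripts\backup.vbs", 800),      # a legitimate script: not flagged
]


if __name__ == "__main__":
    for hit in find_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("registry:", hit)
    for path in find_file_indicators(SAMPLE_LISTING):
        print("file:", path)
```

    The file check deliberately does not flag every .vbs file, because step 7 of the search procedure above warns that some may be the user's own scripts; a .vbs of exactly the worm's length is the one case the write-up's data lets the script decide on its own.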

    (Optional) To restore copies of Logos.sys and Logow.sys:
    In some cases, VBS.Plan may infect the following files:
    • Logow.sys
    • Logos.sys

    These files are used by Windows to display the Windows shutdown messages. If you delete them, then when Windows shuts down you will not see the "Windows is shutting down" or the "It is now safe to turn off your computer" messages. This does not affect the ability of Windows to shut down. If you want to restore these files, you will need to use the Extract command (Windows 95) or the System File Checker (Windows 98). Please see your Windows documentation for information on how to do this.

    (Optional) To recover infected image files:
    If you have Norton Utilities and the Protected Recycle bin was enabled at the time of the infection, you can recover the deleted originals of many of the infected files. To do so, follow these steps:
    1. Right-click the Protected Recycle bin, and click Norton UnErase.
    2. When the wizard appears, click Next.
    3. At the next panel, hold down the Ctrl key and click each file that you want to restore.
    4. Click Restore.

    Additional information:

    Additional precautions that you can take:
    Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, need Windows Scripting Host in order to function properly.)

    • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
    • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
    • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
    • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document OLEXP: How to Disable Active Scripting in Outlook Express, Article ID: Q192846.


    Write-up by: Brian Ewell