Symantec

Symantec Security Response
http://securityresponse.symantec.com

VBS.LoveLetter.CD

Category 2
Discovered on: February 07, 2001
Last Updated on: July 29, 2004 06:38:30 PM

This worm spreads as an email attachment, CARTOLINA.VBS. If your computer is infected by this worm, it will use the Microsoft Outlook address book to propagate itself. It cannot propagate itself if Outlook is not installed on your computer.
It tries to send itself out each time that the attachment is executed. It also changes the default pages of Internet Explorer.

Norton AntiVirus currently detects this as VBS.LoveLetter.Variant.
 
Removal tool link: http://securityresponse.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html

Also Known As: CARTOLINA.A, VBS_LOVELETTER.CD, VBS/LOVELETTER.CD, VBS/JER
Type: Worm
Infection Length: 2070

protection
  • Virus Definitions (Intelligent Updater): February 07, 2001

    threat assessment

    Wild: Low
    Damage: Low
    Distribution: High

    technical details

    The following is a sample of a VBS.LoveLetter.CD email message:

    Subject: C'è una cartolina per te!

    Message Body: Ciao, un tuo amico ti ha spedito una cartolina virtuale... mooolto particolare!

    Attachment: CARTOLINA.VBS

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
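
The attachment-blocking recommendation above can be sketched as a mail-filter check. This is an added example, not part of the Symantec write-up or any Symantec product: the function names, the example.com addresses, and the sample message (built from the subject, body, and attachment name quoted under technical details, with a harmless placeholder payload) are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions listed in the recommendation above.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def is_blocked(filename):
    """True if the attachment's final extension is on the block list."""
    # Compare case-insensitively and ignore trailing dots/spaces, which
    # Windows drops when the file is saved.
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS

def blocked_attachments(raw_bytes):
    """Parse a raw RFC 5322 message and return the blocked attachment names."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decoded Content-Disposition filename
        if name and is_blocked(name):
            hits.append(name)
    return hits

def build_sample(filenames):
    """Constructed test message; the payload is a comment, not worm code."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "C'è una cartolina per te!"
    msg.set_content("Ciao, un tuo amico ti ha spedito una cartolina "
                    "virtuale... mooolto particolare!")
    for name in filenames:
        msg.add_attachment(b"' constructed placeholder\r\n",
                           maintype="application",
                           subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample(["CARTOLINA.VBS", "readme.txt"])
    for name in blocked_attachments(raw):
        print("quarantine:", name)
```
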

    removal instructions

    Current virus definitions detect this worm as VBS.LoveLetter.Variant. If an attachment is detected as infected with VBS.LoveLetter.Variant, it should be deleted.

    Virus definitions that detect this variant with the new variant name, VBS.LoveLetter.CD, will be available in the next definition update to be released on February 14, 2001. To obtain the new definition earlier than that date, if you suspect a file is infected with VBS.LoveLetter.CD, you can submit the file to SARC using Scan & Deliver (submit the file from Norton AntiVirus Quarantine).

    Corporate customers can also obtain Spec Definitions (Beta definitions that have not yet been through the full testing process) from their usual sources. (This is not necessary for most users. Current definitions will protect you from this threat; run LiveUpdate to obtain the most recent virus definitions.)


    Write-up by: JP Duan and Douglas Knowles