Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

VBS.LoveLetter.BD

VBS.LoveLetter.BD

Updated:
13 February 2007
Also Known As:
Loveletter.AD, VBS/Contract, Trojan.PSW.Hooker.24.c
Download Removal Tool

This worm attempts to email itself to everyone in the Microsoft Outlook address book. The worm arrives as an email attachment named Resume.txt.vbs. The worm might steal online banking information for customers of the United Bank of Switzerland using their PIN software.

NOTE: This worm was previously detected as VBS.NewLove.A.

Antivirus Protection Dates

  • Initial Rapid Release version 08 August 2000
  • Latest Rapid Release version 28 September 2010 revision 054
  • Initial Daily Certified version 08 August 2000
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When first executed, this worm creates a file called Resume.txt in the current directory. The worm then attempts to open the file in Notepad. It appears as:
"Knowledge Engineer, Zurich"
"Intelligente Agenten im Internet sammeln Informationen, erklaren Sachverhalte im" "Customer Service, navigieren im Web, beantworten Email Anfragen oder verkaufen" "Produkte. Unsere Mandantin entwickelt und vermarktet solche Software-Bots: State of the" "Art des modernen E-Commerce. Auftraggeber sind fuhrende Unternehmen, die besonderen" "Wert auf ein effizientes Customer Care Management legen. Das weltweit aktive," "NASDAQ kotierte Unternehmen mit Sitz in Boston braucht zur Verstarkung seines" "explosiv wachsenden Teams in der Schweiz engagierte, hochmotivierte und kreative" "Spezialisten. Kurz: Sie haben es in der Hand, die Knowledge Facts fur aussergewohnliche" "Losungen im Internet zu realisieren und neue Schnittstellen zwischen Mensch und" "Datenautobahnen zu schaffen. Das Tor zur Welt steht Ihnen offen. Eine faszinierende" "Zukunft braucht Ihre Inspiration und Ihr Know-how.... "

While the Resume.txt file is being displayed, the worm continues its malicious actions. It copies itself into the Windows\System folder as Resume.txt.vbs. The worm then attempts to email itself to everyone in the Microsoft Outlook address book. Next, it sets a registry key so that it does not perform this action multiple times.

Finally, the worm searches for the registry key:
HKCU\Software\UBS\UBSPIN\Options\Datapath
  • If the registry key is found, the worm attempts to email the file defined at this registry key to three anonymous email addresses. This information might contain account information for customers of the United Bank of Switzerland using their PIN software.
  • If the registry key was found, the worm tries to download a file called Hcheck.exe. If it succeeds, the worm executes the file. This file is a Trojan horse and it attempts to capture all user information (such as Windows registration information and Internet passwords). Once executed, it also continously checks the keyboard buffer for any keystrokes.

Once the worm has performed its malicious actions, it attempts to delete all of the temporary files that it has created.
For more information regarding the PIN software from UBS bank, see the following article on the UBS Web site:
http://www.ubs.com/e/index/about/media/20000817a.html .

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Delete all detected files.
Writeup By: Neal Hindocha