View Full Version : Worm: VBS_LOVELETTER.BH


Techguy
November 21, 2000, 10:31 am
Worm: VBS_LOVELETTER.BH
--------------------------------------------------------------------------------
Aliases:
LOVELETTR.BH, Loveletter.variant

Description:
This is another variant of the VBS_LOVELETTER.A virus. It propagates via email like its predecessor; however, it has a unique characteristic. This variant creates 62 registry entries. Most of these registry entries are harmless, such as changing the Internet Explorer window title. However, some, like deactivating Internet Explorer security, may be harmful.

Solution:


To modify your registry and remove the files dropped by this virus, please run kill_lbh.exe (http://www.antivirus.com/vinfo/security/kill_lbh.exe) - tool provided by Trend Micro. (This tool does not delete VBS_LOVELETTER.BH; to delete this virus you need to run an antivirus program with the latest definitions. Note: not all AV programs detect this variant.)


------------------
Thank you for using Help From Techs Support Forums!
Please come again and remember to refer a friend to our site.

Techguy
November 21, 2000, 10:31 am
Worm: VBS_LOVELETTER.AS
--------------------------------------------------------------------------------
VBS_LOVELETTR.AS
Risk rating: low
Virus type: VBScript
Destructive: Y

Aliases:
LOVELETTR.AS, LOVELETTER.AS, VBS_COLOMBIA, COLOMBIA, PRESIDENT AND FBI SECRETS,

Description:
This destructive Visual Basic Script virus propagates via MS Outlook. Once executed, it sends itself as an attachment to all lists in the infected user's address book. If the current system date is November 7, the virus removes all connected network drives from the system.

Solution:
Scan your system with Trend antivirus and delete all files detected as VBS_LOVELETTR.AS. To do this Trend customers must download the latest pattern file and scan their system. Other email users may use Trend HouseCall, a free online virus scanner.

Manually delete the following dropped files:
c:\Windows\System\LINUX32.vbs
c:\Windows\reload.vbs
c:\Windows\important_note.txt
c:\Windows\System\US-PRESIDENT-AND-FBI-SECRETS.HTM

For the registry key:

In the Windows Start Menu, choose Run, type Regedit and then press Enter.
On the left panel, follow the path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Look for the registry key called LINUX32.
Delete the key by clicking it and pressing the Delete key.
Please do the same for the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\plan columbia



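The registry check from the VBS_LOVELETTER.AS post above, as an added example that is not part of the original posts or of Trend Micro's tooling: it scans a Regedit export in REGEDIT4 text format for the three startup entries the post names. The function names, the sample export and the data paths in it are constructed for illustration.

```python
import re

# Key path -> value names, taken from the removal steps in the post above.
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WATCHED = {
    RUN.lower(): {"linux32", "plan columbia"},
    (RUN + "Services").lower(): {"reload"},
}
SECTION = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Key]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

def unescape(s):
    # .reg exports escape backslashes and quotes inside quoted strings.
    return re.sub(r"\\(.)", r"\1", s)

def find_entries(reg_text):
    """Return (key, value name, data) for each watched startup entry."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, data = unescape(m.group(1)), m.group(2)
        # Registry key and value names are case-insensitive.
        if name.lower() in WATCHED.get(key.lower(), ()):
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            hits.append((key, name, data))
    return hits

# Constructed sample export; the data paths are illustrative only.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LINUX32"="C:\\WINDOWS\\SYSTEM\\LINUX32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\WINDOWS\\reload.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reload"="C:\\tools\\reload.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_entries(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```

A value with a watched name under any other key, such as the HKEY_CURRENT_USER entry in the sample, is not reported, because the post lists the entries only under HKEY_LOCAL_MACHINE.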