- A NEW LOVE LETTER STYLE WORM DETECTED
Virus Name : VBS/Plan
Alias : I-Worm.LoveLetter,
Virus type : VBScript
level : Low
VBS/Plan is a new modified variant of the VBS/LoveLetter worm that uses Microsoft Outlook to spread. It also needs Windows Scripting Host to infect the system.
The email message subject will be "US PRESIDENT AND FBI SECRETS =PLEASE VISIT = > (http://WWW.2600.COM)<=" or a randomly selected name 6 characters long, created by the polymorphic routine. The message body will be "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.." or a randomly selected name 10 characters long. The attachment will have a random name with one of the extensions .BMP.vbs, .JPG.vbs or .GIF.vbs (example: aEcOb.JPG.vbs). The VBS extension will not appear if Windows Scripting Host is installed.
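As an added example (not part of the original advisory and not any vendor's code), the message indicators described above can be checked at a mail gateway along these lines. The function names and sample messages are constructed for illustration, and the check assumes the random names consist of letters only, as in the advisory's example.

```python
import re
from email import message_from_string

# Indicators quoted in the advisory above.
KNOWN_SUBJECT = "US PRESIDENT AND FBI SECRETS"
KNOWN_BODY = "SEE PRESIDENT AND FBI TOP SECRET PICTURES"
# Image extension directly followed by .vbs, e.g. aEcOb.JPG.vbs
DOUBLE_EXT = re.compile(r"\.(bmp|jpg|gif)\.vbs$", re.IGNORECASE)
# Assumption: the "random names" are letters only, like the advisory's example.
RANDOM_SUBJECT = re.compile(r"^[A-Za-z]{6}$")
RANDOM_BODY = re.compile(r"^[A-Za-z]{10}$")

def triage_message(raw):
    """Return (quarantine, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("latin-1")
    body = body.strip()
    reasons = ["double-extension attachment: " + n for n in names if DOUBLE_EXT.search(n)]
    quarantine = bool(reasons)  # the attachment is the only blocking signal
    if KNOWN_SUBJECT in subject.upper():
        reasons.append("known subject line")
    if KNOWN_BODY in body.upper():
        reasons.append("known body text")
    # Random lures are too generic alone; record them only next to a bad attachment.
    if quarantine and RANDOM_SUBJECT.match(subject):
        reasons.append("6-letter random subject")
    if quarantine and RANDOM_BODY.match(body):
        reasons.append("10-letter random body")
    return quarantine, reasons

def build_sample(subject, body, filename):
    """Constructed sample message (not captured traffic)."""
    return (
        "From: a@example.test\nTo: b@example.test\nSubject: %s\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XX\"\n\n"
        "--XX\nContent-Type: text/plain\n\n%s\n"
        "--XX\nContent-Type: application/octet-stream\n"
        "Content-Disposition: attachment; filename=\"%s\"\n\nplaceholder\n--XX--\n"
    ) % (subject, body, filename)

if __name__ == "__main__":
    print(triage_message(build_sample("qWeRtY", "aBcDeFgHiJ", "aEcOb.JPG.vbs")))
```

A six-letter subject on its own (for example "Photos" with holiday.jpg attached) is deliberately not flagged; only the image-plus-.vbs attachment name triggers quarantine.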
When the e-mail attachment is opened, the worm copies LINUX32.vbs and a randomly named file to the Windows system folder and reload.vbs to the Windows folder. Then it changes the registry settings so that the script is automatically executed when the system is restarted.
Then it checks for "WinFAT32.exe" in the Windows system folder. If it is found, the worm also tries to download three files named macromedia32.zip, linux321.zip and linux322.zip. If the files are downloaded, it copies them to the Windows folder under the names important_note.txt, logow.sys and logos.sys. Actually, these are not zip files: the first one is a text file and the other two are BMP files. The BMP files are used for the Windows startup and shutdown screens. The text file is displayed by modifying the registry.
Then the worm creates "US-PRESIDENT-AND-FBI-SECRETS.HTM" in the Windows system folder. It opens the Microsoft Outlook address book and sends email to all the email addresses stored in it. The message subject, body and attachment details will be the same as explained above.
Then the virus searches all local and remote drives and overwrites .js, .jse, .css, .wsh, .sct and .hta files with the script. It overwrites jpg and jpeg files with the virus code and renames them with a .vbs extension. In the case of mp2 and mp3 files, it hides the original file, creates a new file with a .vbs extension and writes its code there.
The worm also contains a date-activated payload. When the current date is the 17th and the current month is September (the 9th month), it will display the following message:
to my best brother=> Christiam
"Att. ( random name of 5 letters length )
If you press OK in the message box, it will try to disconnect network drives from E: to Z: in reverse order.
How can I protect my
There is no special update required for Solo users. Solo "Heuristic Engine" will detect and remove this worm automatically in the
Solo antivirus registered users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all
To protect your system against infection, disable Windows Scripting Host by following these steps: Click the Start button, Settings, Control Panel, then select Add/Remove Programs, then select the Windows Setup tab, then double-click Accessories, scroll down to Windows Scripting Host, and uncheck the box. Save changes and close the window.
How to remove this worm?
If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove the VBS/Plan worm safely.
Solo anti-virus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.