
VBS/PLAN - A NEW LOVE LETTER STYLE WORM DETECTED

VBS/Plan is a new, modified variant of the VBS/LoveLetter worm that uses Microsoft Outlook to spread. It also needs Windows Scripting Host to infect the system.

The email message subject will be "US PRESIDENT AND FBI SECRETS =PLEASE VISIT = > (http://WWW.2600.COM)<=" or a randomly selected name 6 characters long, created by the polymorphic routine. The message body will be "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.." or a randomly selected name 10 characters long. The attachment will have a random name with the extension .BMP.vbs, .JPG.vbs or .GIF.vbs (example: aEcOb.JPG.vbs). The VBS extension will not appear if Windows Scripting Host is installed.
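
The message traits described above, written as a mail-gateway check. This is an added example, not part of the original advisory or of any vendor's scanner; the function names and sample messages are constructed for illustration. Because the subject and body can be random, the attachment-name rule is the one that matches every variant described.

```python
import re
from email.message import EmailMessage

# Indicators quoted from the advisory; compared case-insensitively.
FIXED_SUBJECT = "US PRESIDENT AND FBI SECRETS"
FIXED_BODY = "SEE PRESIDENT AND FBI TOP SECRET PICTURES"
# Image extension immediately followed by .vbs, e.g. aEcOb.JPG.vbs
DOUBLE_EXT = re.compile(r"\.(bmp|jpg|gif)\.vbs\s*$", re.IGNORECASE)


def squash(text):
    """Collapse whitespace and upper-case so folded headers still match."""
    return " ".join(text.split()).upper()


def check_message(msg):
    """Return the reasons a parsed message matches the description above."""
    reasons = []
    if FIXED_SUBJECT in squash(str(msg.get("Subject", ""))):
        reasons.append("fixed subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            reasons.append("double-extension attachment: " + name.strip())
        elif name is None and part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1", "replace")
            if FIXED_BODY in squash(text):
                reasons.append("fixed body")
    return reasons


def build_sample(subject, body, attachment_name):
    """Build a constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        build_sample("US PRESIDENT AND FBI SECRETS =PLEASE VISIT",
                     "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..",
                     "aEcOb.JPG.vbs"),
        build_sample("qWxErT", "aBcDeFgHiJ", "xYzQw.gif.VBS"),  # random variant
        build_sample("Holiday photos", "See attached.", "beach.jpg"),  # benign
    ]
    for m in samples:
        print(m["Subject"], "->", check_message(m) or "no match")
```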

When the e-mail attachment is opened, the worm copies LINUX32.vbs and a randomly named file to the Windows system folder and reload.vbs to the Windows folder. Then it changes the registry settings so that the script is automatically executed when the system is restarted.

Then it checks for "WinFAT32.exe" in the Windows system folder; if found, it also tries to download three files named macromedia32.zip, linux321.zip and linux322.zip. If the files are downloaded, it copies them to the Windows folder under the names important_note.txt, logow.sys and logos.sys. Actually, these are not zip files. The first one is a text file and the other two are BMP files. The BMP files are used for the Windows startup and shutdown screens. The text file is displayed by modifying the registry.

Then the worm creates "US-PRESIDENT-AND-FBI-SECRETS.HTM" in the Windows system folder. It opens the Microsoft Outlook address book and sends email to all the email addresses stored in it. The message subject, body and attachment details will be the same as explained above.

Then the virus searches all local and remote drives and overwrites .js, .jse, .css, .wsh, .sct and .hta files with the script. It overwrites jpg and jpeg files with the virus code and renames them with a .vbs extension. In the case of mp2 and mp3 files, it hides the original file, creates a new file with a .vbs extension and writes its code there.

The worm also contains a date-activated payload. When the current date is the 17th and the current month is September (9th month), it will display the following message.

"Dedicated to my best brother=> Christiam Julian(C.J.G.S.)"
"Att. ( random name of 5 letters length ) (M.H.M. TEAM)"

If you press OK in the message box, it will try to disconnect network drives from E: to Z: in reverse order.

How can I protect my system?

There is no special update required for Fire users. The Fire "Heuristic Engine" will detect and remove this worm automatically under the name "VBS/LoveLetter.variant".

To protect your system against infection, disable Windows Scripting Host by following these steps: Click the Start button, Settings, Control Panel, then select Add/Remove Programs, then select the Windows Setup tab, then double-click Accessories, scroll down to Windows Scripting Host, and uncheck the box. Save changes and close the window.

The VBS/LoveLetter scanner is able to detect the VBS/Plan worm. You can download this free utility at the Download Center.
