<HTML>
<!-- Lotus-Domino (Release 4.6.3 - December 7, 1998 on Windows NT/Intel) -->
<HEAD>
<TITLE>What is VBS.NewLove.A?</TITLE></HEAD>
<BODY TEXT="000000" BGCOLOR="ffffff">
<BODY BACKGROUND="http://www.symantec.com/images/sidesym2.gif" BGCOLOR="WHITE" VLINK="#996600" ALINK="#990000">
<TITLE>What is VBS.NewLove.A?</TITLE>
<FORM ACTION="http://www.symantec.com/search/iatoc" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded">
<P>
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH=500>
<TR>
<TD ALIGN=LEFT VALIGN=TOP WIDTH="152">
<IMG SRC="http://www.symantec.com/images/spacer.gif" BORDER=0 WIDTH=152 HEIGHT=1><BR>
<A HREF="http://www.symantec.com/index.html"><IMG SRC="http://www.symantec.com/images/sym_logo.gif" ALT="Symantec logo" BORDER=0 HEIGHT=39 WIDTH=144></A><BR>
<IMG SRC="http://www.symantec.com/images/us.logo.gif" ALT="United States" BORDER=0 HEIGHT=24 WIDTH=144></A><BR>
</TD>
<TD COLSPAN=2 ALIGN=LEFT VALIGN=TOP WIDTH="434">
<IMG SRC="http://www.symantec.com/images/us.serviceandsupport.ts.banner.gif" ALT="Technical Support" HEIGHT=63 WIDTH=435 ALIGN=BOTTOM>
</TD>
</TR>
<TR>
<TD ALIGN=LEFT VALIGN=TOP WIDTH=152>
<P><FONT SIZE=2>
<A HREF="http://www.symantec.com/infoforyou.html">
<IMG SRC="http://www.symantec.com/images/us.informationforyou.area.gif" WIDTH=144 HEIGHT=22 BORDER=0 ALT="Information for You"></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR><A HREF="http://shop.symantec.com/index.html">
<IMG SRC="http://www.symantec.com/images/us.shopsymantec.area.gif" WIDTH=144 HEIGHT=22 BORDER=0 ALT="Shop Symantec"></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR><A HREF="http://www.symantec.com/product/index.html">
<IMG SRC="http://www.symantec.com/images/us.products.area.gif" WIDTH=144 HEIGHT=22 BORDER=0 ALT="Products"></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR>
<A HREF="http://www.symantec.com/resource.html"><IMG SRC="http://www.symantec.com/images/us.resourcecenters.area.gif" WIDTH=144 HEIGHT=22 BORDER=0 ALT="Resource Centers"></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR><A HREF="http://www.symantec.com/servsupp.html"><IMG SRC="http://www.symantec.com/images/us.serviceandsupport.area.gif"WIDTH=144 HEIGHT=22 BORDER=0 ALT="Service and Support"></A><BR>
<IMG SRC="http://www.symantec.com/images/spacer.gif" HEIGHT=1 WIDTH=12 BORDER=0><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR><A HREF="http://www.symantec.com/corporate/index.html">
<IMG SRC="http://www.symantec.com/images/us.aboutsymantec.area.gif" WIDTH=144 HEIGHT=22 BORDER=0 ALT="About Symantec"></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" WIDTH=144 HEIGHT=13 BORDER=0><BR></FONT>
<A HREF="http://www.symantec.com/"><IMG SRC="http://www.symantec.com/images/us.globalsites.area.gif" ALT= "Global Sites" WIDTH=144 HEIGHT=22 BORDER=0></A><BR>
<IMG SRC="http://www.symantec.com/images/sep_2.gif" HEIGHT=13 WIDTH=144><BR>
<A HREF="http://www.symantec.com/feedback/"><IMG SRC="http://www.symantec.com/images/us.webmaster.gif" ALT="Webmaster" HEIGHT=22 WIDTH=70 ALIGN=TOP BORDER=0></A>
<A HREF="http://www.symantec.com/help.html"><IMG SRC="http://www.symantec.com/images/us.help.gif" ALT="Help" HEIGHT=22 WIDTH=70 ALIGN=TOP BORDER=0></A>
<P><FONT SIZE=2>© 1995-2000 Symantec Corporation<BR>All rights reserved.<BR><A HREF="http://www.symantec.com/legal/legal_note.html"><BR><FONT SIZE=2>Legal Notices</FONT></A><FONT SIZE=2><BR></FONT><A HREF="http://www.symantec.com/legal/privacy.html"><FONT SIZE=2>Privacy Policy</FONT></A>
</TD>
<TD ALIGN=LEFT VALIGN=TOP WIDTH="13"> </TD>
<TD ALIGN=LEFT VALIGN=TOP WIDTH=422>
<FONT SIZE=4 FACE="ARIAL, MS SANS SERIF, HELVETICA"><B>
<!-- Page Header -->
</B></FONT></FORM><BR>
<!-- ------------------------------- -->
<!-- main page area -->
<!-- ------------------------------- -->
<P><table border=0 cellpadding=3 cellspacing=0 width=422><tr><td colspan=3 cellpadding=0 bgcolor=#2a116d><b><font size=2 color=white face=Arial,Helvetica,Geneva,Swiss,SunSans-Regular>Knowledge Base > Symantec </FONT></B></td></tr></table><BR>
<TABLE WIDTH="100%" BORDER=0 CELLSPACING=0>
<TR VALIGN=top><TD WIDTH="32%"><CENTER><A HREF="http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2000051814021806"><IMG SRC="http://www.symantec.com/techsupp/images/button_printer.gif" ALT="Printer Friendly Version" WIDTH="102" HEIGHT="32" ALIGN="BOTTOM" BORDER="0"></A></CENTER></TD><TD WIDTH="35%"><CENTER><TD></TD></CENTER></TD><TD></TD></TR>
</TABLE>
<BR>
<B><FONT COLOR="0000ff">What is VBS.NewLove.A?</FONT></B><BR>
<BR>
<FONT SIZE=-1 FACE="ARIAL,MS SANS SERIF,UNIVERS,HELVETICA"><B>Situation:</B></FONT><BR>
You want to know about the VBS.NewLove.A worm.<BR>
<BR>
<FONT SIZE=-1 FACE="ARIAL,MS SANS SERIF,UNIVERS,HELVETICA"><B>Solution:</B></FONT><BR>
As of this writing, the following information is known about the VBS.NewLove.A worm:<BR>
<TABLE BORDER=1>
<TR VALIGN=top><TD WIDTH="125">Detected as</TD><TD WIDTH="192">VBS.NewLove.A</TD></TR>
<TR VALIGN=top><TD WIDTH="125">Also known as</TD><TD WIDTH="192">VBS.LoveLetter.ed<BR>
VBS.LoveLetter.Gen<BR>
VBS_SPAMMER<BR>
VBS.LoveLetter.FW.A</TD></TR>
<TR VALIGN=top><TD WIDTH="125">Infection Length</TD><TD WIDTH="192">Variable</TD></TR>
<TR VALIGN=top><TD WIDTH="125">Area of Infection</TD><TD WIDTH="192">Overwrites files</TD></TR>
</TABLE>
<BR>
<B>Description</B><BR>
This is a heavily mutated variant of the VBS.LoveLetter.A worm. For information on the original VBS.LoveLetter.A worm and its variants, please see <A HREF="http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000050407210206"><FONT COLOR="0000ff">What is VBS.LoveLetter.A?</FONT></A><BR>
<BR>
The Symantec AntiVirus Research Center (SARC) has received samples of this worm and is currently analyzing them. Unlike VBS.LoveLetter.A, which limited its infection to graphic and music files, the VBS.NewLove.A worm will search through all local and mapped network drives and attempt to infect all files on all drives.<BR>
<BR>
The worm spreads by sending itself to all of the addresses in the Microsoft Outlook address book. The attachment name is randomly chosen, but will always have a .vbs extension. The subject header will begin with "FW:" and will include the name of the randomly chosen attachment, (excluding the .vbs extension).<BR>
<BR>
<B>How to protect your computer against </B><B>VBS.NewLove.A</B><BR>
SARC has updated the definitions to protect against this worm. Please run LiveUpdate to obtain the latest definitions. You can also download the definitions from:<BR>
<BR>
<FONT COLOR="0000ff"><a href="http://www.symantec.com/avcenter/download.html">http://www.symantec.com/avcenter/download.html</a></FONT><BR>
<BR>
<B>What to watch for</B><BR>
Watch for email messages that have the following:<UL><LI>Email subject: Varies, but will display "FW: filename.ext" (where filename.ext can be any file name. It is chosen by the worm, at random, on the computer from which the email was sent). <LI>Attachment name: Varies, but will display "filename.ext.vbs" (where filename.ext can be any file name. It is chosen by the worm, at random, on the computer from which the email was sent). <LI>Attachment size: Varies<BR>
<BR>
<B>NOTES:</B><UL><LI>The file extension may not display on all computers. This will depend on Windows settings and the file extension itself.<LI>If the file has been sent by an infected Windows NT or 200 computer, the file name will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" </UL></UL><BR>
<B>WARNING:</B> If you suspect that you have received such a message, <I>do not open it</I>. This worm will overwrite <I>all </I>files on the computer that are not currently in use, regardless of extension. In addition, it will overwrite files on all mapped (network) local drives, with the exception of files in root directories.<BR>
<BR>
<B>Precautions you should take</B><BR>
Here are some precautions you can take to protect your computer:<UL><LI>Do not open any email attachments that have a .vbs extension.<LI>If you do not need the functionality provided by the Windows Scripting Host, then you may want to uninstall it. This will prevent the worm from running on your system. Please see <A HREF="http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000050512031906"><FONT COLOR="0000ff">How to uninstall the Windows Scripting Host</FONT></A> for detailed instructions.<LI>Obtain an update. Microsoft has an update that will provide additional protection to Microsoft Outlook users. According to Microsoft, the update will "make it more difficult to inadvertently launch attachments. The updates provide a more explicit warning dialogue, and prevent attached executables from being launched directly from e-mails...." This update is available at:<BR>
<BR>
<FONT COLOR="0000ff"><a href="http://www.microsoft.com/technet/security/virus/vbslvltr.asp">http://www.microsoft.com/technet/security/virus/vbslvltr.asp</a></FONT><FONT COLOR="0000ff"><BR>
</FONT></UL><B>Technical information</B><BR>
This polymorphic LoveLetter variant will overwrite<I> all </I>files that are not currently in use, regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the (sending) infected user's recently opened documents list.) The body of the email is empty. If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (the file extension will vary, depending on the recently opened documents list of the infected computer). <BR>
<BR>
<B>How to repair</B><BR>
You will need to restore from a full backup, or, if that is not available, reinstall all software, including the operating system, and then restore data from backup. This worms deletes the contents of <I>all</I> files on the system, leaving the affected files with a byte length of zero. This effectively destroys all files on the system, and will render the computer inoperable. The worm also appends the extension .vbs to each of these files. Because of this, no removal is possible once the worm has activated.<BR>
<BR>
This document will be updated as new information becomes available.<BR>
<BR>
Last Updated:<BR>
May 19, 2000<BR>
7:15 A.M. PST<BR>
<BR>
<BR>
<b><a href="http://www.symantec.com/techsupp/survey/satisfaction_survey.html"><FONT COLOR="0000ff">What do you think of our support? Please let us know.</a></font></b>
<BR><BR>
<HR><B><FONT SIZE=2>Product(s): </FONT></B><FONT SIZE=2>General, Virus Information</FONT><BR>
<B><FONT SIZE=2>Operating Systems(s): </FONT></B><FONT SIZE=2></FONT><BR>
<B><FONT SIZE=2>Document ID:</FONT></B><FONT SIZE=2> </FONT><FONT SIZE=2>2000051814021806</FONT><BR>
<B><FONT SIZE=2>Date Created:</FONT></B><FONT SIZE=2> </FONT><FONT SIZE=2>05/18/2000</FONT><BR>
<B><FONT SIZE=2>Last Modified:</FONT></B><FONT SIZE=2> </FONT><FONT SIZE=2>05/19/2000</FONT><BR>
<BR><CENTER>
<TABLE WIDTH="100%" BORDER=0 CELLSPACING=0>
<TR VALIGN=top><TD></TD><TD WIDTH="50%"><A HREF="http://www.symantec.com/techsupp/"><FONT SIZE="2">Help with Another Product</FONT></A></TD></TR>
</TABLE>
<BR>
</CENTER> <!-- ------------------------------- -->
<!-- standard footer -->
<!-- ------------------------------- -->
</TD></TR>
</TABLE>
<!-- Last revised by: tdc / Thu Oct 15 1998 -->
<IMG SRC="http://www.symantec.com/techsupp/custom/customizeLog.cgi">
</BODY>
</HTML>
<BR>
<noscript></BODY>
</HTML>