VBS:NewLove
is another computer worm written in VBS (Visual Basic Script language). It arrives via e-mail and is activated by double-clicking the message attachment, which can have a random name but always has the .vbs extension. It requires Windows Scripting Host to be installed on the victim's computer. This support is not installed under Windows 95 and Windows NT 4 by default. It is installed under Windows 98 and Windows 2000, and it is also part of some additional software packages (such as Microsoft Internet Explorer v5.x).
VBS:NewLove was discovered on 18th May 2000. This worm uses e-mail as its only spreading channel. The subject of the message starts with "FW: " and includes the name of the infected attachment (without the .vbs extension). The worm is polymorphic: when it creates a new copy of itself, this copy contains additional comments with random content. Comment lines begin with a single quote. It also adds spaces at the beginning of the lines. The comments contain strings of uppercase characters with no spaces between them. Such a string can be up to 300 characters long. The virus grows with each copy and after some time it can be really huge.
The random filename is selected from the Windows Recent directory and is appended with one of these extensions: .Doc, .Xls, .Mdb, .Bmp, .Mp3, .Txt, .Jpg, .Gif, .Mov, .Url, .Htm and .Txt, followed by the above-mentioned .vbs extension.
When executed, the worm copies itself to the Windows and System directories under the same name it arrived with and adds two entries with the same name under the following registry keys:
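The two static traits described above (the decoy double extension and the uppercase junk comments) can be checked on a quarantined attachment with a short triage script. This is an added example, not avast! code; the function names, the minimum junk length and the ratio threshold are assumptions chosen for illustration, and the sample script is constructed.

```python
import re

# Decoy extensions listed in the description; the worm appends ".vbs" after one.
DECOY_EXTS = {".doc", ".xls", ".mdb", ".bmp", ".mp3", ".txt",
              ".jpg", ".gif", ".mov", ".url", ".htm"}
MIN_JUNK_LEN = 10  # assumed lower bound, to skip short comments such as 'TODO

# Junk comment as described: optional leading spaces, a single quote, then
# only uppercase letters with no spaces, up to 300 characters.
JUNK_COMMENT = re.compile(r"^\s*'[A-Z]{%d,300}\s*$" % MIN_JUNK_LEN)

def has_decoy_double_extension(filename):
    """True for attachment names such as 'holiday.Jpg.vbs'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "vbs" and "." + parts[1] in DECOY_EXTS

def junk_comment_ratio(script_text):
    """Fraction of non-empty lines that are uppercase-only junk comments."""
    lines = [line for line in script_text.splitlines() if line.strip()]
    if not lines:
        return 0.0
    return sum(1 for line in lines if JUNK_COMMENT.match(line)) / len(lines)

def triage(filename, script_text, ratio_threshold=0.3):
    """Return the list of reasons a .vbs attachment looks suspicious."""
    reasons = []
    if has_decoy_double_extension(filename):
        reasons.append("decoy double extension")
    if junk_comment_ratio(script_text) >= ratio_threshold:  # assumed threshold
        reasons.append("high ratio of uppercase junk comments")
    return reasons

# Constructed, harmless sample showing only the comment padding pattern.
SAMPLE = "\n".join([
    "   'QWERTYUIOPASDFGHJKLZXCVB",
    "Dim fso",
    "  'MNBVCXZLKJHGFDSAPOIUYT",
    'Set fso = CreateObject("Scripting.FileSystemObject")',
    "'ZZZZZZZZZZZZKKKKKKKKKK",
])

if __name__ == "__main__":
    print(triage("holiday.Jpg.vbs", SAMPLE))
    print(triage("logon.vbs", "' Map network drives\nDim drive\n"))
```

Because the padding grows with every copy, the junk ratio tends to rise in later generations, so the threshold matters less than the trend across samples.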
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Damage
The worm has a very dangerous payload. It searches all directories on all fixed and network drives and deletes all files found. It then creates new files with the same names as the original files but with a .vbs extension. All such files are zero bytes long.
Removal
Delete all infected files and remove all registry entries mentioned above. Then reboot the computer. If any damage has been done, Windows should be reinstalled and all data restored from the backup.
Any avast! with a VPS file dated on or after 19th May 2000 is able to detect this virus. We recommend changing the avast32 task to test ALL files!


