This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
This virus is believed to have been created by the author of VBS/San@M. It also sets the Internet Explorer start page to a Spanish website, similar to VBS/San@M.
The virus is embedded in an HTML file, uses the Vbscript.Encode method to partially encrypt its code, and makes use of the so-called "Scriptlet.TypeLib" vulnerability.
When the viral code is executed, it copies itself to the StartUp folder, "c:\WINDOWS\Start Menu\Programs\Startup\loveday14-b.hta". If the Spanish version of Windows is detected, it copies itself to the corresponding Startup folder, "c:\WINDOWS\Menú Inicio\Programas\Inicio\loveday14-b.hta".
The file "main.html" is created in the WINDOWS SYSTEM directory.
The virus sends itself to all recipients found in the Outlook Address Book. The subject line of the message is left empty and there is no attachment. The e-mail message body contains the embedded virus code, in HTML format.
The virus attempts to send e-mail messages to random mobile-phone addresses of a Spanish telecom provider. These messages contain the following information:
Subject: "Feliz san valentin"
Body: "Feliz san valentin. Por favor visita" (followed by a link to a Spanish website, infected by the virus author.)
The virus attempts to use the mIRC Internet Relay Chat client to send itself, as "main.html", to other IRC users.
If the current day is 8, 14, 23, or 29, the virus attempts to overwrite all files on the C: drive with Spanish text. The overwritten files keep the original file name with the extension .TXT appended (i.e. C:\COMMAND.COM becomes C:\COMMAND.COM.TXT).
These overwritten files contain the text:
Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor a Davinia, la chica mas guapa del mundo. Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica. Todos los dias a todas horas pienso en ti y cada segundo que no te veo es un infierno. Quieres salir conmigo? En cuanto a ti usuario, debo decirte que tus ficheros no han sido contaminados por un virus, sino sacralizados por el amor que siento por Davinia.
Visible symptoms of infection include:
- Presence of the file "loveday14-b.hta"
- Modified Outlook Express signature
- Altered Internet Explorer start page, now set to a Spanish website
- Files overwritten with Spanish text, using double extensions (i.e. .EXE.TXT)
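As an added example (not part of the original description and not a vendor tool), the following Python script scans a directory tree for the file-system symptoms listed above: the dropped "loveday14-b.hta" and "main.html" files, and double-extension .TXT files that contain the overwrite text. The directory layout and sample files built in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators quoted from the description above: the file names the worm
# writes and the opening words of the text it writes into overwritten files.
HTA_NAME = "loveday14-b.hta"
DROPPED_HTML = "main.html"
OVERWRITE_MARKER = b"Hola, me llamo Onel2"


def classify(path: Path):
    """Return the indicator a single file matches, or None."""
    name = path.name.lower()
    if name == HTA_NAME:
        return "startup-hta"
    if name == DROPPED_HTML:
        return "dropped-main-html"
    # Overwritten files keep their old name plus .TXT (COMMAND.COM.TXT) and
    # contain the Spanish message; require both to limit false positives.
    if name.endswith(".txt") and Path(path.stem).suffix:
        with path.open("rb") as fh:
            if OVERWRITE_MARKER in fh.read(4096):
                return "overwritten-file"
    return None


def scan_tree(root):
    """Walk root and return sorted (indicator, relative path) pairs."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            tag = classify(path)
            if tag:
                hits.append((tag, path.relative_to(root).as_posix()))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (not a real infection) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "WINDOWS/Start Menu/Programs/Startup"
        startup.mkdir(parents=True)
        (startup / HTA_NAME).write_text("<html></html>")  # constructed stand-in
        (root / "WINDOWS/SYSTEM").mkdir()
        (root / "WINDOWS/SYSTEM" / DROPPED_HTML).write_text("<html></html>")
        (root / "COMMAND.COM.TXT").write_bytes(OVERWRITE_MARKER + b" y voy a ...")
        (root / "notes.txt").write_text("benign text file")  # single extension
        (root / "README.OLD.TXT").write_text("benign archive")  # no marker
        return scan_tree(root)


if __name__ == "__main__":
    for tag, rel in demo():
        print(f"{tag:18} {rel}")
```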
Opening e-mail messages composed in HTML format that contain the script installs the Internet worm on systems vulnerable to the "Scriptlet.TypeLib" exploit. If the Preview Pane is enabled, simply highlighting the message subject is enough to activate the virus. Both the HTA file and the HTML file are written to the local machine, and both are re-created at system startup and each time an HTML-format e-mail message is composed.
Use specified engine and DAT files for detection and removal.
Removal of this Internet worm consists of several steps:
* close email client(s)
* install the MS patch mentioned above
* remove the .HTA and/or .HTML files associated with this threat
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script
Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host', uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.
Users may also want to disable 'Active Scripting' in the 'Restricted Sites' zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:
- open Internet Explorer
- choose the Tools menu
- choose Internet Options
- click the Security tab
- click the Restricted Sites icon
- click 'Custom Level'
- scroll down to 'Active Scripting' and set it to Disable or Prompt
- choose the Tools menu
- click the Security tab
- in the 'Security Zones' section, choose the 'Restricted Sites' zone
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.