Subject: [NEWS] Love Bug variant fools Anti-Virus programs
Date: Sat, 27 May 2000 10:34:36 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Love Bug variant fools Anti-Virus programs
--------------------------------------------------------------------------------

SUMMARY

While the security community is trying to find a decent cure for e-mail Viruses such as the recent I Love You Virus, a new Virus clone shows that the current solution used by most Virus-blocking software is meaningless.

DETAILS

After the recent Love Bug damage, many products claimed to have solved the "I Love You" Virus problem. Most did this by simply identifying certain characteristics of the Virus, such as the distinctive subject line ("I Love You"). All e-mail messages with that subject were simply blocked, and users were told to delete, without opening, any e-mail with a subject line known to be used by clones of this Virus.

But clearly, that's no way to fight a Virus. To prove how futile this combat method is, a new variant of this e-mail Virus is in the wild, and this time the subject line is variable.

This Virus is very similar to "I Love You", except that when propagating it sets the subject line to a file name from the directory C:\Windows\Recent. Since this is probably different from one person to another, the Virus becomes 'polymorphic': it changes its shape on propagation. The attachment bears the same name as the subject (i.e. the file name picked up from the Windows\Recent folder) with the .vbs (VB Script) extension appended.

ADDITIONAL INFORMATION

For more information about this new variant, called 'NewLove', see: The Trend Virus Encyclopedia

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.