I-Worm.NewLove
Description I-Worm.NewLove
This is an extremely dangerous variant of the "LoveLetter" Internet worm. Like its forerunner "LoveLetter", the "NewLove" worm is written in the Visual Basic Script language and spreads as a VBS file with a random name. The worm installs itself into the system, gains access to the MS Outlook address book, and sends itself to all addresses listed there.

The infected message subject begins with "FW:" and is completed with random text up to 30 characters in length and a random extension from the following list:

    Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt

This also serves as the name of the attached file, for example:

    FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp
    FW: QKUPLSXOOIBPAGNENGIVPN.Mp3
    FW: TNXSOVARRLESDJQHQJLYSQNWV.Mdb
    FW: HBLHCJOFFZS.Mdb
    FW: MGQMHOTKKEXLWCJAJ.Doc
    FW: SMXSNUZRRKDRCJQGPIKXRQNWU.Mdb
    FW: CWGCXE.Mp3

The message body is empty, and there is a VBS file attached with the same file name that is in the subject line, but with an added ".VBS" extension. Depending on the system settings, the real extension of the attached file (".vbs") may not be shown. In this case, the filename of the attached file is displayed as shown above (without the "FW:").

When the attached file is activated (by double clicking, for example), the worm sends copies of itself to all addresses in the MS Outlook address book. The worm then destroys the computer. It scans all local and mapped disk drives, replaces all files with its copy, and adds the ".VBS" extension to the file names (for example, COMMAND.COM becomes COMMAND.COM.VBS). As a result, all files on all accessible drives are totally destroyed. Because of this, the worm is able to spread just once: it sends its copy to all available addresses and then destroys the computer.

The worm is able to spread only if MS Outlook is installed in the system. The worm's payload routine is activated regardless of the e-mail system installed on the computer. If another e-mail system is installed, the worm does not send infected e-mails, but it still destroys all files on the computer.

The worm is polymorphic. Upon each infection, it inserts random comments into its code. The worm does this each time it spreads, and as a result its size grows with each generation (about 60% of the current size), for example:

    1st generation: 110Kb
    2nd generation: 248Kb
    3rd generation: 403Kb
    4th generation: 585Kb
    5th generation: 805Kb
    6th generation: 1040Kb
    etc.

The "pure" worm code is only about 5Kb in size.

Protection against this type of worm has already been released by Kaspersky Lab. The "AVP Script Checker" protects the system against the new worm and prevents infection. We strongly recommend you download "AVP Script Checker" from our Kaspersky Lab Web sites.
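The message traits described above (the "FW:" subject with a decoy extension, the empty body, and an attachment named after the subject plus ".VBS") can be checked at a mail gateway. The following is an added example, not code from Kaspersky Lab or from this description; the function names are hypothetical, the sample messages are constructed, and the letters-only pattern for the random text is an assumption drawn from the sample subjects.

```python
import re
from email.message import EmailMessage

# Decoy extensions listed in the description above.
DECOY_EXTS = ("doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm")
# Assumption: the random text is 1-30 letters, as in the sample subjects.
SUBJECT_RE = re.compile(
    r"^FW:\s*([A-Za-z]{1,30}\.(?:%s))$" % "|".join(DECOY_EXTS), re.IGNORECASE)

def newlove_traits(msg):
    """Return the set of described NewLove traits found in one message."""
    traits = set()
    m = SUBJECT_RE.match((msg["Subject"] or "").strip())
    decoy = m.group(1).lower() if m else None
    if decoy:
        traits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not body.get_content().strip():
        traits.add("empty-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".vbs"):
            traits.add("vbs-attachment")
            # The attachment is the subject's decoy name plus ".VBS".
            if decoy and name[:-4] == decoy:
                traits.add("name-matches-subject")
    return traits

def is_probable_newlove(msg):
    """Flag only when subject, script attachment and name match all agree."""
    return {"subject", "vbs-attachment", "name-matches-subject"} <= newlove_traits(msg)

def build_sample(subject, attachment, body="\n"):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg

if __name__ == "__main__":
    hit = build_sample("FW: HBLHCJOFFZS.Mdb", "HBLHCJOFFZS.Mdb.VBS")
    miss = build_sample("FW: minutes.doc", "minutes.doc", body="See attached.\n")
    print(is_probable_newlove(hit), sorted(newlove_traits(hit)))
    print(is_probable_newlove(miss), sorted(newlove_traits(miss)))
```

A forwarded message whose subject merely looks like a file name is not flagged, because the verdict requires the ".VBS" attachment whose name matches the subject.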
Macro.Word.Why
Description Macro.Word.Why
This virus contains only one macro, but when infecting it copies that macro to two macros in documents and to three macros in NORMAL.DOT:

    documents: AutoOpen, makemacros
    NORMAL.DOT: AutoOpen, AutoClose, makemacros

The virus infects the global macros area (NORMAL.DOT) on opening an infected file (AutoOpen), and infects documents that are opened or closed (AutoOpen, AutoClose). The virus displays the DialogBox:

    Why Why Why Why doesn't pepole work? No money No drink No eat No instant noodles No lunch box
Macro.Word.Williamto
Description Macro.Word.Williamto
This is an encrypted Word macro virus. It contains 16 macros:

    Halim, FileNew, AutoOpen, FileOpen, FileSave, FileClose, FilePrint, HelpAbout, Williamto, FileSaveAs, ToolsMacro, FormatStyle, JustifyPara, ViewToolBars, FileTemplates, ToolsCustomize

The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are opened, saved or saved with a new name (FileOpen, FileSave, FileSaveAs). This is a stealth virus: it draws its own dialog on entering the Tools/Macro menu. On pressing any button the virus displays the MessageBox: WordBasic Err = 7 Not enough memory
After opening a file the virus displays the message: Williamto Virus Williamto WordBasic Virus Programmed by Williamto Halim Virus Research Laboratory Dedicated to Angelia Hadeli
On error while saving files the virus displays: Attention!!! Williamto Halim always lives in your computer
On closing files it displays: File Close Please close it later! Let's have fun!
On July 9 it displays: Nice Day Happy Birthday Amgelia Hadeli by Williamto Halim
The virus also replaces the "About Microsoft Word" with: About Microsoft Word Williamto WordBasic Virus Programmed by Williamto Halim Virus Research Laboratory Dedicated to Angelia Hadeli
On printing documents the virus erases the original text and prints its own text: Welcome to Williamto Word Macro Virus I'm sorry about this but your computer has been infected by Williamto Word Macro Virus Please beware about this!!! This Virus will destroy your data in your disk!!! Copyright 1997 Virus Research Labs (Jakarta/Indonesia)
While printing, the virus outputs the following text to the status line: [ Welcome to Williamto Word Macro Virus - Programmed & Written by Williamto Halim the Hackers - Virus Research Laboratory ]
On November 11th the virus formats the hard drive and displays the MessageBox: Attention!!! I will format your hard disk now, ha-ha-ha!