Virus Profile: VBS/Valentin@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/11/2001
Date Added: 2/12/2001
Origin: Spain
Length: N/A
Type: Virus
Subtype: E-mail
DAT Required: 4121

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

VBS/Valentin@MM is detected as "New Script" with heuristics enabled using the 4120 engine. This virus contains a destructive payload, instructions to send itself via Outlook email and also send messages to cell phones.

- Presence of the file "loveday14-b.hta"
- Modified Outlook Express signature
- Altered Internet Explorer start page, now set to a Spanish website
- Files overwritten with Spanish text and renamed with a double extension (e.g. .EXE.TXT)

Cell phone users in Europe may receive messages containing the following information:
Subject: "Feliz san valentin"
Body: "Feliz san valentin. Por favor visita" (followed by a link to a Spanish website that the virus author had infected)

Methods of Infection

Opening an e-mail message composed in HTML format that contains the script installs the Internet worm on systems vulnerable to the "Scriptlet.TypeLib" exploit. If the Preview Pane is enabled, simply highlighting the message subject is enough to activate the virus. Both the HTA file and the HTML file are written to the local machine; they are re-created at system startup and each time an HTML-format e-mail message is composed.

Aliases

Valentin.A (CA), Valentine (F-Prot), VBS.Valentin.A

Virus Characteristics

This virus is believed to have been created by the author of VBS/San@M. Like VBS/San@M, it also sets the Internet Explorer start page to a Spanish website.

The virus is embedded in an HTML file, uses the VBScript.Encode method to partially encode (obfuscate) its code, and makes use of the so-called "Scriptlet.TypeLib" vulnerability.

When the viral code is executed, it copies itself to the StartUp folder, "c:\WINDOWS\Start Menu\Programs\Startup\loveday14-b.hta". If the Spanish version of Windows is detected, it copies itself to the corresponding Startup folder, "c:\WINDOWS\Menú Inicio\Programas\Inicio\loveday14-b.hta".

The file "main.html" is created in the WINDOWS SYSTEM directory.

The virus sends itself to all recipients found in the Outlook Address Book. The subject line of the message is left empty and there is no attachment. The e-mail message body contains the embedded virus code, in HTML format.

The virus attempts to send e-mail messages to random mobile-phone addresses of a Spanish telecom provider. These messages contain the following information:
Subject: "Feliz san valentin"
Body: "Feliz san valentin. Por favor visita" (followed by a link to a Spanish website that the virus author had infected)

The virus also attempts to use the mIRC Internet Relay Chat client to send itself, as "main.html", to other IRC users.

If the current day of the month is 8, 14, 23, or 29, the virus attempts to overwrite all files on the C: drive with Spanish text. Each overwritten file keeps its original name with the extension .TXT appended (e.g. C:\COMMAND.COM becomes C:\COMMAND.COM.TXT).

These overwritten files contain the text (quoted as written by the virus, in Spanish):

Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor
a Davinia, la chica mas guapa del mundo.
Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.
Todos los dias a todas horas pienso en ti y cada segundo que no te veo
es un infierno.
Quieres salir conmigo?
En cuanto a ti usuario, debo decirte que tus ficheros
no han sido contaminados por un virus,
sino sacralizados por el amor que siento por Davinia.

Some visible parts of the code are:

"Que cosa mas tonta".
"loveday14 by Onel2 Melilla, España"
"feliz san valentin davinia"
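As an added defender-side check, not part of the McAfee profile, the following Python script looks for the host indicators listed above: the HTA in the Startup folder (English and Spanish Windows layouts), main.html in the SYSTEM directory, and overwritten files with .TXT appended whose contents begin with the quoted Spanish text. It assumes a root directory standing in for the C: drive so it can be run against any tree; the relative paths, the double-extension regex and the marker string are constructed from the profile text, and the sample tree it builds contains placeholders, not the virus.

```python
import re
import tempfile
from pathlib import Path

# Host indicators quoted in the profile: the HTA in the Startup folder (English
# and Spanish layouts), main.html in SYSTEM, and overwritten files with .TXT appended.
HTA_NAME = "loveday14-b.hta"
STARTUP_RELATIVE = [
    Path("WINDOWS/Start Menu/Programs/Startup"),
    Path("WINDOWS/Menú Inicio/Programas/Inicio"),
]
SYSTEM_HTML_RELATIVE = Path("WINDOWS/SYSTEM/main.html")
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.txt$", re.I)  # COMMAND.COM.TXT, not notes.txt
PAYLOAD_MARKER = b"me llamo Onel2"  # opening words of the overwrite text in the profile


def scan_for_valentin(root):
    """Return {indicator: [paths]} found under root, which stands in for C:."""
    root = Path(root)
    hits = {"startup_hta": [], "system_html": [], "overwritten": []}
    for rel in STARTUP_RELATIVE:
        hta = root / rel / HTA_NAME
        if hta.is_file():
            hits["startup_hta"].append(str(hta))
    html = root / SYSTEM_HTML_RELATIVE
    if html.is_file():
        hits["system_html"].append(str(html))
    for path in root.rglob("*"):
        if not path.is_file() or not DOUBLE_EXT.search(path.name):
            continue
        try:
            head = path.read_bytes()[:512]
        except OSError:
            continue
        if PAYLOAD_MARKER in head:  # a double extension alone is weak; confirm the payload text
            hits["overwritten"].append(str(path))
    return hits


def build_sample_tree():
    """Constructed sample tree mimicking an infected C: drive (placeholders, no real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / STARTUP_RELATIVE[0]).mkdir(parents=True)
    (root / STARTUP_RELATIVE[0] / HTA_NAME).write_text("<html><!-- placeholder --></html>")
    (root / SYSTEM_HTML_RELATIVE).parent.mkdir(parents=True)
    (root / SYSTEM_HTML_RELATIVE).write_text("<html><!-- placeholder --></html>")
    (root / "COMMAND.COM.TXT").write_bytes(b"Hola, me llamo Onel2 y voy a ...")
    (root / "notes.txt").write_text("benign single-extension file")
    return root
```

Run `scan_for_valentin("C:\\")` on a real Windows 9x-style tree (or a mounted image of one) to get the same dictionary of hits; an empty list for every key means none of the profile's host indicators were found.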
Removal Instructions

Use the specified engine and DAT files for detection and removal.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the Microsoft patch listed under "AVERT Recommended Updates" below
* remove the .HTA and/or .HTML files associated with this threat
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit from removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double-click 'Accessories'. Scroll down to 'Windows Script Host', uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.

Users may also want to disable 'Active Scripting' in the 'Restricted Sites' zone and set e-mail to run in the 'Restricted Sites' zone. To do this:

- open Internet Explorer
- choose the Tools menu
- choose Internet Options
- click the Security tab
- click the Restricted Sites icon
- click 'Custom Level'
- scroll down to 'Active Scripting' and set it to Disable or Prompt
- click OK
- open Outlook
- choose the Tools menu
- choose Options
- click the Security tab
- in the 'Security Zones' section, choose the 'Restricted Sites' zone

AVERT Recommended Updates:

* scriptlet.typelib/Eyedog vulnerability patch
* Malformed E-mail MIME Header vulnerability patch
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

Additionally, network administrators can configure this update using an available tool; visit this link for more information.
