Short Name | VIRUS:POP3:UUENCODED-DOT-VBS |
---|---|
Severity | High |
Recommended | No |
Recommended Action | Drop |
Category | VIRUS |
Release Date | 2003/04/22 |
Update Number | 1213 |
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
This signature detects e-mail attachments containing the string "begin" and the file extension "vbs" sent through POP3. This can indicate the e-mail virus LoveLetter is attempting to enter the system. The executed file copies itself to the Windows system directory and edits the Registry to run the virus on reboot; when activated, it downloads a Trojan from a specified Web site that deletes security keys and sends stolen passwords to its owner. LoveLetter also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found, overwrites mIRC and Pirch setup files, and sends infected messages through IRC.
LoveLetter is a worm. It changes registry keys, steals passwords, destroys files, and propagates itself via e-mail and mIRC.
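The check described above (a uuencode "begin" header naming a .vbs file in mail retrieved over POP3) can be sketched as follows. This is an added example, not the vendor's signature logic; the function names and the sample POP3 response are constructed for illustration.

```python
import re

# uuencode header line: "begin <octal mode> <filename>"
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (.+)$")

def pop3_body_lines(response: bytes):
    """Yield message lines from a POP3 RETR response (RFC 1939 framing)."""
    lines = response.split(b"\r\n")
    if not lines[0].startswith(b"+OK"):
        return                      # -ERR or junk: no message to scan
    for line in lines[1:]:
        if line == b".":            # lone dot terminates the multi-line reply
            return
        if line.startswith(b"."):   # undo POP3 dot-stuffing
            line = line[1:]
        yield line

def find_uuencoded_vbs(response: bytes):
    """Return names of uuencoded attachments whose filename ends in .vbs."""
    hits = []
    in_headers = True
    for line in pop3_body_lines(response):
        if in_headers:              # skip mail headers up to the blank line
            in_headers = line != b""
            continue
        m = UU_BEGIN.match(line)
        if m:
            name = m.group(1).strip().decode("latin-1")
            # endswith() also catches double extensions such as .TXT.vbs
            if name.lower().endswith(".vbs"):
                hits.append(name)
    return hits

# Constructed sample: a RETR reply carrying a harmless 3-byte uuencoded payload.
SAMPLE = (
    b"+OK 180 octets\r\n"
    b"From: sender@example.test\r\n"
    b"Subject: see attachment\r\n"
    b"\r\n"
    b"Please open the attached file.\r\n"
    b"begin 644 NOTE.TXT.vbs\r\n"
    b"#0V%T\r\n"
    b"`\r\n"
    b"end\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    print(find_uuencoded_vbs(SAMPLE))
```

Matching on the parsed header line rather than on the bare strings "begin" and "vbs" avoids flagging ordinary prose that happens to contain both words.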