ILOVEYOU Virus Rides Again - As A Resume

The ILOVEYOU virus, which caused havoc earlier this year, has resurfaced
with a vengeance, says Kaspersky Lab, the Moscow-based IT security
company.

The firm, which has taken to issuing updates to its antivirus software
on a daily basis in recent times, says that a variant of the virus,
known as "I-Worm.LoveLetter.bd," was spotted in the wild late on
Aug. 15 by PC users in Switzerland and Russia.

The bad news is that the virus variant uses a well-known trick of
making the recipient think the attachment is something other
than what it actually is.

In the I-Worm variant of ILOVEYOU, the header of the attached file is
RESUME.TXT, making the reader think the attachment is a resume enquiry
from a Swiss Internet company, which is said to be looking for an
Internet programmer.

Kaspersky Lab says that, after the infected attachment is executed,
the virus automatically opens the Notepad word processor (bundled by
default with all versions of Windows) and shows the following text:

"Knowledge Engineer, Zurich
Intelligente Agenten im Internet sammeln Informationen, erklären
Sachverhalte im Customer Service, navigieren im Web, beantworten Email
Anfragen oder verkaufen Produkte.
[skipped]"

At the same time as this data is displayed, Kaspersky Lab says that
the virus invisibly gains access to the host PC's Microsoft Outlook e-mail
program (if present) and, just like the original ILOVEYOU worm, sends
out copies of itself containing the attached infected resume file to
all the entries in the hapless user's address book.

While an initial scan suggests that the I-Worm variant is a simple
rework of the ILOVEYOU virus, Kaspersky Lab warns that the virus has
been extensively recoded to perform various nasties on the host PC.

One of these appears to include the ability to download updated worms
and Trojan horse applications across the Internet, allowing, for
example, hackers to upload significant quantities of malicious code to
the host PC, and so cause further havoc.

Early indications suggest that the upload feature of the I-Worm
variant is flawed and will only work if an online banking package
called USB PIN from the Union Bank of Switzerland is also installed on
the host PC.

If this application is present, the I-Worm variant attempts to connect
with at least three Web sites to download an application called
HCHECK.EXE, an executable that contains a Trojan horse program called
Hooker.

The Hooker program sucks up all variable data, including user
keystrokes, user IDs and passwords, from the host PC and relays them
to an anonymous mailbox.

Kaspersky Lab says that the Web sites with HCHECK.EXE include public
file areas of servers operated by the Michigan State University and
the US National Institute of Health. The IT security firm says it is
working with site operators to remove copies of the offending program.

Kaspersky Lab's Web site is at http://www.kasperskylabs.com.

Reported by Newsbytes.com, http://www.newsbytes.com.
