
Jennifer Lopez naked virus?


meekon5

Programmer
Dec 12, 2000
15
DE
I have two mails this morning (one from ZDNet, another from NW Security) both warning about the above virus. I have no other information (checked NAI.com and CERT, both in the virus and hoax areas) apart from these two sources, one claiming it's a version of the lovebug virus, the other claiming it's a variant of the Chernobyl virus.

Anyone got anything else on this? I don't want to release a general alert to my company if this turns out to be a hoax. We had enough trouble with the French office reacting to the SULFNBK.EXE hoax. It seemed they were more inclined to believe their lawyers than their IT department. (Oh well, their loss; support suddenly becomes a lot harder for the French office.)
 
Nothing on McAfee's site as of this moment... Terry M. Hoey
th3856@txmail.sbc.com
While I don't mind e-mail messages, please post all questions in these forums for the benefit of all members.
 
It is a variant of the Love-Letter virus. The following is a copy of the alert I got from Sophos:

At the time of writing Sophos has not seen any infections but
has issued this alert due to media interest.

Description:

VBS/Lovelet-CM is an email-aware worm. The worm copies itself to
a file called JENNIFERLOPEZ_NAKED.JPG.vbs in the Windows
directory. It then forwards itself via email to every contact in
the Microsoft Outlook address book with the following
characteristics:

Subject: Where are you?

Body text: This is my pic in the beach!

Attached file: JENNIFERLOPEZ_NAKED.JPG.vbs

When the attached file is opened the worm searches all fixed and
network drives for files with extensions .VBS, .VBE, .JS, .JSE,
.CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .MP2 and .MP3. All found
files are overwritten by the worm.

Original extensions .JS, .JSE, .CSS, .WSH, .SCT and .HTA are
changed to .VBS. Original extensions .JPG and .JPEG are
converted to double extension .JPG.VBS and .JPEG.VBS
respectively. Attributes of the original files with .MP2 and
.MP3 extension are changed so that the original file is hidden
and a new file with the identical name and VBS extension is
created by the worm.

The worm also creates the Registry keys
HKCU\software\JENNIFERLOPEZ_NAKED\ so that it contains the text
"Worm made in algeria" and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that it
contains the name of the worm file. The worm then sends itself
to all contacts found in the Microsoft Outlook address book.

Finally it drops and runs a file infected with a variant of the
highly destructive W95/CIH virus (also known as Chernobyl). The
dropped file is detected by SAV as W95/CIH-10xx.

Read the analysis at


James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
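The Sophos text above describes three file-side effects an infected host will show: the dropped JENNIFERLOPEZ_NAKED.JPG.vbs in the Windows directory, pictures renamed to the double extension .JPG.VBS/.JPEG.VBS, and .MP2/.MP3 files hidden beside a same-named .VBS twin, plus two Registry keys. The following sweep is an added example written for this thread, not Sophos', Tek-Tips' or the worm's code. The file checks map one-to-one onto sentences of the alert; the "marker string" check (looking for the text JENNIFERLOPEZ_NAKED inside .vbs files) is an assumption based on the key name the alert says the worm creates, not a published signature. The sample tree it builds is constructed test data, and the Registry check only runs on Windows.

```python
"""Host-side sweep for the VBS/Lovelet-CM artifacts described in the Sophos alert.

Added example for the thread, not vendor code.  The marker-string check is an
assumption (the key name the worm creates), not a published detection signature.
"""
import os
import re
import tempfile
from pathlib import Path

DROPPER = "jenniferlopez_naked.jpg.vbs"       # file dropped in the Windows directory
DOUBLE_EXT = re.compile(r"\.jpe?g\.vbs$")      # .JPG -> .JPG.VBS, .JPEG -> .JPEG.VBS
AUDIO_EXTS = {".mp2", ".mp3"}                  # original hidden, same-name .VBS created
MARKER = b"JENNIFERLOPEZ_NAKED"                # assumption: appears in the script body
MAX_READ = 256 * 1024                          # plenty for a .vbs; avoids reading huge files


def scan_tree(root):
    """Walk `root` and return (indicator, path) tuples for every suspicious file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        lower_names = {n.lower() for n in filenames}   # Windows names are case-insensitive
        for name in filenames:
            path = d / name
            low = name.lower()
            if low == DROPPER:
                findings.append(("worm_dropper", str(path)))
            elif DOUBLE_EXT.search(low):
                findings.append(("double_extension", str(path)))
            elif Path(low).suffix in AUDIO_EXTS and Path(low).with_suffix(".vbs").name in lower_names:
                findings.append(("audio_shadowed_by_vbs", str(path)))
            if low.endswith(".vbs"):
                try:
                    with open(path, "rb") as fh:
                        if MARKER in fh.read(MAX_READ):
                            findings.append(("marker_string", str(path)))
                except OSError:
                    pass   # unreadable file: skip it rather than abort the sweep
    return findings


def check_registry():
    """On Windows, look for the two keys the alert names; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"software\JENNIFERLOPEZ_NAKED"))
        hits.append(("hkcu_marker_key", r"HKCU\software\JENNIFERLOPEZ_NAKED"))
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as run:
            i = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(run, i)
                except OSError:
                    break   # no more values
                if MARKER.decode().lower() in str(data).lower():
                    hits.append(("run_value", f"{name}={data}"))
                i += 1
    except OSError:
        pass
    return hits


def build_sample_tree():
    """Constructed sample tree (not real infection data) mimicking the alert's effects."""
    root = Path(tempfile.mkdtemp(prefix="lovelet_cm_"))
    win = root / "WINDOWS"
    win.mkdir()
    (win / "JENNIFERLOPEZ_NAKED.JPG.vbs").write_bytes(
        b"' Worm made in algeria\r\n' HKCU\\software\\JENNIFERLOPEZ_NAKED\r\n")
    share = root / "share"
    share.mkdir()
    (share / "holiday.JPG.vbs").write_bytes(b"' overwritten picture\r\n")
    (share / "track01.mp3").write_bytes(b"\xff\xfb\x90")   # original, would be hidden
    (share / "track01.vbs").write_bytes(b"' twin script\r\n")
    (share / "clean.jpg").write_bytes(b"\xff\xd8\xff")     # untouched picture
    (share / "notes.txt").write_bytes(b"nothing to see\r\n")
    return root


if __name__ == "__main__":
    for kind, where in scan_tree(build_sample_tree()) + check_registry():
        print(f"{kind:24s} {where}")
```

Run it against a mapped network share or the Windows directory by passing that path to `scan_tree`; the double-extension and audio-twin checks are the ones a file-count alone will not catch, because Explorer hides the trailing .vbs when "hide extensions for known file types" is on.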
 
Thanks for that. Enough for me to release a general warning to the company on this one. Thank you again.
 
Your best bet is the "double barrel" approach. I use a memory resident scanner that checks every file that opens for viruses. Then (at least) once a day I run another scanner that checks memory, boot sectors, and files for viruses. I do this on all servers and workstations. Works for us.


James P. Cottingham

 
We've just signed up to a third-party virus protection service from Star. We redirect our DNS to and from the company through their server, and all incoming and outgoing mail is filtered through four commercial virus-checking packages and their own heuristic scan. Any problem mail is held on their server and notified both to the sender/receiver and our department. We are trying it out on the UK site at the moment and will roll it out to our other subsidiaries if it proves useful.
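A gateway of the kind described above holds mail on the way in, before any user can double-click an attachment. The screening below is an added example written for this thread, not Star's or Tek-Tips' code, and shows the name-based checks that would have caught this worm independently of signatures: a script extension on the attachment, the double-extension trick (JENNIFERLOPEZ_NAKED.JPG.vbs reads as a picture once Explorer hides the known .vbs), and the exact subject and body text from the Sophos alert. The extension lists are assumptions about what a gateway would block; the two sample messages are constructed and the "attachment" is harmless placeholder text.

```python
"""Mail-gateway style attachment screening, added example for the thread (not vendor code).

Holds messages whose attachments carry Windows script/executable extensions or a
double extension, and messages matching the VBS/Lovelet-CM subject/body text.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions a gateway would hold; .CSS is on the worm's target list but is harmless inbound.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".mp3", ".mp2"}   # benign-looking inner extensions
KNOWN_SUBJECT = "where are you?"                  # from the alert
KNOWN_BODY = "this is my pic in the beach!"       # from the alert


def attachment_reasons(filename):
    """Reasons to hold an attachment based on its file name alone."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    last = "." + parts[-1]
    if last in SCRIPT_EXTS:
        reasons.append(f"script extension {last}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2]}{last} hides the script")
    return reasons


def screen_message(raw):
    """Return hold reasons for a raw RFC 822 message; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if subject == KNOWN_SUBJECT and body == KNOWN_BODY:
        reasons.append("subject/body match VBS/Lovelet-CM")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for r in attachment_reasons(name):
            reasons.append(f"{name}: {r}")
    return reasons


def build_sample(worm):
    """Constructed test message; worm=True mimics the alert's mail with a harmless payload."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    if worm:
        m["Subject"] = "Where are you?"
        m.set_content("This is my pic in the beach!")
        m.add_attachment(b"' placeholder text, not the worm\r\n", maintype="application",
                         subtype="octet-stream", filename="JENNIFERLOPEZ_NAKED.JPG.vbs")
    else:
        m["Subject"] = "Holiday photo"
        m.set_content("Here is the picture from the beach.")
        m.add_attachment(b"\xff\xd8\xff\xe0", maintype="image", subtype="jpeg", filename="beach.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    for label, flag in (("worm-like", True), ("clean", False)):
        print(label, screen_message(build_sample(flag)) or ["deliver"])
```

The name checks are deliberately independent of the subject/body match: the next variant will change the text, but a .vbs attachment dressed up as a .JPG is the same trick every time, so the double-extension rule is the one worth keeping once this outbreak is over.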
 
meekon5,

Let us know how well it works.

James P. Cottingham

 