VIRUS: POP3 Uuencoded .vbs

This signature detects e-mail attachments containing the string "begin" and the file extension "vbs" sent through POP3. This can indicate the e-mail virus LoveLetter is attempting to enter the system. The executed file copies itself to the Windows system directory and edits the Registry to run the virus on reboot; when activated, it downloads a Trojan from a specified Web site that deletes security keys and sends stolen passwords to its owner. LoveLetter also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found, overwrites mIRC and Pirch setup files, and sends infected messages through IRC.

Extended Description

LoveLetter is a worm. It changes registry keys, steals passwords, destroys files, and propagates itself via e-mail and mIRC.
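The match described in the summary above, as an added example (not the vendor's signature logic): a literal "begin" plus ".vbs" check is compared with a stricter check that requires a well-formed uuencode header followed by a valid data line. The function names, the sample messages and the filename invoice.TXT.vbs are constructed for illustration.

```python
import binascii
import re

# uuencode header line: "begin <octal mode> <filename>"
UU_HEADER = re.compile(rb"^begin [0-7]{3,4} (.+?)\s*$")

def naive_match(message: bytes) -> bool:
    """Assumed literal reading of the summary: 'begin' and '.vbs' anywhere."""
    lowered = message.lower()
    return b"begin" in lowered and b".vbs" in lowered

def is_uu_data_line(line: bytes) -> bool:
    """A uuencoded data line is a length character (1..45 bytes) followed by
    exactly ceil(n/3)*4 characters, all in the range 0x20..0x60."""
    if not line or any(c < 0x20 or c > 0x60 for c in line):
        return False
    n = (line[0] - 0x20) & 0x3F
    return 1 <= n <= 45 and len(line) == 1 + ((n + 2) // 3) * 4

def uuencoded_vbs_names(message: bytes) -> list:
    """Filenames of non-empty uuencoded attachments whose last extension is .vbs."""
    lines = message.split(b"\r\n")
    names = []
    for i, line in enumerate(lines[:-1]):
        m = UU_HEADER.match(line)
        # Require real encoded data after the header to cut false positives.
        if m and m.group(1).lower().endswith(b".vbs") and is_uu_data_line(lines[i + 1]):
            names.append(m.group(1).decode("latin-1"))
    return names

# Constructed POP3 RETR responses (harmless payload: 45 bytes of "A").
DATA = binascii.b2a_uu(b"A" * 45).rstrip(b"\n")
INFECTED = b"\r\n".join([
    b"+OK message follows", b"Subject: constructed sample", b"",
    b"See attachment.", b"begin 644 invoice.TXT.vbs", DATA, b"`", b"end", b".", b""])
BENIGN = b"\r\n".join([
    b"+OK message follows", b"Subject: constructed sample", b"",
    b"begin 100 trials of macro.vbs", b"Thanks, Bob", b".", b""])

if __name__ == "__main__":
    for label, msg in (("infected", INFECTED), ("benign", BENIGN)):
        print(label, "naive:", naive_match(msg), "strict:", uuencoded_vbs_names(msg))
```

Both samples trip the naive check; only the message carrying an actual uuencoded .vbs attachment is returned by the stricter one.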

Short Name: VIRUS:POP3:UUENCODED-DOT-VBS
Severity: Major
Recommended: False
Recommended Action: Drop
Category: VIRUS
Keywords: .vbs POP3 Uuencoded
Release Date: 04/22/2003
Supported Platforms:
  srx-branch-12.3
  srx-19.3
  srx-branch-19.3
  vsrx3bsd-19.2
  srx-branch-19.4
  vsrx-19.4
  mx-12.3
  mx-19.4
  vmx-19.4
  mx-19.3
  vsrx3bsd-19.4
  srx-19.4
  vsrx-12.3
  vmx-19.3
  vsrx-19.2
  srx-12.3
Sigpack Version: 3375
False Positive: Unknown
