-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                      AL-2000.006  --  AUSCERT ALERT
                             Newlove Virus
                              19 May 2000

===========================================================================

PROBLEM:  

          Several Anti-virus vendors have issued reports of a new,
          more damaging variant of the Loveletter virus of two weeks
          ago.  The name of this variant is VBS.NewLove.A.

          This variant has polymorphic characteristics in that during
          propagation it changes its attachment name and up to 10 new
          lines of text in order to defeat detection.  The virus may
          also embed itself in random files in the Windows and
          Windows\System directories.

          This virus is more destructive than Loveletter.  It is
          believed that it indiscriminately over-writes files with
          zero-length files, resulting in an unusable system.

          As with the Loveletter, this virus is written in Visual
          Basic Script (.vbs extension).  It is reliant on Microsoft
          Outlook for propagation, in that it uses addressees listed
          in the Outlook address book.  While subject lines in
          electronic mail messages are randomised to some extent,
          current understanding is that they always begin with the
          characters "FW:".

          AusCERT has received no direct reports of infection among
          member sites.  We are issuing this warning to draw members'
          attention to the potential for release within Australia and
          New Zealand over the weekend.


PLATFORM: 
          
	  Microsoft Windows systems using Microsoft Outlook.

IMPACT:   

          The virus may propagate itself via email to all addressees
          in a user's Microsoft Outlook address book.  A large number
          of files throughout the system may be overwritten, causing
          system failure and an inability to reboot.

SOLUTION: 

          We encourage sites to caution users about the potential for
          damage through careless opening of electronic mail
          attachments with .vbs extensions.  Users are encouraged to
          see assistance from local system administrators if in doubt.

          We are aware of reports by two anti-virus vendors:

          Symantec:
            http://www.sarc.com/avcenter/venc/data/vbs.loveletter.fw.a.html

          Trend Micro:
            http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_NEWLOVE.A

          Aside from the recommendations within this sites,
          remediation is likely to require system restoration from
          backups.

- ---------------------------------------------------------------------------
For more information please contact your anti-virus vendor.
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXWJCh9+71yA2DNAQECmgP/RgvWv120a+L5TMDM/FCFaYNOPsj8w3TM
b8TpRCz7dymB4eZJFCECXnrQnyzOCwLa+u51hgNlUk2W8FuOwahq3F3XH6myGFiY
qwHwA3358XS3sNZZLm5lOre/EtJnYLekywwUW4CgrQ2/6Wy+CDnH/luxti4UJCKM
UR2cED6kscg=
=FAcs
-----END PGP SIGNATURE-----