Alert: Lovesan Variants
There are now at least two additional variations of the Lovesan
worm. They behave in the same manner as the original Lovesan worm in that
they spread via the RPC flaw (http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml),
but the files and registry keys they create are different:
Lovesan.b
Lovesan.b puts the following files in the Windows system32 directory:
- teekids.exe (the worm itself)
- root32.exe (a backdoor Trojan program that allows hackers access to the computer)
- index.exe (the file that creates both the worm and the backdoor file on the system)
Lovesan.b then creates the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Inet Xp.." = teekids.exe Microsoft can suck my left testi! Bill
Users who find they are infected with Lovesan.b should follow the
instructions for removing the original Lovesan AND should do a complete
scan of their computer using up-to-date anti-virus software. Members of
the University of Maryland currently running McAfee VirusScan should
manually update their software using one of the following methods:
One way is to go to the McAfee corporate edition website
(www.mcafeeb2b.com), click on Downloads (in the left column of options),
then click on the link for DATs under the Virus Protection section. There
you will find download links for both the DAT File and the SuperDAT file
(the first two links). Click on and download the SuperDAT file, then
double-click on the downloaded file to fully update your software.
The other way to update the software is through the VirusScan
Console component. VirusScan users can open the VirusScan Console by
clicking on Start | Programs | Network Associates | VirusScan
Console. Once the console window is open, select AutoUpdate from the list
of tasks and then click on the Start button to perform the update
(remember that you will need to be connected to the Internet at the time
you perform this operation).
If you don't have any anti-virus software on your computer but you are a
member of UMCP, you can download and install McAfee VirusScan from http://www.helpdesk.umd.edu/virus/software.shtml.
For further details on Lovesan.b, please visit:
Lovesan.c
Lovesan.c is exactly the same as the original Lovesan worm except for the
name of the file that is created in the Windows system32
directory. Lovesan.c puts the following file in that directory:
Lovesan.c creates the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = Penis32.exe
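To check a machine for the files and Run entries listed above for both variants, a script along these lines can be used. This is an added example, not part of the original alert; the function name and output format are illustrative, and the indicators are only the ones given on this page.

```powershell
# Added example. Indicators are the file names and Run value names from this alert;
# the function name and output shape are illustrative.
$Indicators = @(
    @{ Variant = 'Lovesan.b'; RunValue = 'Microsoft Inet Xp..'
       Files = 'teekids.exe', 'root32.exe', 'index.exe' },
    @{ Variant = 'Lovesan.c'; RunValue = 'windows auto update'
       Files = @('Penis32.exe') }
)

function Find-LovesanVariant {
    param(
        [string]$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    foreach ($ioc in $Indicators) {
        # Files the variant places in the system32 directory
        foreach ($file in $ioc.Files) {
            $path = Join-Path $SystemDir $file
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                [pscustomobject]@{ Variant = $ioc.Variant; Kind = 'File'; Detail = $path }
            }
        }
        if (-not $key) { continue }
        # Run entries: flag the value name from the alert, or data that launches a listed file
        foreach ($name in $key.GetValueNames()) {
            $data   = [string]$key.GetValue($name)
            $byName = $name -eq $ioc.RunValue
            $byData = $false
            foreach ($file in $ioc.Files) {
                $pattern = '(^|[\\"\s])' + [regex]::Escape($file) + '(["\s]|$)'
                if ($data -match $pattern) { $byData = $true }
            }
            if ($byName -or $byData) {
                [pscustomobject]@{ Variant = $ioc.Variant; Kind = 'RunValue'; Detail = "$name = $data" }
            }
        }
    }
}

$hits = @(Find-LovesanVariant)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No Lovesan.b/.c indicators found.' }
```

A RunValue hit shows the value name and its data together, so a match on the name alone can be judged against the executable it actually launches.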
Users who find they are infected with Lovesan.c should follow the
instructions for removing the original Lovesan AND should do a complete
scan of their computer using up-to-date anti-virus software. Members of
the University of Maryland currently running McAfee VirusScan should
manually update their software using one of the following methods:
One way is to go to the McAfee corporate edition website
(www.mcafeeb2b.com), click on Downloads (in the left column of options),
then click on the link for DATs under the Virus Protection section. There
you will find download links for both the DAT File and the SuperDAT file
(the first two links). Click on and download the SuperDAT file, then
double-click on the downloaded file to fully update your software.
The other way to update the software is through the VirusScan
Console component. VirusScan users can open the VirusScan Console by
clicking on Start | Programs | Network Associates | VirusScan
Console. Once the console window is open, select AutoUpdate from the list
of tasks and then click on the Start button to perform the update
(remember that you will need to be connected to the Internet at the time
you perform this operation).
If you don't have any anti-virus software on your computer but you are a
member of UMCP, you can download and install McAfee VirusScan from http://www.helpdesk.umd.edu/virus/software.shtml.
For further details on Lovesan.c, please visit: