Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement



Virus Name  : VBS/Plan

Alias             : I-Worm.LoveLetter, VBS_COLOMBIA

Virus type    : VBScript worm

Threat level : Low

Virus details :

                     VBS/Plan is a new modified variant of VBS/LoveLetter worm uses Microsoft outlook to spread. Also it needs Windows Scripting Host to infect the system.

                     The email message subject will be "US PRESIDENT AND FBI SECRETS =PLEASE VISIT = > (http://WWW.2600.COM)<=" or randomly selected name with 6 characters length created by the Polymorphic routine. The message body will be "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.." or randomly selected name with 10 characters length. The attachment will be a random name with extensions .BMP.vbs, .JPG.vbs, .GIF.vbs ( Example: aEcOb.JPG.vbs ). The VBS extension will not appear if Windows Scripting Host is installed.

                     While opening the e-mail attachment, will copy LINUX32.vbs and a random file name in windows system folder and reload.vbs in windows folder. Then it changes the registry settings so that the the script is automatically executed when the system is restarted.

                     Then it checks for "WinFAT32.exe" in windows system folder, if found it also tries to download three files named, and If the files are download , it copies the files in the name of important_note.txt, logow.sys, logos.sys Windows folder. Actaully, these are not zip files. The first one is a text file and other two are BMP files. The bmp file is used for windows startup and shutdown screen. The text file is displayed by modifying the registry.

                     Then the worm creates "US-PRESIDENT-AND-FBI-SECRETS.HTM" in windows system folder. It opens the Microsoft Outlook Address book and sends email to all the email ids stored in that. The message subject, body and attachment details will be the same as explained above.

                     Then the virus searches for all local and remote drives and overwrites .js, .jse, .css, .wsh, .sct and .hta files with the script. It overwrites jpg, jpeg files with the virus code and renames to .vbs extension. In case of mp2 and mp3 files it hides the original file and creates a new file with .vbs extension and writes its code there.

                     The worm contains date activated payload also. When the current date is 17th and current month is September ( 9th month ) it will display the following message.

"Dedicated to my best brother=> Christiam Julian(C.J.G.S.)"
"Att. ( random name of 5 letters lenght ) (M.H.M. TEAM)"

                      If you press Ok to the message box it will try to disconnect Network drives from E: to Z: in reverse order.

How can I protect my system?

                     There is no special update required for Solo users. Solo "Heuristic Engine" will detect and remove this worm automatically in the name "VBS/LoveLetter.variant".

                   Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

                     To protect your system against infection, disable Windows Scripting Host by following these steps: Click the Start button, Settings, Control Panel, then select Add/Remove Programs, then select the Windows Setup tab, then double-click Accessories, scroll down to Windows Scripting Host, and uncheck the box. Save changes and close the window.

How to remove this worm?

                   If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove VBS/Plan worm safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link