VBS.NewLove

NewLove is a worm coded in Visual Basic Script (VBS) language. As its name indicates this worm is a new variant of now "famous" VBS.LoveLetter predecesor. After its installation on the host computer it acts in similar way as the LoveLetter worm. In particular, it triggers an avalanche of e-mail messages sent to all addresses in the Microsoft Outlook directory of the host computer. These messages contain the NewLove worm copy attached.
The "Subject" field of an infected message looks as if it was a forwarded message, since the subject field begins with capital letters FW followed by the name of a recently used (or randomly generated) file consisting of up to 30 letters. The extension of the file, selected by the worm is a member of the following set: Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm and Txt, e.g.:

Subject: FW: INOUTGBUIPGNMOM.Gif

The message body contains no text. The name of the file attached to the message differs from that in the subject field by VBS extension only. The worm is activated upon the execution of the attachment. Activation of the worm is followed by massive action: the files accessible on available disks are replaced by the copy of the worm itself. The names of the destroyed files are changed. In particular and extension VBS is added, i.e.: if the name of the original file was, let say, "TETRIS.EXE", the newly created (destroyed file) will be named "TETRIS.EXE.VBS".

The worm execises a simple polymorphic algorithm. Every new infection is accompanied by ammendment/insertion of a new, randomly selected comment (remark) lines. This effect can be illustrated as follows:

'QHISGJQVFMGZMYXLCKDFSGLIRQBM
Set regedit = CreateObject("WScript.Shell")
'QWEMXQVHETUKUXBWMQQQSELAGGOQRNAEWNOYMPVUSFFSWDRBQCLYL

The aforemention action casuses the size of this worm to grow up to several MB.