Author Topic: VBS:LoveLetter detected.  (Read 16088 times)

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #15 on: March 07, 2006, 11:48:29 PM »
The attachment shows a screenshot from the previous time [25.02.2006] the warning appeared.

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: VBS:LoveLetter detected.
« Reply #16 on: March 08, 2006, 05:40:10 AM »
Well, I still don't have a definitive answer but notice you had 7 instances of Internet Explorer open when you got the first alert.  Besides the Microsoft page any idea what was on the other 6?  Were there multiple browsers open the 2nd time too?
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #17 on: March 08, 2006, 10:00:21 AM »
The second time only IE was open, 3 instances - 1 window for a gmail account and 2 windows with pages from a financial news site. These 3 pages plus another couple from the same financial news site and a couple of MS pages would have been the instances of IE open on the first occasion.

I never use IE for general browsing - always use Firefox - and cannot remember when I last had anything, other than the pages mentioned above, opened in IE.

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: VBS:LoveLetter detected.
« Reply #18 on: March 08, 2006, 04:19:12 PM »
***

Perhaps this is happening when new email is coming into your gmail account. Most email accounts automatically add new email at certain intervals. For some reason it appears that someone/something is sending you email that is infected. Maybe you do not directly download email to your computer but Avast is seeing something coming from gmail and blocking it from entering your computer.

Actually, I have gotten the same types of warnings a few times while doing searches with Google. I am beginning to wonder if Google is being infected in various of their services from time to time. Google is big and popular ... a target likely to be exploited by hackers and malware writers. 


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #19 on: March 08, 2006, 10:42:38 PM »
Quote
***
For some reason it appears that someone/something is sending you email that is infected. Maybe you do not directly download email to your computer but Avast is seeing something coming from gmail and blocking it from entering your computer.
***

My impression is that mail is not being sent. When I've received these warnings I haven't taken any action other than closing the warning box; I certainly haven't used the "Abort connection" button, yet don't receive mail.

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #20 on: March 09, 2006, 02:29:04 AM »
I've received another Avast virus warning, this time for VBS:Zulu

-----
http://mail.google.com/mail/?&ik=f0fdf97385&view=tl&search=inbox&start=0&tlt=109dc58b864&fp=c8cdbccab8f97ae4&auto=1&zx=m2bhu5-cdg8b7\unp125610259

Malware name: VBS:Zulu
Malware type: Virus/Worm
VPS version: 0610-1, 08/03/2006
------

The "More info ... " link in the warning box only goes to the virus report page, but from Symantec Security Response:

Quote
VBS.Zulu.D is a simple encrypted virus that attempts to insert itself into .html, .htm, and .vbs files. It configures itself to run when you start Windows.

technical details

This virus inserts itself into .html, .htm, and .vbs files, and it drops the file Winstart.wsh.

It then adds the value

Winstart  <path>\Winstart.wsh

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Finally, it copies itself to Winstart.vbe.


http://www.symantec.com/avcenter/venc/data/vbs.zulu.d.html


As on previous occasions I didn't receive mail and my use of the computer was also much the same. Winstart.wsh isn't in the registry and there isn't any indication of Winstart.vbe.

Although, to me, it seems almost certain these warnings are false positives, I could well do without them.
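
A read-only check for the persistence artifacts listed in the Symantec description quoted in Reply #20, as an added example that is not part of the original thread. The search roots (`$env:SystemRoot` and `$env:USERPROFILE`) are assumptions, since the write-up gives the file location only as `<path>`.

```powershell
# Added example: read-only check for the VBS.Zulu.D artifacts named in the quoted
# Symantec description (Run value "Winstart", Winstart.wsh, Winstart.vbe).
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$psMeta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$findings = @()

# 1. Run key: a value named "Winstart", or any value whose data points at Winstart.wsh
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # provider metadata, not registry values
        if ($p.Name -eq 'Winstart' -or "$($p.Value)" -match '\\Winstart\.wsh') {
            $findings += [pscustomobject]@{ Kind = 'Run value'; Item = $p.Name; Detail = "$($p.Value)" }
        }
    }
}

# 2. Dropped files. The write-up gives the location only as <path>, so these
#    search roots are an assumption; add other directories as needed.
$roots = @($env:SystemRoot, $env:USERPROFILE) | Where-Object { $_ -and (Test-Path $_) }
if ($roots) {
    $files = Get-ChildItem -Path $roots -Include 'Winstart.wsh','Winstart.vbe' `
                           -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $f.Name; Detail = $f.FullName }
    }
}

# 3. Report
if ($findings.Count -eq 0) {
    'No Winstart Run value, Winstart.wsh or Winstart.vbe found in the locations checked.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result only shows that the persistence steps described in the write-up left no trace in the locations checked.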

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: VBS:LoveLetter detected.
« Reply #21 on: March 10, 2006, 01:45:49 AM »
Quote
Actually, I have gotten the same types of warnings a few times while doing searches with Google. I am beginning to wonder if Google is being infected in various of their services from time to time.

See this for an example of what Charlie is referring to:

http://forum.avast.com/index.php?topic=19339.msg163125#msg163125

At the time of that post I thought something was up with Symantec, but it could be a Google thing. 

While it's tempting (and logical??) to call these false positives, my feeling is that the warnings should not be ignored.
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #22 on: March 10, 2006, 10:11:48 AM »
Quote
At the time of that post I thought something was up with Symantec, but it could be a Google thing.

While it's tempting (and logical??) to call these false positives, my feeling is that the warnings should not be ignored.

I take your point. Yes, it is tempting to call these warnings false positives, particularly as I've never received a virus, but if Google is somehow involved I daresay one's usual "safe browsing practices" are undermined to a degree, meaning in the absence of an explanation one cannot be certain.




Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: VBS:LoveLetter detected.
« Reply #23 on: March 10, 2006, 08:09:08 PM »
***

Two tools some of us here use to make browsing a little safer are DrWeb browser plug-in which allows you to check links before actually going to the link site ... and ... SiteAdvisor plug-in which installs a button in the browser tool bar that is color coded and has a menu where you can view information on webpages. SiteAdvisor also gives info on each result when doing Google searches. Both are free. For more info on these, read the forum threads below.

DrWeb:
http://forum.avast.com/index.php?topic=19384.msg163390#msg163390

SiteAdvisor:
http://forum.avast.com/index.php?topic=19705.0


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #24 on: March 11, 2006, 12:34:24 AM »
Thank you for the links CharleyO. DrWeb and SiteAdvisor seem to be very handy tools, I'll look into them.

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #25 on: March 11, 2006, 01:42:21 PM »
Another Avast warning received.

File name: http://mail.google.com/mail/?&ik=f0fdf97385&view=tl&search=inbox&start=0&tlt=109e9217ca2&fp=f01cd7ee7c81f7ed&auto=1&zx=u7awo5-p1qgef\unp227168775
Malware name: VBS:Zulu
Malware type: Virus/Worm
VPS version: 0610-2, 10/03/2006

For all intents and purposes everything was the same as when the previous warnings were received. As a test I won't leave the Gmail account open as I usually do and see if the warnings stop. This should be the case, should it not?

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: VBS:LoveLetter detected.
« Reply #26 on: March 11, 2006, 02:03:52 PM »
Quote
This should be the case should it not?

I would think so.

Edit:  Maybe if you leave it closed, but periodically open it to check your mail, you will get a better idea of what's going on.
« Last Edit: March 11, 2006, 02:11:10 PM by mauserme »
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline WDGC

  • Jr. Member
  • **
  • Posts: 42
Re: VBS:LoveLetter detected.
« Reply #27 on: March 12, 2006, 12:11:25 AM »
Quote
Edit:  Maybe if you leave it closed, but periodically open it to check your mail, you will get a better idea of what's going on.

Just so, that is what I had in mind.