Win32.HLLM.LoveLorn

(Worm/LovLorn.6, WORM_LOVELORN.A, W32/Lovelorn.C@mm, Email-Worm.Win32.Lovelorn.f, System error, VBS.Lovelorn.A, W32/Lovelorn@MM, I-Worm/Lovelorn.dropper, Generic.PWStealer.82B4027D, W32/Lovelorn.dr, Parser error, I-Worm/Lovelorn.B, Email-Worm.Win32.Charches.a, VirTool.Win32.Hex2Vbs.a, Win32.Petuk.DR@mm, I-Worm/Lovelorn.CA, VBS/Lovelorn!dropper!Worm, Worm/c.A, VBS_LOVELORN.A, Email-Worm.Win32.Petuk.dr)

Added to the Dr.Web virus database: 2003-04-29

Virus description added:

Description

Win32.HLLM.LoveLorn is a mass-mailing worm written in Borland C++. It affects computers running Windows 95/98/Me/NT/2000/XP. The worm's size is 102,400 bytes.

Launching

To launch automatically at every Windows startup, the worm adds the value
"explorer" = "%SYSTEM%\explorer.exe"
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Spreading

The worm propagates to all the addresses found in the local Windows address book (WAB). It generates mail messages sent from the infected computer using its own SMTP engine.

The worm inserts a yahoo.com-based sender's address, for example, love_lorn@yahoo.com, thuyquyen@yahoo.com or lovelorn@yahoo.com, into the From: field.
The subjects of the messages formed by the worm vary and may be the following:

Read this file 
Help...
Re:baby!your friend send this file to you !
HELP??-
Enjoy 
Read File attach .
Re:Get Password  mail...
There're some Passwords here
Re:Binladen_Sexy.jpg
The Sexy story and 4 sexy picture of BINLADEN !
Souvenir for you from file attach...
See the Greeting-card .
Re:I Love You...OKE!
A Greeting-card for you .
Read file attach 
I like Sexy with you.
Re:Kiss you..
Guide to fuck ...
Play the game from file attach
Help.
Re:Baby! 2000USD,Win this game...

The texts accompanying messages may be the following:

Read this file 
Help...
Enjoy 
Read File attach .
run File Attach to extract:BinladenSexy.jpg...
Enjoy! BINLADEN:SEXY..
Souvenir for you from file attach...
See the Greeting-card .
I like Sexy with you.
Play the game from file attach

The attachments in all message types are named %%%.KISS.OK.EXE or %%%.HTM, where % is a variable and may be, for example, lovelorn, love_lorn or thuyguyen.

Action

Once released on a computer, the worm drops several files to the %System% folder (in Windows 9x and Windows ME it is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32):

  • explorer.exe, kernel32.exe, netdll.dll, serscg.dll are copies of the worm
  • setup.htm is a web page with an embedded script written in Visual Basic. This file is detected by the DrWeb® anti-virus program as Win32.HLLM.LoveLorn. When this file is run, the worm places one more file, named temp.exe, in the Windows temporary folder.
  • netsn.dll is a base64-encoded copy of the worm (base64 is a mail encoding compatible with MIME)
  • bsbk.dll is a base64-encoded copy of the worm's html-dropper.
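
The host artefacts from the Launching and Action sections can be turned into a triage check. The following is an added example, not Dr.Web's own code: it flags the listed file names in a copy of the %System% folder, detects a `.dll` that is really base64 text decoding to a PE header (as described for netsn.dll), and tests a Run value against the worm's path. The function names and the constructed sample directory are assumptions made for illustration; a name match alone is a lead to verify, not proof of infection.

```python
import base64, binascii, ntpath, pathlib, os, tempfile

# File names the description lists as dropped into %System%.
DROPPED = {"explorer.exe", "kernel32.exe", "netdll.dll", "serscg.dll",
           "setup.htm", "netsn.dll", "bsbk.dll"}

def looks_like_base64_pe(head: bytes) -> bool:
    """True if head is base64 text that decodes to an MZ (PE) header."""
    chunk = b"".join(head.split())[:64]          # drop MIME line breaks
    chunk = chunk[:len(chunk) - len(chunk) % 4]  # whole base64 quanta only
    try:
        return base64.b64decode(chunk, validate=True)[:2] == b"MZ"
    except (binascii.Error, ValueError):
        return False

def run_value_suspicious(name: str, data: str, system_dir: str) -> bool:
    """Run value 'explorer' that points at explorer.exe inside %System%."""
    target = ntpath.normcase(ntpath.normpath(data.strip().strip('"')))
    worm_path = ntpath.normcase(ntpath.join(system_dir, "explorer.exe"))
    return name.lower() == "explorer" and target == worm_path

def triage_system_dir(system_dir: str) -> dict:
    """Map file name -> reasons, for files matching the description."""
    findings = {}
    for entry in (e for e in os.scandir(system_dir) if e.is_file()):
        name, reasons = entry.name.lower(), []
        if name in DROPPED:
            reasons.append("name listed in description")
        if name.endswith(".dll"):
            with open(entry.path, "rb") as fh:
                if looks_like_base64_pe(fh.read(256)):
                    reasons.append("base64-encoded PE stored as .dll")
        if reasons:
            findings[entry.name] = reasons
    return findings

def demo() -> dict:
    """Build a constructed stand-in for %System% and triage it."""
    pe_stub = b"MZ\x90\x00" + bytes(60)   # constructed header, not a real sample
    files = {"netsn.dll": base64.encodebytes(pe_stub),  # base64 text, MIME style
             "kernel32.dll": pe_stub,                   # ordinary binary DLL
             "kernel32.exe": pe_stub}                   # name from the drop list
    with tempfile.TemporaryDirectory() as d:
        for fname, content in files.items():
            pathlib.Path(d, fname).write_bytes(content)
        return triage_system_dir(d)

if __name__ == "__main__":
    print(demo())
```

The genuine Windows shell explorer.exe lives in the Windows directory rather than in %System%, which is why a Run value pointing at %System%\explorer.exe is worth flagging.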