Alias: W32/Lovelorn@MM [McAfee], WORM_LOVELORN.A [Trend], Win32.Lovelorn.A [CA], I-Worm.Lovelorn [KAV], W32/Cailont-A [Sophos], W32.Nolor@mm
Type: Worm
Size: 101,888 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email, using its own SMTP engine.
VDF Version: 6.23.00.00
Danger: Low
Distribution: High

Distribution

The email sent by the worm looks like this:

Subject:
Re:baby!your friend send this file to you !
HELP??-
Re:Get Password mail...
There're some Passwords here
Re:Binladen_Sexy.jpg
The Sexy story and 4 sexy picture of BINLADEN !
Re:I Love You...OKE!
A Greeting-card for you .
Re:Kiss you..^@^
Guide to f*ck ...
Re:Baby! 2000USD,Win this game...
Help

Body:
Read this file
Help...
Enjoy
Read File at
run File Attach to extract:BinladenSexy.jpg...
Enjoy! BINLADEN:SEXY..
Souvenir for you from file attach...
See the Greeting-card .
Read file attach
I like Sexy with you.
Play the game from file attach
Help.

From:
'lovelorn@yahoo.com'
'love_lorn@yahoo.com'
'thuyquyen@yahoo.com'

The attachment is sent in BASE64 format or as an HTML file.

Technical Details

Lovelorn searches drives C:, D: and E:. It tries to collect email addresses from files with the following strings in their names:
'.EML'
'*ITEM*.DBX'
'*BOX*.DBX'

It creates the following files in the System directory:
Setup.htm, which creates the viral file, %Temp%\Temp.exe, when executed.
Bsbk.dll, which is a MIME64-encoded copy of Setup.htm.
Netsn.dll, which is a MIME64-encoded copy of the dropped %System%\Explorer.exe.

It copies itself as:
Explorer.exe
Kernel32.exe
Netdll.dll
Serscg.dll

The worm makes the registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "explorer"="%System%\explorer.exe"
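
A host check built from the artifacts listed above, as an added example that is not Avira's code: it flags the listed file names when they sit in the System directory and the "explorer" Run value pointing at %System%\explorer.exe. The inventory format, function names and sample paths are assumptions, as is the location of the Kernel32.exe, Netdll.dll and Serscg.dll copies, which the description does not state.

```python
import ntpath

# File names the description lists as created or copied by the worm.
# Assumption: all of them are looked for in the System directory.
DROPPED_NAMES = {"setup.htm", "bsbk.dll", "netsn.dll", "explorer.exe",
                 "kernel32.exe", "netdll.dll", "serscg.dll"}
RUN_VALUE = "explorer"        # value name under HKCU\...\CurrentVersion\Run
RUN_TARGET = "explorer.exe"   # located in %System% per the description


def _canon(path, system_dir):
    """Unquote, lower-case, expand %System% and normalise a Windows path."""
    p = path.strip().strip('"').lower().replace("%system%", system_dir.lower())
    return ntpath.normpath(p)


def check_host(system_dir, file_paths, hkcu_run):
    """Return (kind, path) findings for one host inventory.

    system_dir: the host's System directory
    file_paths: iterable of full file paths seen on the host
    hkcu_run:   dict of value name -> data read from the HKCU Run key
    """
    sysdir = ntpath.normpath(system_dir.lower())
    findings = []
    for path in file_paths:
        p = _canon(path, system_dir)
        # Only a listed name located directly in the System directory counts.
        if ntpath.dirname(p) == sysdir and ntpath.basename(p) in DROPPED_NAMES:
            findings.append(("file", p))
    for name, data in hkcu_run.items():
        target = _canon(data, system_dir)
        if name.lower() == RUN_VALUE and target == ntpath.join(sysdir, RUN_TARGET):
            findings.append(("run", target))
    return findings


# Constructed sample inventory (not taken from a real host).
SYSTEM = r"C:\WINDOWS\system32"
FILES = [r"C:\WINDOWS\explorer.exe",           # normal shell location, ignored
         r"C:\WINDOWS\system32\Explorer.exe",  # copy in the System directory
         r"C:\WINDOWS\system32\kernel32.dll",  # .dll, not the listed .exe name
         r"C:\WINDOWS\system32\Bsbk.dll"]
RUN = {"explorer": r'"%System%\explorer.exe"',
       "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for kind, value in check_host(SYSTEM, FILES, RUN):
        print(kind, value)
```

Matching on directory as well as name keeps the Windows directory's own explorer.exe and the genuine kernel32.dll out of the findings.
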
Description inserted by Crony Walker on Tuesday, June 15, 2004
