Aliases: W32/Lovelorn@MM [McAfee], WORM_LOVELORN.A [Trend], Win32.Lovelorn.A [CA], I-Worm.Lovelorn [KAV], W32/Cailont-A [Sophos], W32.Nolor@mm
The worm is sent by email, using its own SMTP engine.
The email sent by the worm looks like this:
Re:baby!your friend send this file to you !
Re:Get Password mail...
There're some Passwords here
The Sexy story and 4 sexy picture of BINLADEN !
Re:I Love You...OKE!
A Greeting-card for you .
Guide to f*ck ...
Re:Baby! 2000USD,Win this game...
Read this file
Read File at
run File Attach to extract:BinladenSexy.jpg...
Souvenir for you from file attach...
See the Greeting-card .
Read file attach
I like Sexy with you.
Play the game from file attach
The attachment is sent in BASE64 format or as an HTML file.
Lovelorn searches drives C:, D: and E:. It tries to collect email addresses from files with the following strings in their names:
It creates the following files in the System directory:
Setup.htm, which creates the viral file, %Temp%\Temp.exe, when executed.
Bsbk.dll, which is a MIME64-encoded copy of Setup.htm.
Netsn.dll, which is a MIME64-encoded copy of the dropped %System%\Explorer.exe.
It copies itself in:
The worm adds the following value to the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "explorer"="%System%\explorer.exe"
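A read-only host check for the artifacts listed above, as an added example that is not part of the original description or of any vendor tooling. It assumes `%System%` means the Windows System directory and that it is run from a 64-bit PowerShell session on 64-bit Windows; every hit is a lead to review, not a verdict.

```powershell
# Added example: looks for the Run value and dropped files named in this
# description. It only reads the registry and file system; it changes nothing.
$sysDir   = [Environment]::SystemDirectory   # what the description calls %System%
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Run value "explorer" that points at explorer.exe inside the System directory.
#    (On a standard installation the shell binary sits in the Windows directory.)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'explorer')) {
    $target   = [Environment]::ExpandEnvironmentVariables([string]$run.explorer).Trim('"')
    $expected = Join-Path $sysDir 'explorer.exe'
    if ($target -ieq $expected) {
        $findings += "Run value 'explorer' matches the description: $target"
    } else {
        $findings += "Run value 'explorer' present with a different target: $target"
    }
}

# 2. Files the description places in the System directory.
foreach ($name in 'Setup.htm', 'Bsbk.dll', 'Netsn.dll', 'explorer.exe') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "File present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 3. The file that Setup.htm creates in the Temp directory (%Temp%\Temp.exe).
$tempExe = Join-Path $env:TEMP 'Temp.exe'
if (Test-Path -LiteralPath $tempExe -PathType Leaf) {
    $findings += "File present: $tempExe"
}

if ($findings.Count -gt 0) {
    $findings
} else {
    'No artifacts from this description were found for the current user.'
}
```

The Run key and `%Temp%` are per user, so the check has to be run in the context of each account being examined.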
Description inserted by Crony Walker on Tuesday, June 15, 2004