Win32/ILoveBritney [Threat Name]

Short description

Win32/ILoveBritney is an overwriting file infector.

Installation

The virus does not create any copies of itself.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­WindowsNT\­CurrentVersion\­RunServices]
    • "ILoveBritney" = "%malwarefilepath%"

This causes the virus to be executed on every system start.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Start Page" = "http://www.britney-spears%removed%/site.html"

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­\­Britney\­Install]
Executable file infection

Win32/ILoveBritney is an overwriting file infector.


The virus searches for files with the following file extensions:

  • *.exe

Only following folders are searched:

  • %windir%

When the virus finds a file matching the search criteria, it overwrites its content.


The virus writes the program code of the malware into the file.


It avoids files with the following filenames:

  • emm386.exe
  • setver.exe
Spreading

Win32/ILoveBritney is a virus that spreads via e-mail.


The virus gathers e-mail addresses for further spreading by searching in the Windows Address Book (WAB).


Subject of the message is one of the following:

  • New Britney Screen Saver

The sender address is one of the following:

  • %useremailaddress%

Body of the message is one of the following:

  • Hi %recipientemailaddress%
  • I Send you this mail to give you a new screen saver about Britney Spears.
  • I hope your enjoy to have it.
  • See you soon...

The attachment is an executable file of the virus.


The name of the attached file is following:

  • %originalmalwarefilename%
Other information

The virus moves the following files (source, destination):

  • %windir%\­ssstars.scr, %windir%\­britney.scr

The virus may delete the following files:

  • c:\­*.*

If the current system date and time matches certain conditions, the virus displays the following message:

  • It's Britney Birthday!!!!!
  • You musn't work today...

The following files are deleted:

  • c:\­autoexec.bat
  • c:\­config.sys
  • c:\­io.sys
  • c:\­msdos.sys

The virus may display the following messages:

  • Britney Spears is very beautifulgirl!!!
  • If youdon't think that, you think it now, Ha Ha Ha Ha!!!!!
  • You can't use your PC, now!!!
  • It's time to stop your computer....

If the current system date and time matches certain conditions, the virus displays the following message:

  • You can't use your PC, now!!!
  • It's time to stop your computer...

The virus may change the window title of specific running applications to the following text:

  • Win32.ILoveBritney par ZeMacroKiller98

The virus may turn off the computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.