

VBS/Loveletter.as
Aliases
VBS/Plan, VBS_Colombia

 

This is a variant of the VBS/Loveletter family. It contains routines similar to those of other variants and includes a date-activated payload which attempts to disconnect all mapped drives from the local host on the network. One antivirus firm announced this as VBS/Plan in a press release.

This worm contains this string which is not displayed:

rem "Plan Colombia" virus v1.0
rem by Sand Ja9e Gr0w
rem Santa fe de Bogotá 2000/09
rem I dedicate to all you the song "GoodBye" of Andreas Bochelli

If this Internet worm is run either intentionally or accidentally, it will install to the local system and also perform actions against files.

This worm will copy itself to the local system in the following locations:
WINDOWS\reload.vbs
WINDOWS\SYSTEM\LINUX32.vbs
WINDOWS\SYSTEM\[RANDOM NAME]

In the above, the random name could have the following possible file extensions:
".GIF.vbs", ".BMP.vbs", ".JPG.vbs"

The filename itself is generated using a random pick alternating between any letter in the alphabet and the vowel character set A, E, I, O, U. For instance, a possible filename could be "bAlIr.BMP.vbs".

Next, this worm will modify the registry to load itself at Windows startup from these locations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ LINUX32 = WINDOWS\SYSTEM\LINUX32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ reload = WINDOWS\reload.vbs

After modifying the registry, it checks for the existence of the file "WINFAT32.EXE". If this file is found, it modifies settings for Internet Explorer to download three files from a web page. The three files are two .BMP files and one .TXT file; their names suggest .ZIP format, but they are not ZIP files.

The three files copied to the local system are:
macromedia32.zip
linux321.zip
linux322.zip

These are then copied from the Temporary Internet Files folder to the WINDOWS folder as:
important_note.txt
logow.sys
logos.sys

The logo files are bitmap replacements for Windows startup and shutdown screens. The .txt is displayed at Windows startup due to a registry modification made by this worm:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\plan colombia = WINDOWS\important_note.txt

After this, the worm writes a file as:
"US-PRESIDENT-AND-FBI-SECRETS.HTM" in the WINDOWS\SYSTEM folder. This .HTM file contains the worm code.

Next, the worm will run an email routine to distribute itself via MAPI email. The email is variable and could have any of four possible formats. The Subject line will either be static (below) or a random 6 letters, and the body will either be static (below) or a random 10 letters:

Subject =
"US PRESIDENT AND FBI SECRETS =PLEASE VISIT = >
(http://WWW.2600.COM)< "
Body =
"VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
Attachment = [RANDOM FILE NAME]

The random name is predetermined in an earlier process mentioned above.

After the email routine, this worm performs another action against the system and mapped drives. If this worm finds files of type ".VBS" or ".VBE", it will overwrite and replace them with its own code.

If this worm finds files of type ".js", ".jse", ".css", "wsh", "sct", "hta", ".jpg" or ".jpeg", it will first copy itself under that filename with the extension .VBS added, and then delete the original file.

If this worm finds files of type ".MP2" or ".MP3", it will set their attributes to hidden.

Finally, if the current day is September 7, this worm will display a message:
"Dedicated to my best brother=> Christiam Julian(C.J.G.S.)"
"Att. [random 5 letters] (M.H.M. TEAM)"

After this message is displayed and cleared, it will attempt to disconnect drives Z: through E: in reverse order.
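
The file names, replaced-file extensions and Run values listed above can be turned into a host triage check. The Python sketch below is an added example, not part of the original description or of any vendor tool; the function names, the sample inventory, and the case-insensitive, any-length reading of the random-name rule are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Fixed artifact names from the description (compared case-insensitively).
# logow.sys / logos.sys are omitted: the page describes them as replacements for
# the Windows startup/shutdown screens, so the names alone are not indicative.
FIXED_FILES = {"reload.vbs", "linux32.vbs", "important_note.txt",
               "us-president-and-fbi-secrets.htm"}
RUN_VALUES = {"linux32", "reload", "plan colombia"}
# Extensions whose files are replaced by "<original name>.VBS" copies of the worm.
REPLACED_EXTS = (".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg")
# Random name: any-letter / vowel alternation, then a fake image extension.
# Case-insensitivity and unbounded length are assumptions (the page gives one sample).
RANDOM_NAME = re.compile(r"(?:[a-z][aeiou])+[a-z]?\.(?:gif|bmp|jpg)\.vbs", re.I)

def classify_file(path):
    """Return a reason string if the path matches a described artifact, else None."""
    name = PureWindowsPath(path).name
    low = name.lower()
    if low in FIXED_FILES:
        return "fixed worm file name"
    if RANDOM_NAME.fullmatch(name):
        return "random-name dropper pattern"
    if low.endswith(".vbs") and low[:-4].endswith(REPLACED_EXTS):
        return "script copy replacing an original file"
    return None

def classify_run_value(value_name, data):
    """Check one Run/RunServices value (name, data) against the described entries."""
    if value_name.lower() in RUN_VALUES:
        return "Run value name used by the worm"
    return classify_file(data)

def triage(files, run_values):
    """Collect (item, reason) pairs for every file path and Run value that matches."""
    hits = [(f, r) for f in files if (r := classify_file(f))]
    hits += [(n, r) for n, d in run_values if (r := classify_run_value(n, d))]
    return hits

# Constructed sample inventory, not taken from a real host.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\bAlIr.BMP.vbs", r"C:\WINDOWS\reload.vbs",
                r"C:\My Documents\site\style.css.vbs", r"C:\WINDOWS\logow.sys",
                r"C:\WINDOWS\SYSTEM\US-PRESIDENT-AND-FBI-SECRETS.HTM",
                r"C:\scripts\backup.vbs"]
SAMPLE_RUN = [("plan colombia", r"C:\WINDOWS\important_note.txt"),
              ("SystemTray", "SysTray.Exe")]

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{item}: {reason}")
```

The random-name pattern is a heuristic: ordinary names that happen to alternate consonants and vowels will also match, so hits are leads for review rather than confirmed detections.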

Removal Instructions

Script, Batch, Macro and non-memory-resident:
Use specified engine and DAT files for detection and removal.

Note 1 - Microsoft has released an email attachment security update for Outlook. For a list of attachments blocked and a general FAQ, visit this link.
Additionally, network administrators can configure this update using an available tool - visit this link for more information.

Note 2 - It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette, and use the command-line scanner, such as "SCANPM C: /CLEAN/ALL".

 


 

http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001