You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Valentin.E

 
Threat LevelModerate threatDamageHighDistributionNot widespread

Effects 

Valentin.E carries out the following actions:

  • When it is run, it displays several messages with the text Ur My Best Friend on the screen, like the following:

  • Valentin.E is run every time a file with an EXE extensión is run.
  • It ends several processes if they are active in the affected computer.
    These processes belong to antivirus programs and firewalls, among others, and are the following:
    ANTIVIR
    ATRACK
    AVCONSOL
    AVP.EXE
    AVSYNMGR
    CFINET
    CFINET32
    F-PROT95
    FP-WIN
    F-STOPW
    IAMAPP
    IOMON98
    LOCKDOWN2000
    LUCOMSERV
    MCAFEE
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NORTON
    PCCIOMON
    PCCMAIN
    PCCWIN98
    POP3TRAP
    PVIEW95
    RESCUE32
    SAFEWEB
    SCAM32
    SIRC32
    SYMPROXYSVC
    VSHWIN32
    VSSTAT
    WEBSCANX
    WEBTRAP
    ZONEALARM
  • It gathers the following information about the affected computer:
    - all the file names and their location.
    - the names of the files, processes and events that are being run when the infection took place.
    Then, it sends this data to its creator, who can use this information to carry out more malicious actions.

Infection strategy 

Valentin.E creates the following files in the Windows directory:

  • %????%.EXE, which is a copy of itself.
    where %????% stands for 4 random characters.
  • %????????%.DLL. In this file it stores all the email addresses it finds in the affected computer.
    This file consists of 8 characters and its name is created by taking two times the 4 random characters of the copy of itself.
  • %????%.TXT, text file where the creator's signature is stored.
    The content of this file is the following:
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    w32.yAHa.D
    aUThor :H^H, h2h@ach    <blocked>ans.com
    oRigIN :inDia, kERala(gODS own cOUntrY)
    KANagaaa ,mANdi pEnnee nJan Ninne sNEhikkunnuu..
    oRu sITe kITTiyirunnegggil.. hACK CHEyyyamayirunnuuu..
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

Additionally, it creates two files DSK$$$.$$2 and REG$$$.$$2, where the information obtained from the computer is stored.

 

Valentin.E modifies the following entry from the Windows Registry:

  • HKEY_CLASSES_ROOT\ exefile\ shell\ open\ command
    (Default) = "%1"%*
    It changes this entry to:
    HKEY_CLASSES_ROOT\ exefile\ shell\ open\ command
    (Default) = %windir%\%????%"%1"%*
    where %windir% is the Windows directory.
    By modifying this entry, Valentin.E ensures that it is run whenever a file with an EXE extension is run.

Means of transmission 

Valentin.E spreads via email. In order to do so, it carries out the process below:

  • It reaches the computer in an email message with the following characteristics:

    Subject: it is related to friendship and love
    It can be one of the following:
    Are you looking for Love
    Best Friends
    Bullshit
    charming
    Check ur friends Circle
    Cool
    Dont wait for long time
    Easy Way to revel ur love
    Enjoy friendship
    Enjoy Romantic life
    excite
    Find a good friend
    for you
    Free Screen saver
    Friendship
    Friendship
    Friendship Screen saver
    Funny
    Great
    Hi
    how are you
    How sweet this Screen saver
    humour
    I am For u
    Idiot
    Interesting
    Interesting
    Joke
    Learn How To Love
    Let's Dance and forget pains
    Let's Laugh
    Life for enjoyment
    Looking for Friendship
    Love
    love speaks from the heart
    LoveGangs
    make ur friend happy
    Need a friend?
    New
    Nice
    Nothink to worryy
    One
    One Hackers Love
    One Way to Love
    Origin of Friendship
    powful
    relations
    Romantic
    Say 'I Like You' To ur friend
    Screensaver
    searching for true Love
    Send This to everybody u like
    Shake it baby
    Shake ur friends
    Shaking
    stuff
    The world of Friendship
    The world of lovers
    to check
    to enjoy
    to see
    to share
    to ur friends
    to ur lovers
    to watch
    True Love
    U r the person?
    U realy Want this
    Ur My Best Friend
    war Againest Loneliness
    Who is ur Best Friend
    Wonderfool
    Wowwwwwwwwwww check it
    you care ur friend
    Message:
    The message starts with any of the following texts:
    Text 1
    Hi dear
    check the attach
    see u
    Text 2
    Hi
    Check the Attachment ..
    See u
    Text 3
    Attached one Gift for u..
    Text 4
    wOW CHECK THIS
    Text 5
    Check the attachment
    Text 6
    See the attachement
    Text 7
    Enjoy the attachement
    Text 8
    More details attached
    and continues with the text below, in which a screensaver is attached and users are required to send it to their friends:
    This e-mail is never sent unsolicited. If you need to unsubscribe,
    follow the instructions at the bottom of the message.
    ***********************************************************
    Enjoy this friendship Screen Saver and Check ur friends circle...
    Send this screensaver from     <web address> to everyone you
    consider a FRIEND, even if it means sending it back to the person
    who sent it to you. If it comes back to you, then you'll know you
    have a circle of friends.
    * To remove yourself from this mailing list, point your browser to:
    <web address>
    * Enter your email address (<recipient address>) in the field provided
    and click "Unsubscribe".
    OR...
    * Reply to this message with the word "REMOVE" in the subject line.
    This message was sent to address     <recipient address>
    X-PMG-Recipient: <sender address>
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

    Attachment: the file name is variable and has a double extension.
    The file name can be any of the following:
    BIODATA
    BULLSHITSCR
    CHECKFRIENDS
    DAILYREPORT
    ENJOYLOVE
    FREESCREENSAVER
    FRIENDS
    FRIENDS
    FRIENDS4U
    FRIENDSCIRCLE
    FRIENDSCR
    FRIENDSEARCH
    FRIENDSGREETINGS
    FRIENDSHIP
    FRIENDSHIP4U
    FRIENDSHIPBIRD
    FRIENDSHIPFORU
    FRIENDSWORLD
    FUCKER
    GOLDFISH
    GREETINGS
    LOVE
    LOVE
    LOVE4U
    LOVEFINDER
    LOVEGREETINGS
    LOVELETTER
    LOVERS
    LOVERS
    LOVERSCREENSAVER
    LOVERSGANG
    LOVESCR
    LOVESHORE
    MOUNTAN
    PASSION
    PASSIONUP
    REPORT
    RESUME
    RISHTHA
    SCREENSAVER
    SCREENSAVER4U
    SCREENSAVER4U
    SCREENSAVERFORU
    SHAKEIT
    SHAKESCR
    SHAKINGFRIENDSHIP
    SHAKINGLOVE
    SHAREIT
    SHARELOVE
    TRUEFRIENDS
    TRUELOVERS
    URFRIEND
    WEEKLYREPORT
    WERFRIENDS
    First extension:
    BMP
    DAT
    DOC
    GIF
    HTM
    JPG
    MDB
    MP3
    MPG
    TXT
    WAV
    XLS
    ZIP
    Second extensión:
    BAT
    PIF
    SCR

    The following image is an example of the email message Valentin.E sends:

  • Valentin.E is automatically run when this message is opened through Outlook. This happens in systems with old Internet Explorer versions (previous to version 6). In other systems, #nombrevrius# will be run when the attached file is opened.
  • Valentin.E searches for email addresses in the Address book of different services, such as Outlook, Hotmail, Yahoo and IRC, among others.
  • Valentin.E sends itself out to the addresses it has gathered, using its own SMTP engine.
  • However, it does not send itself to those addresses that contains any of the following text strings: gov, mil.

Further Details  

Valentin.E is 27,336 bytes in size.