Bugtraq mailing list archives

"ILOVEYOU" virus analysis


From: telomere () INCONNECT COM (Steve Wolfe)
Date: Thu, 4 May 2000 11:55:14 -0600


  A brief analysis of the "iloveyou" virus that's now hitting quite a few
people....

------------------------------------------------------------
Disclaimer:  This is information provided in good-faith, with the intent to
assist those afflicted by the virus.  I am not responsible for any
consequence of reading or using this information.
------------------------------------------------------------

  "iloveyou" is a virus/trojan that is spreading very prolifically, and
creating a headache for many IT employees.  It is written in VBScript, and
proliferates itself via email.

Introduction.  The virus proliferates itself via email, sending letters
with the subject "ILOVEYOU", and in the body, "kindly check the attached
LOVELETTER coming from me."

     Attached is a VBScript file called "I-LOVE-YOU.TXT.vbs".  The
capitalization is apparently an attempt to fool users who are not looking
carefully: upon seeing the ".TXT", they think the file is a (safe) text file,
and run it.

  Once executed, the script does the following:

1.  If the key "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout"
is set to a positive number in the registry, it is set to zero.  If it is not
present, it is not affected.

2.  The VBScript then saves a copy of itself to:

     (a).  \%%WINDIR%%\Win32DLL.vbs
     (b).  \%%SYSDIR%%\MSKernel32.vbs
     (c).  \%%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs

3.  Sets the appropriate registry entries to start it on boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)

4.  Changes the MSIE home page to a presumably malicious URL.  If the file
"WinFAT32.exe" exists, then it sets the startup page (contained in the
registry setting HKCU\Software\Microsoft\Internet Explorer\Main\Start Page)
to one of the following URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

  I haven't looked at those executables, but presumably, they are also of
malicious intent.  The sites above were not reachable; I assume that the
onslaught has brought their web servers to their knees, or the
administrators have simply shut them down/blocked traffic.

5.  If the "WIN-BUGSFIX.exe" file exists, it then sets it to run at boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe

and also sets the MSIE startup page to about:blank (a blank page).

6.  It then prints out HTML, containing these messages:

This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX

7.  The ActiveX then sets the registry entries to make it run at boot, as
in step #3, and writes the files as in step 2.

8.  The virus spreads itself.  It opens up a MAPI connection to your
Outlook address list, and sends a copy of itself to each of the entries.

9.  Enumerates disk drives and infects files.

   In infecting the files, it searches each of the drives found, and does
the following:

   (A)  Any file with the extensions .vbs, .vbe, .js, .jse, .css, .wsh,
.sct, .hta, .jpg, or .jpeg is replaced with a copy of the virus.  Then, it
appears that a copy of the virus is also written to the name of the file
with ".vbs" attached - for example, "logo.jpg" would be replaced with the
virus, and a file called "logo.jpg.vbs" would be created as well.

   (B)  If any file with the extensions .mp2 or .mp3 is encountered, it
will mark that file as hidden, then it will create a copy of itself with
that name with the .vbs extension - for example, "macarena.mp3" would be
hidden, and a copy of the virus written to "macarena.mp3.vbs".

   (C)  If mirc32.exe, mirc.ini, script.ini, mirc.hlp or mlink32.exe is
encountered, it will write to the script.ini in that directory, and modify
it so that anyone joining a channel will be automatically sent a copy of
LOVE-LETTER-FOR-YOU.htm, containing the virus.

**NOTE**  Although the code tries to replace .jpg files and .jpeg files as
well, on the infected system I looked at, they did not appear to have been
replaced, judging by content, modification date, and size.  I can't see
anything in the code that would make it break, so I have no clue why they
were not affected.

---------------------
Removal

   Removing the virus is easy enough, but as another author said ("The
Pope"), it is painful, and if you have useful VBScript, WSH or other files
of similar nature (listed below), you may have already lost very valuable
data.  The steps are:

1.  Remove the registry entries

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
remove *all* instances of the following files:

LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta

  Find hidden files of .mp2 and .mp3 extensions, and remove the "hidden"
bit.

  It is also a good idea to clear the "documents" folder.

  Now, for .jpg and .jpeg files... technically, they should be removed.
However, since JPGs are not executable, I do not see how they could affect
anything, but then again, I'm not all-knowing.  Also, they did not appear
to have been infected on the machine I looked at, but that doesn't mean
that they won't be infected on your machine.  The safest bet is to remove
them as well.
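As an added defender-side example (not code from the post, and not the worm's code), the following Python checker applies the file-naming pattern from step 9 and the removal checklist above to a directory listing: it flags the dropped files, the ".vbs" twins written beside originals, hidden .mp2/.mp3 files, and a script.ini sitting next to mIRC, plus the Run/RunServices value names the post lists.  The listing and Run-key dictionary it is fed are constructed samples, and the finding names are my own.

```python
import os
from collections import defaultdict

# Extensions the post says are overwritten + given a ".vbs" twin (9A), vs. only hidden (9B).
OVERWRITTEN_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh",
                    ".sct", ".hta", ".jpg", ".jpeg"}
SHADOWED_EXTS = {".mp2", ".mp3"}
# Files dropped in steps 2/9C, autorun value names from steps 3/5, mIRC trigger files (9C).
DROPPED_NAMES = {"win32dll.vbs", "mskernel32.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
AUTORUN_NAMES = {"mskernel32", "win32dll", "win-bugsfix"}
MIRC_FILES = {"mirc32.exe", "mirc.ini", "mirc.hlp", "mlink32.exe"}

def classify_files(entries):
    """entries: (path, is_hidden) pairs; returns {finding: [paths]}."""
    entries = list(entries)
    hidden = {p.lower(): h for p, h in entries}
    mirc_dirs = {os.path.dirname(p.lower()) for p, _ in entries
                 if os.path.basename(p.lower()) in MIRC_FILES}
    findings = defaultdict(list)
    for path, is_hidden in entries:
        lower = path.lower()
        base = os.path.basename(lower)
        stem, ext = os.path.splitext(lower)
        inner = os.path.splitext(stem)[1]          # "logo.jpg.vbs" -> ".jpg"
        if base in DROPPED_NAMES:
            findings["dropped_file"].append(path)
        elif (ext == ".vbs" and stem in hidden
              and inner in OVERWRITTEN_EXTS | SHADOWED_EXTS):
            findings["companion_vbs"].append(path)   # original still beside it
        elif ext in SHADOWED_EXTS and is_hidden:
            findings["hidden_media"].append(path)    # clear the hidden bit
        elif base == "script.ini" and os.path.dirname(lower) in mirc_dirs:
            findings["mirc_script_to_review"].append(path)
    return dict(findings)

def suspicious_autorun(run_values):
    """run_values: {value_name: command} read from the Run/RunServices keys."""
    return sorted(n for n in run_values if n.lower() in AUTORUN_NAMES)

# Constructed sample listing (not from a real host); forward slashes so it runs on any OS.
SAMPLE_ENTRIES = [("C:/WIN/Win32DLL.vbs", False), ("C:/WIN/SYS/MSKernel32.vbs", False),
                  ("C:/pics/logo.jpg", False), ("C:/pics/logo.jpg.vbs", False),
                  ("C:/music/macarena.mp3", True), ("C:/music/macarena.mp3.vbs", False),
                  ("C:/mirc/mirc32.exe", False), ("C:/mirc/script.ini", False),
                  ("C:/docs/notes.txt", False)]
SAMPLE_RUN = {"MSKernel32": "C:/WIN/SYS/MSKernel32.vbs", "SystemTray": "SysTray.Exe"}
```

On a live host you would feed classify_files() the output of os.walk() together with each file's hidden attribute, and suspicious_autorun() the values read from the two Run keys named in step 3.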

----------------------------
Prevention:

  Delete the email if you receive it and are using one of the MS Outlook
programs; do not open it if you receive it via IRC.

----------------------------
Overall comments

  This virus doesn't really represent any new technology or technique, just
a mix of some commonly-known methods.  The single semi-unique aspect is
using VBScript.  By using unique capitalization of files
(LOVE-LETTER-FOR-YOU.TXT.vbs), it is possible to make many people think
that it's just a regular text file.

  As to the origin of the virus, a comment section in the code claims
creation by "spyder", giving an email address, what appears to be a
company, and "Manila,Philippines".  Whether the author would actually put a
real email address and location is questionable.

steve

