Vulnerability Development mailing list archives
Info on the I LOVE YOU worm
From: jhill () CRICKLADE AC UK (Mr Jason C Hill)
Date: Thu, 4 May 2000 15:39:25 +0100
Here's some info that I received on the worm.. live and learn! Have phun!

Jason Hill <JASON.HILL () BIOSYS NET>

Subject: Virus Warning: Update
Date: Thu, 4 May 2000 13:35:24 +0100
From: "Computer Manuals' General List" <general-list () compman co uk>
Reply-To: info () compman co uk
To: general-list () compman co uk

We've received a flood of requests for more information, so here's our up-to-date analysis:

UPDATE: Loveletter VBS virus

The virus is sent as an attachment to messages with the subject "ILOVEYOU" or "CHECK THIS". We have only received the "ILOVEYOU" version of the virus, so the information here may not be the same for the "CHECK THIS" version. The description here has been made from our own analysis of the virus source code, and may not be the same as any information distributed by anti-virus vendors - at the present time we have not received information from any anti-virus vendor about this virus, which is why we are making this information available to warn our list subscribers.

This virus is capable of infecting anyone with Windows that has the Windows Scripting Host or Scripting Runtimes installed. This means that all versions of Windows with Internet Explorer 4 or higher installed could be susceptible.

All Windows directories listed below assume Windows 95/98 installed in c:\windows. If you have Windows installed in a different directory you will need to change the paths used; e.g. if Windows is installed on d: replace c:\windows\ with d:\windows\, and if WinNT is used then replace c:\windows with c:\winnt and c:\windows\system with c:\winnt\system32.

The virus is an attachment, and does not run automatically within Outlook (or other VBS-enabled mail clients). The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, so on any machines that have extensions hidden (the default setting for Windows) it will appear to just be a text file, although the icon will not be the normal Notepad one.

If you run the attachment the following steps are taken:

1. The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout is checked to see if it is higher than 1, and if so is set to 0 to prevent the script from timing out while running.

2. The contents of the virus are written to the files c:\windows\system\mskernel32.vbs, c:\windows\win32dll.vbs, and c:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

3. The following registry entries are created:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
   with the values set to the relevant files. This causes the mskernel32.vbs and win32dll.vbs files to be run every time Windows is started, and so runs the virus again.

4. The value of the registry entry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory is read to determine the default location of downloaded files for Internet Explorer. If this is blank or does not exist then the virus uses C: for all file handling.

5. If the file c:\windows\system\winfat32.exe exists then the Internet Explorer start page registry entry (HKCU\Software\Microsoft\Internet Explorer\Main\Start Page) is set to one of the following URLs:
   http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
   http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
   http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
   http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
   The next time Internet Explorer is started or the home button is pressed it will try to download the win-bugsfix.exe file from the location set - we do not know what this exe file does as we have not been infected by the virus.

6. If the win-bugsfix.exe file exists in the IE download directory or c: (depending on step 4) then the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX is created to cause the win-bugsfix.exe file to be run every time Windows is started, and the Internet Explorer start page is set to about:blank.

7. The virus creates an HTML version of itself that can be run within an email message in a similar way to other VBS viruses. This file is written to c:\windows\system\LOVE-LETTER-FOR-YOU.HTM, which is used later in the IRC replication.

8. The virus then checks to see if you are using the Windows Address Book. This is used by Outlook to hold the contact list, but can also be used by itself. If there are any addresses in the WAB then each address is sent a copy of the virus as a message with the subject "ILOVEYOU"; this is done using MAPI, which is used by Outlook and Outlook Express, but may also be used by other mail clients. Each contact is only mailed once; the virus keeps track of which contacts have been mailed by adding registry entries to HKEY_CURRENT_USER\Software\Microsoft\WAB\ for each address.

9. The virus then checks all local and network mapped drives for files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2, and writes itself into them. It then renames these files to add the extension vbs to those that are not already vbs or vbe files. In addition mp2 and mp3 files are hidden. While looking for these files the virus also looks for mirc32.exe, mlink32.exe, mirc.ini, script.ini, or mirc.hlp, and if it finds any of these it will create a script.ini file in the same directory which causes mIRC to send a copy of the HTML version of the virus using DCC to everyone else in the channel.

Please note that this description has been put together from our own analysis of the ILOVEYOU version of the virus. This has been dubbed VBS/LoveLetter.A by Symantec, but no formal virus description has yet been released. The use of the winfat32.exe and win-bugsfix.exe files is not known.

Computer Manuals Ltd.
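As an added example (not part of Jason Hill's post or the Computer Manuals analysis), a small Python triage helper that looks on a share or mounted drive image for the artefacts the write-up describes (dropped script copies, files renamed to *.ext.vbs, a script.ini beside mIRC files) and checks an exported set of registry values for the autorun entries and the WSH timeout change. The {(key, value name): data} registry mapping, the sample directory tree and the sample values are constructed for the demo.

```python
import os, tempfile

# Extensions the write-up says the worm overwrites and renames to *.vbs (step 9).
TARGET_EXTS = {"js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3", "mp2"}
# Names the worm writes copies of itself to (directory differs per Windows version).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# mIRC files whose presence makes the worm drop a script.ini DCC spreader beside them.
MIRC = {"mirc32.exe", "mlink32.exe", "mirc.ini", "mirc.hlp"}
# Autorun values (steps 3 and 6) and the WSH timeout value (step 1) the write-up lists.
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\"
PERSISTENCE = {(RUN + "Run", "MSKernel32"), (RUN + "RunServices", "Win32DLL"), (RUN + "Run", "WIN-BUGSFIX")}
WSH_TIMEOUT = ("HKCU\\Software\\Microsoft\\Windows Scripting Host\\Settings", "Timeout")

def suspicious_name(name):
    """Return why a file name matches an indicator from the write-up, or None."""
    low = name.lower()
    if low in DROPPED:
        return "dropped worm copy"
    parts = low.split(".")
    # photo.jpg.vbs: original extension kept, ".vbs" appended by the worm
    if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in TARGET_EXTS:
        return "overwritten file renamed to .vbs"
    return None

def scan_tree(root):
    """Walk a local or mapped drive; return sorted (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if "script.ini" in names and names & MIRC:
            findings.append((os.path.join(dirpath, "script.ini"), "script.ini beside mIRC files"))
        findings += [(os.path.join(dirpath, f), suspicious_name(f)) for f in files if suspicious_name(f)]
    return sorted(findings)

def check_registry(values):
    """values: {(key, valuename): data} parsed from a .reg export (assumed shape); return tampered entries."""
    hits = sorted(kv for kv in values if kv in PERSISTENCE)
    if values.get(WSH_TIMEOUT) == 0:  # timeout disabled so the script never aborts
        hits.append(WSH_TIMEOUT)
    return hits

def build_sample_tree():
    """Constructed sample share (not a real infection) to exercise the scanner."""
    root = tempfile.mkdtemp()
    for rel in ["docs/report.css.vbs", "pics/holiday.jpg", "pics/holiday.jpg.vbs",
                "irc/mirc32.exe", "irc/script.ini", "win/system/mskernel32.vbs"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Hidden mp2/mp3 originals are not checked here because the hidden attribute is Windows-specific; on a live host, list them with `dir /ah` alongside the scan.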