Vulnerability Development mailing list archives

Info on the I LOVE YOU worm


From: jhill () CRICKLADE AC UK (Mr Jason C Hill)
Date: Thu, 4 May 2000 15:39:25 +0100


Here's some info that I received on the worm.. live and learn!

Have phun!
Jason Hill <JASON.HILL () BIOSYS NET>

Subject: Virus Warning: Update
Date: Thu, 4 May 2000 13:35:24 +0100
From: "Computer Manuals' General List" <general-list () compman co uk>
Reply-To: info () compman co uk
To: general-list () compman co uk

We've received a flood of requests for more information, so here's
our up-to-date analysis:

UPDATE: Loveletter VBS virus

The virus is sent as an attachment to messages with the subject
"ILOVEYOU" or "CHECK THIS". We have only received the "ILOVEYOU"
version of the virus so the information here may not be the same for the
"CHECK THIS" version. The description here has been made from our own
analysis of the virus source code, and may not be the same as any
information distributed by anti-virus vendors - at the present time we
have not received information from any anti-virus vendor about this virus,
which is why we are making this information available to warn our list
subscribers.

This virus is capable of infecting anyone with Windows that has the
Windows Scripting Host or Scripting Runtimes installed. This means that
all versions of Windows with Internet Explorer 4 or higher installed
could be susceptible.

All Windows directories listed below assume Windows 95/98 installed in
c:\windows. If you have Windows installed in a different directory you
will need to change the paths used; e.g. if Windows is installed on d:
replace c:\windows\ with d:\windows\, if WinNT is used then replace
c:\windows with c:\winnt and c:\windows\system with c:\winnt\system32.

The virus is an attachment, and does not run automatically within
Outlook (or other VBS enabled mail clients). The attachment is called
LOVE-LETTER-FOR-YOU.TXT.vbs, so on any machines that have the extensions
hidden (default setting for Windows) it will appear to just be a text
file, although the icon will not be the normal Notepad one. If you run
the attachment the following steps are taken:

1. The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows
Scripting Host\Settings\Timeout is checked to see if it is higher than
1, and if so is set to 0 to prevent the script from timing out while
running.

2. The contents of the virus are written to the files
c:\windows\system\mskernel32.vbs, c:\windows\win32dll.vbs, and
c:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

3. The following registry entries are created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

with the values set to the relevant files. This causes the
mskernel32.vbs and win32dll.vbs files to be run every time Windows is
started and so running the virus again.

4. The value of the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
Directory is read to determine the default location of downloaded files
for Internet Explorer. If this is blank or does not exist then the virus
uses C: for all file handling.

5. If the file c:\windows\system\winfat32.exe exists then the Internet
Explorer start page registry entry (HKCU\Software\Microsoft\Internet
Explorer\Main\Start Page) is set to one of the following URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

The next time Internet Explorer is started or the home button is pressed
it will try to download the win-bugsfix.exe file from the location set -
we do not know what this exe file does as we have not been infected by
the virus.

6. If the win-bugsfix.exe file exists in the IE download directory or c:
(depending on step 4) then the registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WIN-BUGSFIX is created to cause the win-bugsfix.exe file to be run every
time Windows is started, and the Internet Explorer start page is set to
about:blank.

7. The virus creates an HTML version of itself that can be run within an
email message in a similar way to other VBS viruses. This file is written
to c:\windows\system\LOVE-LETTER-FOR-YOU.HTM, which is used later in
the IRC replication.

8. The virus then checks to see if you are using the Windows Address
Book. This is used by Outlook to hold the contact list, but can also be
used by itself. If there are any addresses in the WAB then each address
is sent a copy of the virus as a message with the subject "ILOVEYOU";
this is done using MAPI, which is used by Outlook and Outlook Express,
but may also be used by other mail clients. Each contact is only mailed
once; the virus keeps track of which contacts have been mailed by adding
registry entries to HKEY_CURRENT_USER\Software\Microsoft\WAB\ for each
address.

9. The virus then checks all local and network mapped drives for files
with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta,
jpg, jpeg, mp3, mp2 and writes itself into them. It then renames these
files to add the extension vbs to those that are not already vbs or vbe
files. In addition mp2 and mp3 files are hidden. While looking for these
files the virus also looks for mirc32.exe, mlink32.exe, mirc.ini,
script.ini, or mirc.hlp, and if it finds any of these it will create a
script.ini file in the same directory which causes mIRC to send a copy
of the HTML version of the virus using DCC to everyone else in the
channel.

Please note that this description has been put together from our own
analysis of the ILOVEYOU version of the virus. This has been dubbed
VBS/LoveLetter.A by Symantec, but no formal virus description has yet
been released. The use of the winfat32.exe and win-bugsfix.exe files is
not known.

Computer Manuals Ltd.

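As an added defender-side example (not part of the original post or of Computer Manuals' analysis), a Python triage helper that checks a file listing and a flattened registry export for the host artefacts named in steps 1 to 9 above. It assumes the export is a dict of "hive\key\value name" to data, and that the per-address WAB entries carry the address in the value name.

```python
import re

# Host artefacts named in the analysis above; paths assume Windows 95/98 in c:\windows.
DROPPED_FILES = {
    r"c:\windows\system\mskernel32.vbs",
    r"c:\windows\win32dll.vbs",
    r"c:\windows\system\love-letter-for-you.txt.vbs",
    r"c:\windows\system\love-letter-for-you.htm",
}
PERSISTENCE_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\run\mskernel32",
    r"hklm\software\microsoft\windows\currentversion\runservices\win32dll",
    r"hklm\software\microsoft\windows\currentversion\run\win-bugsfix",
}
# Overwritten files gain a second extension; .vbs/.vbe files are overwritten
# in place, so a name-based check cannot tell those apart from clean scripts.
DOUBLE_EXT = re.compile(r"\.(js|jse|css|wsh|sct|hta|jpg|jpeg|mp3|mp2)\.vbs$")

def triage(files, registry):
    """Return findings for file paths and a flattened registry export
    (dict of 'hive\\key\\value name' -> data); matching is case-insensitive."""
    findings = []
    for path in files:
        low = path.lower()
        if low in DROPPED_FILES:
            findings.append(f"dropped worm file: {path}")
        elif DOUBLE_EXT.search(low):
            findings.append(f"overwritten and renamed file: {path}")
        elif low.endswith("\\script.ini"):
            findings.append(f"script.ini present, review for DCC send lines: {path}")
    for name, data in registry.items():
        n = name.lower()
        if n in PERSISTENCE_VALUES:
            findings.append(f"persistence entry: {name} = {data}")
        elif n.endswith("\\windows scripting host\\settings\\timeout") and data == "0":
            findings.append(f"WSH timeout disabled: {name}")
        elif n.endswith("\\internet explorer\\main\\start page") and "win-bugsfix.exe" in data.lower():
            findings.append(f"IE start page points at dropper URL: {data}")
        elif "\\software\\microsoft\\wab\\" in n and "@" in n:
            findings.append(f"mass-mail marker (assumed address in value name): {name}")
    return findings

if __name__ == "__main__":
    # Constructed sample data, not taken from a real infected host.
    files = [r"c:\windows\system\MSKernel32.vbs", r"c:\photos\holiday.jpg.vbs",
             r"c:\mirc\script.ini", r"c:\docs\notes.txt", r"c:\docs\readme.vbs"]
    reg = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32": files[0],
           r"HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout": "0"}
    print("\n".join(triage(files, reg)))
```

Files are matched by name only, so a script the worm overwrote without renaming (an existing .vbs or .vbe) still needs a content check.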