New Zealand ADSL Mailing List


RE: FTP Woes and "I love You"

From: Kevin Hardie <kevin_at_bwpl.co.nz>
Date: Fri, 5 May 2000 11:08:29 +1200
Message-ID: <000001bfb61d$a90be8a0$0501a8c0@eng4>

even worse, overwrites VBS etc and grabs passwords and emails them as well
...

Courtesy McAfee

http://vil.nai.com/villib/dispvirus.asp?virus_k=98617

Profile

Virus Name
VBS/Loveletter

Aliases
I-Worm.Loveletter, IRC/Loveletter, Loveletter, Troj/LoveLet-A,
VBS.Loveletter.a

Variants

None

Date Added
5/4/00

Virus Information

Discovery Date: 5/4/00

Origin: Phillipines

Type: Virus

SubType: VbScript

Risk Assessment: High-Outbreak

Minimum Dat: 4077

Minimum Engine: 4.0.35

Virus Characteristics
This is a VBScript worm with virus qualities. This worm will arrive in an
email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows Scripting
Host program. This is not normally present on Windows 9x or Windows NT
unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places
:

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files:

*.JPG
*.JPEG
*.MP3
*.MP2

with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.

The worm also overwrites the following files:

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm
and this is then sent to the IRC channels if the mIRC client is installed.
This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of itself
to all entries in the address book. The mails will be of the same format as
the original mail.

This worm also has another trick up it's sleeve in that it tries to download
and install an executable file called WIN-BUGSFIX.EXE from the Internet.
This exe file is a password stealing program that will email any cached
passwords to the mail address MAILME@SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the password
stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------
From: goat1@192.168.0.2To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.
trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry
key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password stealing
trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the
registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE

Symptoms
VirusScan 4.0.3+
<http://a868.g.akamai.net/7/868/903/dee251ac78af9b/download.mcafee.com/produ
cts/datfiles/extra/love-4.zip>
Toolkit 8
<http://a868.g.akamai.net/7/868/903/be1f1c3cc44347/download.mcafee.com/produ
cts/datfiles/extra/love-8.zip>

Method Of Infection
VirusScan 4.0.3+
<http://a868.g.akamai.net/7/868/903/dee251ac78af9b/download.mcafee.com/produ
cts/datfiles/extra/love-4.zip>
Toolkit 8
<http://a868.g.akamai.net/7/868/903/be1f1c3cc44347/download.mcafee.com/produ
cts/datfiles/extra/love-8.zip>

Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

Note- It is very common for macro viruses to disable options within Office
applications for example in Word, the macro protection warning commonly is
disabled. After cleaning macro viruses, ensure that your previously set
options are again enabled.

PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS
mode or use an emergency boot diskette and use the command line scanner such
as "SCANPM C: /CLEAN /ALL"

DAT not yet available: In the event you have this virus, trojan or Internet
worm on your system(s) and the specified DAT is not yet available, refer to
the documentation posted for submitting a sample to McAfee AVERT for
resolution.

To unsubscribe: send mail to majordomo@freebsddiary.cx
with "unsubscribe adsl" in the body of the message
Received on Fri May 5 10:06:58 2000


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:04 2006 EST