Bugtraq mailing list archives
"ILOVEYOU" virus analysis
From: telomere () INCONNECT COM (Steve Wolfe)
Date: Thu, 4 May 2000 11:55:14 -0600
A brief analysis of the "iloveyou" virus that's now hitting quite a few people....

------------------------------------------------------------
Disclaimer: This is information provided in good faith, with the intent to
assist those afflicted by the virus. I am not responsible for any consequence
of reading or using this information.
------------------------------------------------------------

"iloveyou" is a virus/trojan that is spreading very prolifically, and creating
a headache for many IT employees. It is written in VBScript, and proliferates
itself via email.

Introduction

The virus proliferates itself via email, sending letters with the subject
"ILOVEYOU", and in the body, "kindly check the attached LOVELETTER coming from
me." Attached is a VBScript file called "I-LOVE-YOU.TXT.vbs". The
capitalization is apparently an attempt to fool users if they are not looking
carefully: upon seeing the ".TXT", they think the file is a (safe) text file,
and run it.

Once executed, the script does the following:

1. If the key "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
   Host\Settings\Timeout" is set to a positive number in the registry, it is
   set to zero. If it is not present, it is not affected.

2. The VBScript then saves a copy of itself to:
   (a). \%%WINDIR%%\Win32DLL.vbs
   (b). \%%SYSDIR%%\MSKernel32.vbs
   (c). \%%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs

3. Sets the appropriate registry entries to start it on boot:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)

4. Changes the MSIE home page to a presumably malicious URL. If the file
   "WinFAT32.exe" exists, then it sets the startup page (contained in the
   registry setting HKCU\Software\Microsoft\Internet Explorer\Main\Start Page)
   to one of the following URLs:

   http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
   http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
   http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
   http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

   I haven't looked at those executables, but presumably, they are also of
   malicious intent. The sites above were not reachable; I assume that the
   onslaught has brought their web servers to their knees, or the
   administrators have simply shut them down/blocked traffic.

5. If the "WIN-BUGSFIX.exe" file exists, it then sets it to run at boot:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe
   and also sets the MSIE startup page to about:blank (a blank page).

6. It then prints out HTML, containing these messages:
   This HTML file need ActiveX Control To Enable to read this HTML file -
   Please press #-#YES#-# button to Enable ActiveX

7. The ActiveX then sets the registry entries to make it run at boot, as in
   step #3, and writes the files as in step 2.

8. The virus spreads itself. It opens up a MAPI connection to your Outlook
   address list, and sends a copy of itself to each of the entries.

9. Enumerates disk drives and infects files. In infecting the files, it
   searches each of the drives found, and does the following:

   (A) Any file with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct,
   .hta, .jpg, or .jpeg is replaced with a copy of the virus. Then, it appears
   that a copy of the virus is also written to the name of the file with
   ".vbs" attached - for example, "logo.jpg" would be replaced with the virus,
   and a file called "logo.jpg.vbs" would be created as well.

   (B) If any file with the extensions .mp2 or .mp3 is encountered, it will
   mark that file as hidden, then it will create a copy of itself with that
   name with the .vbs extension - for example, "macarena.mp3" would be hidden,
   and a copy of the virus written to "macarena.mp3.vbs".

   (C) If mirc32.exe, mirc.ini, script.ini, mirc.hlp or mlink32.exe is
   encountered, it will write to the script.ini in that directory, and modify
   it so that anyone joining a channel will be automatically sent a copy of
   LOVE-LETTER-FOR-YOU.htm, containing the virus.

**NOTE** Although the code tries to replace .jpg files and .jpeg files as
well, on the infected system I looked at, they did not appear to have been
replaced, by analyzing content, modification date, and size. I can't see
anything in the code that would make it break, so I have no clue why they were
not affected.

---------------------
Removal

Removing the virus is easy enough, but as another author said ("The Pope"),
it is painful, and if you have useful VBScript, WSH or other files of similar
nature (listed below), you may have already lost very valuable data.

The steps are:

1. Remove the registry entries:
   HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
   HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

Remove *all* instances of the following files:
   LOVE-LETTER-FOR-YOU.HTM
   *.vbs
   *.vbe
   *.js
   *.jse
   *.css
   *.wsh
   *.sct
   *.hta

Find hidden files of .mp2 and .mp3 extensions, and remove the "hidden" bit.

It is also a good idea to clear the "documents" folder.

Now, for .jpg and .jpeg files... technically, they should be removed.
However, since jpg's are not executable, I do not see how they could affect
anything, but then again, I'm not all-knowing. Also, they did not appear to
have been infected on the machine I looked at, but that doesn't mean that
they won't be infected on your machine. The safest bet is to remove them as
well.

----------------------------
Prevention:

Delete the email if you receive it and are using one of the MS Outlook
programs; do not open it if you receive it via IRC.

----------------------------
Overall comments

This virus doesn't really represent any new technology or technique, just a
mix of some commonly-known methods. The single semi-unique aspect is using
VBScript. By using unique capitalization of files
(LOVE-LETTER-FOR-YOU.TXT.vbs), it is possible to make many people think that
it's just a regular text file.

As to the origin of the virus, a comment section in the code claims creation
by "spyder", giving an email address, what appears to be a company, and
"Manila, Philippines". Whether the author would actually put a real email
address and location is questionable.

steve
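A defender's triage script for the on-disk indicators described in step 9 and in the Removal section, added here as an example; it is not part of the original post and not a vendor tool. It walks a directory tree and reports the dropped script names, the "name.ext.vbs" twins left beside replaced or hidden files, and mIRC script.ini files that reference LOVE-LETTER-FOR-YOU.HTM, and it checks an attachment name for the ".TXT.vbs" double-extension disguise. The sample directory layout it builds is constructed for the example; the decoy-extension list for the disguise check, the finding names and the helper names are the example's own assumptions. It only reads, so the removal steps above stay a manual decision, and it does not touch the registry keys listed under Removal.

```python
"""Triage scanner for the LOVE-LETTER on-disk artefacts (added example)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# File names the analysis says the script drops (compared case-insensitively).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe",
}
# Extensions the script overwrites outright, and those it hides instead.
REPLACED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
HIDDEN_EXTS = {".mp2", ".mp3"}
TWIN_SOURCE_EXTS = REPLACED_EXTS | HIDDEN_EXTS
# Extensions Windows Scripting Host executes (assumed list for the disguise check).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Harmless-looking extensions a name may carry before the real one (.txt is the
# case on the page; the rest are the twin files it describes). Assumed list.
DECOY_EXTS = {".txt"} | TWIN_SOURCE_EXTS


@dataclass(frozen=True, order=True)
class Finding:
    kind: str   # dropped_file | vbs_twin | twinned_original | hidden_media | mirc_script_ini
    path: str   # path relative to the scanned root, with forward slashes


def split_last_ext(name: str):
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def is_double_extension_disguise(name: str) -> bool:
    """True for names like I-LOVE-YOU.TXT.vbs: a script extension behind a decoy one."""
    stem, last = split_last_ext(name)
    if last not in SCRIPT_EXTS:
        return False
    return split_last_ext(stem)[1] in DECOY_EXTS


def is_hidden(path: str) -> bool:
    # Windows keeps the hidden bit in st_file_attributes; other platforms report False.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan(root: str) -> List[Finding]:
    """Read-only walk of `root`; returns sorted findings, never modifies anything."""
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        present = {f.lower() for f in filenames}          # names in this directory
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            parent = rel[: rel.rfind("/") + 1]            # "" or "dir/"
            low = fname.lower()
            stem, last = split_last_ext(fname)
            if low in DROPPED_NAMES:
                findings.add(Finding("dropped_file", rel))
            elif last == ".vbs" and split_last_ext(stem)[1] in TWIN_SOURCE_EXTS:
                # e.g. logo.jpg.vbs or macarena.mp3.vbs: the copy written beside the victim
                findings.add(Finding("vbs_twin", rel))
                if stem.lower() in present:
                    # victim still present: overwritten (.jpg etc.) or hidden (.mp2/.mp3)
                    findings.add(Finding("twinned_original", parent + stem))
            if last in HIDDEN_EXTS and is_hidden(full):
                findings.add(Finding("hidden_media", rel))
            if low == "script.ini":
                with open(full, "r", errors="replace") as fh:
                    if "love-letter-for-you.htm" in fh.read().lower():
                        findings.add(Finding("mirc_script_ini", rel))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed layout mimicking the artefacts in the analysis (sample data only)."""
    files = {
        "WINDOWS/Win32DLL.vbs": "' dropped copy (placeholder)",
        "WINDOWS/SYSTEM/MSKernel32.vbs": "' dropped copy (placeholder)",
        "WINDOWS/SYSTEM/LOVE-LETTER-FOR-YOU.TXT.vbs": "' dropped copy (placeholder)",
        "pics/logo.jpg": "' overwritten victim (placeholder)",
        "pics/logo.jpg.vbs": "' twin (placeholder)",
        "music/macarena.mp3": "ID3 constructed bytes",
        "music/macarena.mp3.vbs": "' twin (placeholder)",
        "mirc/mirc.ini": "[mirc]",
        "mirc/script.ini": "[script]\nn0=LOVE-LETTER-FOR-YOU.HTM ; constructed placeholder line",
        "docs/report.txt": "clean file",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def scan_sample_tree() -> List[Finding]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for f in scan_sample_tree():
        print(f"{f.kind:18} {f.path}")
    print("disguised attachment:", is_double_extension_disguise("I-LOVE-YOU.TXT.vbs"))
```

Run it against a real root (for example a mounted copy of the affected drive) by calling `scan(root)`; the `twinned_original` entries are the files to restore from backup or un-hide, and every `vbs_twin` and `dropped_file` entry corresponds to an item in the Removal list above.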