Bugtraq mailing list archives

Re: ILOVEYOU worm


From: j.kase () PRIVADOR COM (Jaanus Kase)
Date: Thu, 4 May 2000 20:44:45 +0200


-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Elias Levy
Sent: 04. mai 2000. A. 18:56
To: BUGTRAQ () SECURITYFOCUS COM
Subject: ILOVEYOU worm

I've not been able to obtain a copy of the binary to figure out
what it does.

F-secure has a nice analysis on this:
http://www.europe.f-secure.com/v-descs/love.htm

According to the site,

"The executable part that the LoveLetter worm downloads from the web is a
password stealing trojan. On startup the trojan tries to find a hidden
window named 'BAROK...'. If it is present, the trojan exits immediately, if
not - the main routine takes control. The trojan checks for the WinFAT32
subkey in the following Registry key:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey is not found, the trojan creates it, copies
itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file
from that location. The above registry key modification makes the trojan
become active every time Windows starts.

Then the trojan sets the Internet Explorer startup page to 'about:blank'. After
that the trojan tries to find and delete the following keys:

 Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds

 Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

 .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds

 .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class and creates a hidden window titled
'BAROK...' and remains resident in Windows memory as a hidden application.

Immediately after startup, and when timer counters reach certain
values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords
function and sends stolen RAS passwords and all cached Windows passwords to the
'mailme () super net ph' e-mail address, which most likely belongs to the trojan's
author. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails.
The e-mail's subject is 'Barok... email.passwords.sender.trojan'."

Several antivirus software vendors (including F-secure, Symantec and others)
have already provided updates for their software that deal with this. Check
with your vendor.

If you need to disinfect systems without having up-to-date antivirus
software, Magnus Hiie of mega.ee also provided what appears to be a fix for
this - handy if hundreds of computers on your network need to be disinfected
quickly before more damage is done. It is attached to this mail as
"disinfect_vbs.txt" (in order not to trigger trojan autolaunch...).

NOTE: I haven't verified it to be working. I am not the author. I just
downloaded it and changed the strings to English language. BE SURE to check
the file contents yourself before launching it (such as should have been
done in the first place?).

Save the file, see that it really DOES do what it claims to do, rename it to
"disinfect.vbs", and launch it with "cscript //T:0 //NoLogo Disinfect.vbs".

Regards,
Jaanus Kase
Privador AS
http://www.privador.com/

Attachment (text/plain): disinfect_vbs.txt
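Added here as an example, not part of this mail or of Magnus Hiie's disinfection script: a Python checker that reads a registry export and reports the indicators quoted from F-Secure above (the WinFAT32 autorun entry, and the password-policy values the trojan deletes). The hive prefixes on the per-user policy paths and the sample export are assumptions.

```python
import re

# Indicators quoted from the F-Secure description above: the trojan adds a
# WinFAT32 autorun entry and deletes the policy values that keep cached
# passwords hidden, so the check looks for one present and the others absent.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "winfat32"
POLICY_KEYS = (  # hive prefixes for the per-user paths are an assumption
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network",
)
POLICY_VALUES = ("HideSharePwds", "DisablePwdCaching")

# Constructed sample export: infected Run key, one policy key half-stripped,
# the .DEFAULT policy key gone entirely.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinFAT32"="C:\\WINDOWS\\SYSTEM\\WINFAT32.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=dword:00000001
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}, all lower-cased."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})  # keep keys that carry no values
        elif key and "=" in line:
            name, data = line.split("=", 1)
            reg[key][name.strip('"').lower()] = data.strip('"')
    return reg

def check_loveletter_indicators(reg):
    """Return a list of findings; an empty list means nothing matched."""
    findings, run = [], reg.get(RUN_KEY.lower(), {})
    if DROPPED_NAME in run or f"{RUN_KEY}\\{DROPPED_NAME}".lower() in reg:
        findings.append(f"WinFAT32 autorun present: {run.get(DROPPED_NAME, '(subkey)')}")
    for key in POLICY_KEYS:  # the trojan deletes these, so absence is the signal
        present = reg.get(key.lower(), {})
        findings += [f"{v} missing under {key}" for v in POLICY_VALUES if v.lower() not in present]
    return findings
```

On a live Windows host the same checks can be fed from a `regedit /e` export of the three keys; the sample export stands in for that here.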

