Bugtraq mailing list archives
Re: ILOVEYOU worm
From: j.kase () PRIVADOR COM (Jaanus Kase)
Date: Thu, 4 May 2000 20:44:45 +0200
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Elias Levy
Sent: 4 May 2000 18:56
To: BUGTRAQ () SECURITYFOCUS COM
Subject: ILOVEYOU worm

I've not been able to obtain a copy of the binary to figure out what it does.
F-Secure has a nice analysis on this: http://www.europe.f-secure.com/v-descs/love.htm

According to the site:

"The executable part that the LoveLetter worm downloads from the web is a password stealing trojan. On startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately; if not, the main routine takes control.

The trojan checks for the WinFAT32 subkey in the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. The above registry key modification makes the trojan become active every time Windows starts. Then the trojan sets the Internet Explorer startup page to 'about:blank'.

After that the trojan tries to find and delete the following keys:

Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application.

Immediately after startup and when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function and sends stolen RAS passwords and all cached Windows passwords to the 'mailme () super net ph' e-mail address, which most likely belongs to the trojan's author. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'."

Several antivirus software vendors (including F-Secure, Symantec and others) have already provided updates for their software that deal with this. Check with your vendor.
If you need to disinfect systems without having up-to-date antivirus software, Magnus Hiie of mega.ee also provided what appears to be a fix for this, handy if hundreds of computers on your network need to be disinfected quickly before more damage is done. It is attached to this mail as "disinfect_vbs.txt" (in order not to trigger trojan autolaunch...).

NOTE: I haven't verified it to be working. I am not the author. I just downloaded it and changed the strings to English. BE SURE to check the file contents yourself before launching it (as should have been done in the first place?). Save the file, see that it really DOES do what it claims to do, rename it to "disinfect.vbs", and launch it with "cscript //T:0 //NoLogo Disinfect.vbs".

Regards,
Jaanus Kase
Privador AS
http://www.privador.com/

Attachment: disinfect_vbs.txt (text/plain)
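A read-only audit for the indicators in the F-Secure description quoted above, added here as an example; it is not part of this post, of F-Secure's analysis, or of the attached disinfect.vbs. It assumes PowerShell on the Windows host being checked and reports findings without changing anything.

```powershell
# Added example: read-only check for the BAROK/LoveLetter trojan indicators.
# Assumes PowerShell on the host under inspection; nothing is modified.
function Test-LoveLetterIndicators {
    $findings = @()

    # 1. Persistence under the HKLM Run key. F-Secure calls WinFAT32 a
    #    "subkey", so both a Run value and a Run subkey are tested.
    $runKey = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'WinFAT32')) {
        $findings += "Run value WinFAT32 -> $($run.WinFAT32)"
    }
    if (Test-Path -LiteralPath "$runKey\WinFAT32") {
        $findings += 'Run subkey WinFAT32 exists'
    }

    # 2. Dropped copy in the System directory (\System on Windows 9x,
    #    \System32 on NT-based systems; check both).
    foreach ($dir in 'System', 'System32') {
        $exe = Join-Path $env:SystemRoot "$dir\WINFAT32.EXE"
        if (Test-Path -LiteralPath $exe) { $findings += "File present: $exe" }
    }

    # 3. Internet Explorer start page forced to about:blank.
    $ieMain = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Start Page' -eq 'about:blank') {
        $findings += 'IE Start Page is about:blank'
    }

    # 4. Password-caching policy entries the trojan deletes. Absence alone is
    #    a weak signal (many hosts never set them), so it is labelled as such.
    $policyKeys = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network',
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
    )
    foreach ($key in $policyKeys) {
        $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'HideSharePwds', 'DisablePwdCaching') {
            if (-not $pol -or -not ($pol.PSObject.Properties.Name -contains $name)) {
                $findings += "Weak signal: $key\$name not set"
            }
        }
    }
    return $findings
}

$result = @(Test-LoveLetterIndicators)
if ($result.Count -eq 0) { 'No LoveLetter/BAROK indicators found.' } else { $result }
```

The hidden 'BAROK...' window and the outbound SMTP traffic to the named mail server are further indicators that a process listing or network capture on the host can confirm.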