Security Incidents mailing list archives
IL0VEY0U worm
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 10:19:38 -0700
A new VB worm is on the loose. This would normally not be bugtraq material as it exploits no new flaws, but it has spread enough that it warrants some coverage. This is a quick and dirty analysis of what it does.

The worm spreads via email as an attachment and via IRC as a DCC download.

The first thing the worm does when executed is save itself to three different locations: under the system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and under the windows directory as Win32DLL.vbs. It then creates a number of registry entries to execute these programs when the machine restarts. These entries are:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

It will also modify Internet Explorer's start page to point to a web page that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between four different URLs:

  http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
  http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
  http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
  http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I've not been able to obtain a copy of the binary to figure out what it does. This does mean the worm has a dynamic component that may change its behavior any time the binary is changed and a new one downloaded.

The worm then changes a number of registry keys to run the downloaded binary and to clean up after itself:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page  about:blank

The worm then creates an HTML file that helps it spread, LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.

The worm then spreads to all addresses in the Windows Address Book by sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The email starts: "kindly check the attached LOVELETTER coming from me."

Then the virus searches attached drives looking for files with certain extensions. It overwrites files ending with vbs and vbe. It overwrites files ending with js, jse, css, wsh, sct, and hta, and then renames them to end with vbs. It overwrites files ending with jpg and jpeg and appends .vbs to their name. It finds files with the name mp3 and mp3, creates vbs files with the same name, and sets the hidden attribute on the original mp* files.

Then it looks for the mIRC Windows IRC client and overwrites the script.ini file if found. It modifies this file so that it will DCC the LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the client is in.

You can find the source of the worm at:

  http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030 () thievco com&part=.1

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
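A defender-side check for the indicators listed in the post above, added here as an example and not part of Elias Levy's message. It scans a host snapshot (file list, Run values, IE start page, mIRC script.ini contents) for the dropped files, persistence keys, doubled extensions and DCC line the analysis describes; matching on basenames, the HKLM/HKCU abbreviations and the sample snapshot are assumptions, not data from a real infection.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the analysis above; matching is case-insensitive on basenames
# (assumption: basenames suffice, since the post names directories only loosely).
DROPPED_NAMES = {"mskernel32.vbs", "love-letter-for-you.txt.vbs", "win32dll.vbs",
                 "love-letter-for-you.htm"}
PERSISTENCE_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\run\mskernel32",
    r"hklm\software\microsoft\windows\currentversion\runservices\win32dll",
    r"hklm\software\microsoft\windows\currentversion\run\win-bugsfix",
}
START_PAGE = r"hkcu\software\microsoft\internet explorer\main\start page"
# Victim files the worm leaves behind carry a doubled extension (photo.jpg.vbs, song.mp3.vbs).
DOUBLE_EXT = re.compile(r"\.(txt|jpe?g|mp3)\.vbs$", re.I)

def scan_snapshot(file_paths: Iterable[str], registry: Dict[str, str],
                  script_ini: Optional[str] = None) -> List[str]:
    """Return one finding per indicator present in a host snapshot."""
    findings = []
    for path in file_paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES:
            findings.append(f"dropped worm file: {path}")
        elif DOUBLE_EXT.search(name):
            findings.append(f"overwritten victim file: {path}")
    for key, data in registry.items():
        k = key.lower()
        if k in PERSISTENCE_VALUES:
            findings.append(f"persistence: {key} = {data}")
        elif k == START_PAGE and "win-bugsfix.exe" in data.lower():
            findings.append(f"IE start page hijacked to downloader: {data}")
    if script_ini and "dcc" in script_ini.lower() and "love-letter-for-you.htm" in script_ini.lower():
        findings.append("mIRC script.ini DCCs LOVE-LETTER-FOR-YOU.HTM to channel joiners")
    return findings

# Constructed sample snapshot (not from a real infection) exercising each indicator.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\Win32DLL.vbs",
                r"C:\My Documents\holiday.jpg.vbs", r"C:\My Documents\report.doc"]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Backup": r"C:\Program Files\backup.exe",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "http://example.invalid/WIN-BUGSFIX.exe",
}
SAMPLE_SCRIPT_INI = "[script]\nn0=on 1:JOIN:#:* { /dcc send $nick LOVE-LETTER-FOR-YOU.HTM }\n"

if __name__ == "__main__":
    for line in scan_snapshot(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_SCRIPT_INI):
        print(line)
```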