Vulnerability Development mailing list archives
Info on the VBS/LoveLetter virus
From: roelof () SENSEPOST COM (Roelof Temmingh)
Date: Thu, 4 May 2000 16:23:57 +0200
Here are some information on the VBS/Loveletter virus. Hope it is not old news.. ---cut--- Info obtained from http://www.gas.co.za VBS/LoveLetter is a VBScript worm. It spreads thru email as a chain letter. The worm uses the Outlook e-mail application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as: - MSKernel32.vbs - LOVE-LETTER-FOR-YOU.TXT.vbs and to Windows directory: - Win32DLL.vbs Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win 32DLL Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted. After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows: Subject: ILOVEYOU Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more. The virus then searches for certain filetypes on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta" The virus also tries to use companion techniques, adding a secondary file next to existing file - hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 and adds a new file next to it. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created. LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the virus is Philippine origin. At the beginning of the code, the virus contains the following text: rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / ispyder () mail com / @GRAMMERSoft Group / Manila,Philippines ------------------------------------------------------ Roelof W Temmingh SensePost IT security roelof () sensepost com +27 83 448 6996 http://www.sensepost.com
Current thread:
- Ascii-x86 was: Blind Remote Buffer Overflow, (continued)
- Ascii-x86 was: Blind Remote Buffer Overflow Bluefish (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Robert Collins (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Bill Weiss (May 03)
- firewall audit LEOW Chiun-Yi Jonathan (May 03)
- Re: firewall audit Ron DuFresne (May 03)
- Re: firewall audit antirez (May 04)
- Re: firewall audit Bennett Todd (May 04)
- Re: firewall audit Ron DuFresne (May 04)
- ethernet cards & promisc mode Security Team (May 03)
- Re: ethernet cards & promisc mode R (May 04)
- Info on the VBS/LoveLetter virus Roelof Temmingh (May 04)
- Re: ethernet cards & promisc mode Todd Garrison (May 04)
- Re: ethernet cards & promisc mode RioTek (May 04)
- ILOVEYOU worm Elias Levy (May 04)
- don't open email w/ subject line "I love you." (Was: Re: I love you.) Ken Williams (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- I Love You.. Repair Program James Wilkins (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Re: IL0VEY0U worm Elias Levy (May 05)
- New worm? Blue Boar (May 04)