thanks for the heads up re the virus Hans, it looks like a nasty one
tex
----- Original Message -----
From: "Hans van der Genugten" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, May 04, 2000 11:34 AM
Subject: VIRUSWARNING: High risk e-mail virus "I love you"


> Virus Name:      VBS/LoveLetter.worm
> Aliases:         none known
> Date Discovered: Thursday May 4th 2000
> DAT included:    4077
> Risk:            High
>
> Characteristics:
>
> This worm is a VBS program that is sent attached to an email with the
> subject ILOVEYOU.
> The mail contains the message "kindly check the attached LOVELETTER coming
> from me."
> The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs
> If the user runs the attachment the worm runs using the Windows Scripting
> Host program. This is not normally present on Windows 95 or Windows NT
> unless Internet Explorer 5 is installed.
>
> When the worm is first run it drops copies of itself in the following
> places :-
>
> C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
> C:\WINDOWS\WIN32DLL.VBS
> C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
>
> It also adds the registry keys :-
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
> Win32DLL=C:\WINDOWS\Win32DLL.vbs
> in order to run the worm at system start-up.
>
> The worm replaces the following files :-
> *.JPG
> *.JPEG
> *.MP3
> *.MP2
> with copies of itself and it adds the extension .VBS to the original
> filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
> contain the worm.
>
> The worm also overwrites the following files :-
> *.VBS
> *.VBE
> *.JS
> *.JSE
> *.CSS
> *.WSH
> *.SCT
> *.HTA
> with copies of itself and renames the files to *.VBS.
>
> The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and
> this is then sent to the IRC channels if the mIRC client is installed. This
> is accomplished by the worm replacing the file SCRIPT.INI with the following
> script :-
>
> [script]
> n0=on 1:JOIN:#:{
> n1=  /if ( $nick == $me ) { halt }
> n2=  /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
> n3=}
>
> After a short delay the worm uses Microsoft Outlook to send copies of itself
> to all entries in the address book.
> The mails will be of the same format as the original mail.
>
> This worm also has another trick up its sleeve in that it tries to download
> and install an executable file called WIN-BUGSFIX.EXE from the Internet.
> This exe file is a password stealing program that will email any cached
> passwords to the mail address [log in to unmask]
>
> In order to facilitate this download the worm sets the start-up page of
> Microsoft Internet Explorer to point to the web-page containing the password
> stealing trojan.
>
> The email sent by this program is as follows :-
> From: [log in to unmask]
> To: [log in to unmask]
> Subject: Barok... email.passwords.sender.trojan
> X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
> Host: goat1
> Username: Goat1
> IP Address: 192.168.0.2
> RAS Passwords:...
> <password information goes here>
> ...
> Cache Passwords:...
> <password information goes here>
> ...
> goatserver.goatnet/goatserver.goatnet : GOATNET\goat1:
> MAPI                           : MAPI
>
> The password stealing trojan is also installed via the following registry
> key :-
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
> to auto run at system start-up.
>
> After it has been run the password stealing trojan copies itself to
> WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
>
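The advisory above lists the worm's indicators (the double-extension attachment name, the media files replaced with NAME.JPG.VBS copies, the Run/RunServices autostart values, and the replaced mIRC SCRIPT.INI). The following Python script is an added example, not part of Hans's mail or of any vendor tool: it turns those indicators into offline checks that a mail gateway or a host triage script could run. All inputs it processes are constructed samples modelled on the advisory text; the function names, the minimal .reg parser and the sample paths are assumptions made for the illustration.

```python
"""Offline triage for the VBS/LoveLetter indicators listed in the advisory.

Added example, not part of the original mail: every sample input below is
constructed to resemble the artefacts the advisory describes; nothing here
was taken from a real infected host.
"""
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory text (compared case-insensitively).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}          # worm appends .VBS to these
RUN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
                 "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}


def is_double_extension_script(filename: str) -> bool:
    """Gateway check: a harmless-looking extension followed by a script one,
    e.g. LOVE-LETTER-FOR-YOU.TXT.vbs. Only the disguise is detected here;
    a real policy would also block bare .vbs attachments."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS


def find_trojaned_media(paths):
    """Host check: files of the form NAME.JPG.VBS (the worm kept the media
    extension and appended .VBS), so both extensions are present at once."""
    hits = []
    for p in paths:
        suffixes = [s.lower() for s in PureWindowsPath(p).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MEDIA_EXTS:
            hits.append(p)
    return hits


def parse_reg_export(text: str):
    """Minimal parser for a .reg-style export: [KEY] headers followed by
    "Name"="Value" lines. Returns (key, name, value) triples (hypothetical
    helper; a real triage would read the live registry instead)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                entries.append((key, m.group(1), m.group(2)))
    return entries


def flag_run_entries(entries):
    """Autostart values matching the advisory: under ...\CurrentVersion\Run or
    \RunServices, either the value name or the basename of the command is one
    of the listed indicators."""
    flagged = []
    for key, name, value in entries:
        if not re.search(r"\\currentversion\\run(services)?$", key, re.I):
            continue
        base = PureWindowsPath(value.strip('"')).name.lower()
        if name.lower() in RUN_VALUE_NAMES or base in DROPPED_FILES:
            flagged.append((key, name, value))
    return flagged


def mirc_script_trojaned(script_ini: str) -> bool:
    """The worm's SCRIPT.INI DCC-sends the .HTM copy to every nick that joins."""
    s = script_ini.lower()
    return "on 1:join:" in s and "dcc send $nick" in s and "love-letter-for-you.htm" in s


# Constructed samples (not real artefacts).
SAMPLE_FILES = [
    r"C:\My Documents\PICT.JPG.VBS",       # replaced media file
    r"C:\My Documents\notes.txt",          # untouched
    r"C:\Music\song.mp3.vbs",              # replaced media file
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",   # dropped copy, single extension
]
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\WINDOWS\SYSTEM\MSKernel32.vbs"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\WINDOWS\Win32DLL.vbs"
"""
SAMPLE_SCRIPT_INI = r"""[script]
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}
"""


def triage_host(files, reg_text, script_ini):
    """Run all host-side checks and return a summary dict."""
    return {
        "trojaned_media": find_trojaned_media(files),
        "autostart": flag_run_entries(parse_reg_export(reg_text)),
        "mirc_script_trojaned": mirc_script_trojaned(script_ini),
    }


if __name__ == "__main__":
    print("attachment blocked:", is_double_extension_script("LOVE-LETTER-FOR-YOU.TXT.vbs"))
    for k, v in triage_host(SAMPLE_FILES, SAMPLE_REG, SAMPLE_SCRIPT_INI).items():
        print(f"{k}: {v}")
```

One caveat on the attachment check: `PureWindowsPath.suffixes` treats every dot as an extension boundary, so a name like `v1.2.vbs` also counts as a double extension. For a gateway that is the safer failure mode, since any attachment ending in a script extension should be held anyway; the function's value is in catching the `.TXT.vbs` disguise that a user reading the name would miss.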