CSS Internet News Report VBS/LoveLetter VBScript Worm VBS/LoveLetter VBScript Worm http://www.cert.org/current/ The morning of 5/4/2000, we began to receive numerous reports of a VBScript worm being called "Love Letter" circulating in the wild. Early reports we have received indicate this is not a hoax. Reports indicate the worm is distributed via e-mail with the following characteristics: Subject: ILOVEYOU The body of the message contains: kindly check the attached LOVELETTER coming from me A file attachment is included, named: LOVE-LETTER-FOR-YOU.TXT.vbs More information is available from: http://www.f-secure.com/v-descs/love.htm If your site has been affected by VBS/LoveLetter, we would appreciate knowing the scope of the infection at your site. Please let us know by submitting an incident report using our Incident Reporting Form, and be sure to specify how many hosts were affected. http://www.cert.org/ftp/incident_reporting_form We will provide updates as we gather more information. F-Secure Virus Information Pages http://www.f-secure.com/v-descs/love.htm Index Navigation NAME:LoveLetter VBS/LoveLetter is a VBScript worm. It spreads thru email as a chain letter. The worm uses the Outlook e-mail application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as: - MSKernel32.vbs - LOVE-LETTER-FOR-YOU.TXT.vbs and to Windows directory: - Win32DLL.vbs Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win 32DLL Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted. The executable part that the LoveLetter worm downloads from the web is a password stealing trojan. On startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately, if not - the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run If the WinFAT32 subkey key is not found, the trojan creates it, copies itself to \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. The above registry key modification makes the trojan become active every time Windows starts. Then the trojan sets Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys: Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideShar ePwds ePwds .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisableP wdCaching Then trojan registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application. Immediately after startup and when timer counters reaches the certain values, the trojan loads MPR.DLL library, calls WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to [log in to unmask] e-mail address that most likely belongs to trojan's author. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'. There's the author's copyright message inside the trojan's body: barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils. There are also some encrypted text messages in the trojan's body used for its internal purposes. After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows: Subject: ILOVEYOU Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more. The virus then searches for certain filetypes on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either "vbs" or "vbe" extension. For the files with the following extensions: ".js", ".jse", ".css", ".wsh", ".sct" and ".hta", the virus will create a new file with the same name, but using the extension ".vbs". The original file will be deleted. Next the the virus locates files with ".jpg" and ".jpeg" extension, adds a new file next to it and deletes the original file. Then the virus locates ".mp3" and ".mp2" files, creates a new file and hides the original file. For above two cases, the new files created will have the original name added with the extension ".vbs". For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created. LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the virus is Philippine origin. At the beginning of the code, the virus contains the following text: rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / [log in to unmask] / @GRAMMERSoft Group / Manila,Philippines [Analysis: Katrin Tocheva, Mikko Hypponen, Alexey Podrezov and Sami Rautiainen, F-Secure] On-line Learning Series of Courses http://www.bestnet.org/~jwalker/course.htm Member: Association for International Business ------------------------------- Excerpt from CSS Internet News (tm) ,-~~-.____ For subscription details email / | ' \ [log in to unmask] with ( ) 0 SUBINFO CSSINEWS in the \_/-, ,----' subject line. ==== // / \-'~; /~~~(O) "On the Internet no one / __/~| / | knows you're a dog" =( _____| (_________| http://www.bestnet.org/~jwalker -------------------------------