
CSS Internet News Report VBS/LoveLetter VBScript Worm

VBS/LoveLetter VBScript Worm

http://www.cert.org/current/

The morning of 5/4/2000, we began to receive numerous reports of a 
VBScript worm being called "Love Letter" circulating in the wild. Early 
reports we have received indicate this is not a hoax. Reports indicate 
the worm is distributed via e-mail with the following characteristics: 


  Subject: ILOVEYOU

  The body of the message contains:

    kindly check the attached LOVELETTER coming from me

  A file attachment is included, named:

    LOVE-LETTER-FOR-YOU.TXT.vbs


More information is available from: 

http://www.f-secure.com/v-descs/love.htm 


If your site has been affected by VBS/LoveLetter, we would appreciate 
knowing the scope of the infection at your site. Please let us know by 
submitting an incident report using our Incident Reporting Form, and be 
sure to specify how many hosts were affected. 

http://www.cert.org/ftp/incident_reporting_form

We will provide updates as we gather more information. 


F-Secure Virus Information Pages

http://www.f-secure.com/v-descs/love.htm


NAME: LoveLetter

VBS/LoveLetter is a VBScript worm. It spreads through e-mail as a chain 
letter. 

The worm uses the Outlook e-mail application to spread. LoveLetter is 
also an overwriting VBS virus, and it spreads itself using the mIRC client as 
well. 

When it is executed, it first copies itself to the Windows System directory 
as: 

    - MSKernel32.vbs
    - LOVE-LETTER-FOR-YOU.TXT.vbs

and to the Windows directory: 

    - Win32DLL.vbs


Then it adds itself to the registry, so it will be executed when the system 
is restarted. The registry keys that it adds are: 

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL


Next the worm replaces the Internet Explorer home page with a link that 
points to an executable program, "WIN-BUGSFIX.exe". If the file is 
downloaded, the worm adds this to the registry as well, so that the 
program will be executed when the system is restarted. 

The executable part that the LoveLetter worm downloads from the web is a 
password-stealing trojan. On startup the trojan tries to find a hidden 
window named 'BAROK...'. If it is present, the trojan exits immediately; 
if not, the main routine takes control. The trojan checks for the 
WinFAT32 subkey in the following registry key: 

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the WinFAT32 subkey is not found, the trojan creates it, copies 
itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the 
file from that location. The above registry key modification makes the 
trojan become active every time Windows starts. 

Then the trojan sets the Internet Explorer startup page to 'about:blank'. 
After that the trojan tries to find and delete the following keys: 

    Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
    Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
    .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
    .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching


Then the trojan registers a new window class and creates a hidden window 
titled 'BAROK...' and remains resident in Windows memory as a hidden 
application. 

Immediately after startup, and whenever its timer counters reach certain 
values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords 
function and sends the stolen RAS passwords and all cached Windows passwords 
to the [log in to unmask] e-mail address, which most likely belongs to the 
trojan's author. The trojan uses the 'smpt.super.net.ph' mail server to 
send e-mails. The e-mail's subject is 'Barok... 
email.passwords.sender.trojan'. 

The author's copyright message is inside the trojan's body: 

    barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils.


There are also some encrypted text messages in the trojan's body used 
for its internal purposes. 

After that, the worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in 
the Windows System directory. This file contains the worm, and it will 
be sent using mIRC whenever the user joins an IRC channel. 



Then the worm will use Outlook to mass mail itself to everyone in each 
address book. The message that it sends will be as follows: 

    Subject:    ILOVEYOU
    Body:       kindly check the attached LOVELETTER coming from me.
    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs


LoveLetter sends the mail once to each recipient. After a mail has been 
sent, it adds a marker to the registry and does not mass mail itself any 
more. 
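As an added example (not part of the CERT note or the F-Secure analysis), a gateway-side check in Python for the message characteristics just described. It generalises the attachment test to any double-extension name whose final extension is one of the script types the worm carries or converts to; the sample message it builds is constructed, with placeholder addresses and a placeholder attachment body.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script extensions the worm carries or converts other files to, per the analysis.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta")
KNOWN_SUBJECT = "iloveyou"
KNOWN_BODY = "kindly check the attached loveletter coming from me"

def double_extension_script(name):
    """True for names like LOVE-LETTER-FOR-YOU.TXT.vbs: a script type behind a harmless-looking one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and ("." + parts[2]) in SCRIPT_EXT

def check_message(raw):
    """Return the list of LoveLetter indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if (msg["subject"] or "").strip().lower() == KNOWN_SUBJECT:
        hits.append("subject matches LoveLetter")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and KNOWN_BODY in text.get_content().lower():
        hits.append("body matches LoveLetter text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension_script(name):
            hits.append(f"script attachment with double extension: {name}")
    return hits

def sample_message():
    """Constructed message with the characteristics above; addresses and attachment body are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached LOVELETTER coming from me")
    m.add_attachment(b"rem placeholder, not the worm\r\n", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return m.as_bytes()
```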

The virus then searches for certain file types in all folders on all 
local and remote drives and overwrites them with its own code. The files 
that are overwritten have either a ".vbs" or a ".vbe" extension. 

For files with the following extensions: ".js", ".jse", ".css", 
".wsh", ".sct" and ".hta", the virus will create a new file with the 
same name, but using the extension ".vbs". The original file will be 
deleted. 

Next the virus locates files with the ".jpg" and ".jpeg" extensions, adds 
a new file next to each one and deletes the original file. Then the virus 
locates ".mp3" and ".mp2" files, creates a new file and hides the 
original file. In both of these cases, the new file's name is the 
original name with the extension ".vbs" appended. For example, a picture 
named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be 
created. 
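An added host-triage example in Python, not from F-Secure or the newsletter: it walks a directory tree and flags the artifacts described above, namely the dropped file names from the earlier sections, .vbs/.vbe files that open with the header comment the analysis quotes from the start of the worm's code, and the double-extension names left beside .jpg/.jpeg/.mp3/.mp2 originals. The sample tree it builds is constructed and contains only that comment line, not worm code.

```python
import os
import tempfile
from pathlib import Path

# Names the analysis says the worm and its trojan drop (lower-cased for matching).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}
MARKER = "rem  barok -loveletter(vbe)"          # first comment line of the worm's code
SHADOWED = {".jpg", ".jpeg", ".mp3", ".mp2"}    # types left as name.ext.vbs beside the original

def classify(path, siblings):
    """Return the reasons to flag one file; an empty list means nothing suspicious."""
    reasons = []
    name = path.name.lower()
    if name in DROPPED:
        reasons.append("worm/trojan drop name")
    if name.endswith((".vbs", ".vbe")):
        head = path.read_text(errors="replace").lstrip()[:80].lower()
        if head.startswith(MARKER):
            reasons.append("starts with LoveLetter header comment")
        inner = Path(name[:-4]).suffix           # "pic.jpg.vbs" -> ".jpg"
        if inner in SHADOWED:
            state = "original present" if name[:-4] in siblings else "original gone"
            reasons.append(f"double extension {inner}{name[-4:]}, {state}")
    return reasons

def triage(root):
    """Walk root and return sorted (relative POSIX path, reason) pairs."""
    root, findings = Path(root), []
    for dirpath, _, names in os.walk(root):
        siblings = {n.lower() for n in names}
        for n in names:
            p = Path(dirpath) / n
            findings.extend((p.relative_to(root).as_posix(), r) for r in classify(p, siblings))
    return sorted(findings)

def demo():
    """Build a constructed tree mimicking the damage described above, then triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "pics").mkdir()
    (root / "music").mkdir()
    stub = MARKER + "\nrem by: spyder\n"                    # header comment only, not worm code
    (root / "MSKernel32.vbs").write_text(stub)              # copy dropped into the System directory
    (root / "pics" / "pic.jpg.vbs").write_text(stub)        # pic.jpg itself was deleted
    (root / "music" / "song.mp3").write_bytes(b"ID3")       # hidden on Windows, just kept here
    (root / "music" / "song.mp3.vbs").write_text(stub)
    (root / "site.vbs").write_text(stub)                    # site.css rewritten as site.vbs
    (root / "clean.vbs").write_text('WScript.Echo "ok"\n')  # benign script, must not be flagged
    return triage(root)
```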

LoveLetter was found globally in the wild on May 4th, 2000. It looks 
like the virus is of Philippine origin. At the beginning of the code, the 
virus contains the following text: 

    rem  barok -loveletter(vbe) <i hate go to school>
    rem                         by: spyder  /  [log in to unmask]  /  @GRAMMERSoft Group  /  Manila,Philippines


[Analysis: Katrin Tocheva, Mikko Hypponen, Alexey Podrezov and Sami 
Rautiainen, F-Secure]  
On-line Learning Series of Courses
http://www.bestnet.org/~jwalker/course.htm

Member: Association for International Business
-------------------------------

Excerpt from CSS Internet News (tm). For subscription details email 
[log in to unmask] with SUBINFO CSSINEWS in the subject line.

"On the Internet no one knows you're a dog"

http://www.bestnet.org/~jwalker

-------------------------------