ripped straight from mcaffee.. sorry about clogging the list :) mike
Characteristics: Aliases: VBS.Loveletter.a Variants: None Date Added: 5/4/00 Virus Information Discovery Date: 5/4/00 Origin:Phillipines Type: Virus SubType: VbScript Risk Assessment: High-Outbreak Minimum Dat: 4077 Minimum Engine: 4.0.35 Virus Characteristics: This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format: Subject "ILOVEYOU" Message "kindly check the attached LOVELETTER coming from me." Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 9x or Windows NT unless Internet Explorer 5 is installed. When the worm is first run it drops copies of itself in the following places : C:\WINDOWS\SYSTEM\MSKERNEL32.VBS C:\WINDOWS\WIN32DLL.VBS C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS It also adds the registry keys : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers ion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers ion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs in order to run the worm at system startup. The worm replaces the following files: *.JPG *.JPEG *.MP3 *.MP2 with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm. The worm also overwrites the following files: *.VBS *.VBE *.JS *.JSE *.CSS *.WSH *.SCT *.HTA with copies of itself and renames the files to *.VBS. The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI. After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail. This worm also has another trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address: [EMAIL PROTECTED] In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan. The email sent by this program is as follows: -------------copy of email sent----------- From: [EMAIL PROTECTED]: [EMAIL PROTECTED] Subject: Barok... email.passwords.sender.trojan X-Mailer: Barok... email.passwords.sender. trojan---by: spyder Host: [machine name] Username: [user name] IP Address: [victim IP address] RAS Passwords:...[victim password info] Cache Passwords:...[victim password info] -------------copy of email sent----------- The password stealing trojan is also installed via the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers ion\Run\WIN-BUGSFIX to autorun at system startup. After it has been run the password stealing trojan copies itself to: WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers ion\Run\WinFAT32=WinFAT32.EXE Symptoms VirusScan 4.0.3+ Toolkit 8 Method Of Infection VirusScan 4.0.3+ Toolkit 8 Removal Instructions: Script,Batch,Macro and non memory-resident: Use specified engine and DAT files for detection and removal. Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled. PE,Trojan,Internet Worm and memory resident: Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C:/CLEAN /ALL" DAT not yet available: In the event you have this virus, trojan or Internet worm on your system(s) and the specified DAT is not yet available, refer to the documentation posted for submitting a sample to McAfee AVERT for resolution.