ripped straight from McAfee... sorry about clogging the list :)

mike


Characteristics:

Aliases: VBS.Loveletter.a
Variants: None
Date Added: 5/4/00

Virus Information

Discovery Date: 5/4/00
Origin: Philippines
Type: Virus
SubType: VbScript
Risk Assessment: High-Outbreak
Minimum Dat: 4077
Minimum Engine: 4.0.35

Virus Characteristics:

This is a VBScript worm with virus qualities. This worm will arrive in
an email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows 
Scripting Host program. This is not normally present on Windows 
9x or Windows NT unless Internet Explorer 5 is installed. 
                   
When the worm is first run it drops copies of itself in the following
places:

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files: 

                     *.JPG
                     *.JPEG
                     *.MP3
                     *.MP2 

with copies of itself and it adds the extension .VBS to the original 
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and 
this would contain the worm. 

The worm also overwrites the following files: 

                     *.VBS
                     *.VBE
                     *.JS
                     *.JSE
                     *.CSS
                     *.WSH
                     *.SCT
                     *.HTA 

with copies of itself and renames the files to *.VBS. 

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which 
contains the worm and this is then sent to the IRC channels if the 
mIRC client is installed. This is accomplished by the worm 
replacing the file SCRIPT.INI. 

After a short delay the worm uses Microsoft Outlook to send 
copies of itself to all entries in the address book. The mails will be 
of the same format as the original mail. 

This worm also has another trick up its sleeve in that it tries to
download and install an executable file called WIN-BUGSFIX.EXE
from the Internet. This exe file is a password stealing program that
will email any cached passwords to the mail address:

[EMAIL PROTECTED] 

In order to facilitate this download the worm sets the start-up page 
of Microsoft Internet Explorer to point to the web-page containing 
the password stealing trojan.          

The email sent by this program is as follows:

-------------copy of email sent-----------
From: [EMAIL PROTECTED]: [EMAIL PROTECTED]
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the
following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password
stealing trojan copies itself to:

WINDOWS\SYSTEM\WinFAT32.EXE

and replaces the registry key with:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
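As an added example (not from the McAfee advisory or the list post), a small Python check that applies the host indicators described above, the dropped filenames, the Run/RunServices value names, the .JPG/.MP3-to-.VBS replacement pattern and the mail format, to a constructed file listing and registry export; the sample data and the function names are assumptions for illustration.

```python
import re

# Constructed sample inventory (not from the advisory): file paths and the values
# under HKLM ...\Run and ...\RunServices as a host inventory export might list them.
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\WINDOWS\WIN32DLL.VBS",
    r"C:\My Documents\PICT.JPG.VBS",
    r"C:\My Documents\song.mp3.vbs",
    r"C:\My Documents\notes.txt",
    r"C:\WINDOWS\SYSTEM\WinFAT32.EXE",
]
HIVE = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_RUN_ENTRIES = {
    HIVE + r"\Run\MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    HIVE + r"\RunServices\Win32DLL": r"C:\WINDOWS\Win32DLL.vbs",
    HIVE + r"\Run\WinFAT32": "WinFAT32.EXE",
    HIVE + r"\Run\SystemTray": "SysTray.Exe",  # benign entry, must not be flagged
}

# Filenames the advisory says the worm and its trojan drop, and the Run /
# RunServices value names they register.
DROPPED_NAMES = {"MSKERNEL32.VBS", "WIN32DLL.VBS", "LOVE-LETTER-FOR-YOU.TXT.VBS",
                 "LOVE-LETTER-FOR-YOU.HTM", "WIN-BUGSFIX.EXE", "WINFAT32.EXE"}
AUTORUN_VALUES = {"MSKERNEL32", "WIN32DLL", "WIN-BUGSFIX", "WINFAT32"}
# Media files are replaced by the worm under the original name plus ".VBS".
REPLACED = re.compile(r"^(.+\.(?:JPG|JPEG|MP3|MP2))\.VBS$", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def scan_files(paths):
    """Return (dropped_copies, replaced); replaced maps each worm copy to the media
    filename it displaced. The original content is gone, so the name only tells
    you which file to restore from backup."""
    dropped = [p for p in paths if basename(p).upper() in DROPPED_NAMES]
    replaced = {}
    for p in paths:
        m = REPLACED.match(basename(p))
        if m:
            replaced[p] = m.group(1)
    return dropped, replaced

def scan_autoruns(entries):
    """Flag Run/RunServices values whose name matches one the worm or trojan sets."""
    return {k: v for k, v in entries.items()
            if k.rsplit("\\", 1)[-1].upper() in AUTORUN_VALUES}

def is_loveletter_mail(subject, attachments):
    """Gateway check for the propagation mail format described in the advisory."""
    return (subject.strip().upper() == "ILOVEYOU"
            or any(basename(a).upper() == "LOVE-LETTER-FOR-YOU.TXT.VBS" for a in attachments))
```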

Symptoms
VirusScan 4.0.3+
Toolkit 8

Method Of Infection
VirusScan 4.0.3+
Toolkit 8


Removal Instructions:

Script,Batch,Macro and non memory-resident:

Use specified engine and DAT files for detection and removal. 

Note: It is very common for macro viruses to disable options within
Office applications; for example, in Word the macro protection
warning is commonly disabled. After cleaning macro viruses,
ensure that your previously set options are enabled again.

PE,Trojan,Internet Worm and memory resident:

Use specified engine and DAT files for detection. To remove, boot 
to MS-DOS mode or use an emergency boot diskette and use the 
command line scanner such as "SCANPM C:/CLEAN /ALL" 

DAT not yet available: 

In the event you have this virus, trojan or Internet worm on your
system(s) and the specified DAT is not yet available, refer to the 
documentation posted for submitting a sample to McAfee AVERT 
for resolution. 


