Information about the Loveletter virus from www.nai.com.

BTW, I read in the WOW newsletter (Woody's Office Newsletter) that this virus
can spread if Windows Scripting Host (WSH) is installed on the PC in question.
That means Win98 & Win2000 can be infected. Win95 and NT may be infected if they
have IE5 (this is according to WOW, not me). It can also spread via IRC.

Below are excerpts from WOW and from nai.com.

rotty

================START of WOW===============
  To be infected:
  All you need is a computer that has Windows Scripting Host
  (WSH) installed.  That means Windows 98, 2000 or even
  Windows ME if you're a beta tester.

  Windows 95 and NT systems which have Internet Explorer 5.x
  will most likely have WSH (it's part of the default
  installation).  WSH can also be downloaded from the
  Microsoft web site and installed onto any Windows 95/NT
  system.

  If unsure then you should assume that any Windows 95, 98,
  NT or 2000 machine can be infected and damaged.

  It doesn't matter which email program you are running, for
  if you open the virus attachment you'll be infected.  That
  includes all forms of Outlook, Outlook Express and other
  non-Microsoft email programs.

  Macintosh systems and other operating systems cannot be
  infected.

  To spread the virus:
  The primary method for the virus to spread is to send
  itself to other computers via email, for that you must have
  either Outlook 98 or Outlook 2000 (NOT Outlook 97).

  The only way other email programs could spread the virus is
  if you're silly enough to manually send the infected
  attachment in one of your messages.

  However any email software can receive an infected
  attachment and if you have one of the above versions of
  Windows then your system can be damaged even if it can't
  spread to other computers.

  The virus can also be spread by Internet Relay Chat (if you
  have mIRC) or by overwriting VBS, JS, etc. files on remote
  network drives.

================END of WOW===============


================START of NAI===============
VBS/Loveletter Virus
<http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/intro.asp>

This is a VBS worm. It mails itself to everyone in the address book. 

It comes with the subject "I Love You,"  and the attachment
"\LOVE-LETTER-FOR-YOU.TXT.vbs"

It also has the ability to download an executable, which when run can steal
passwords.

Here is the link with a preliminary description:
http://vil.nai.com/villib/dispVirus.asp?virus_k=98617

Characteristics: 

This is a VBScript worm with virus qualities. This worm will arrive in an email
message with this format: 

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" 

If the user runs the attachment the worm runs using the Windows Scripting Host
program. This is not normally present on Windows 9x or Windows NT unless
Internet Explorer 5 is installed. 

When the worm is first run it drops copies of itself in the following places : 

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS 

It also adds the registry keys : 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup. 

The worm replaces the following files: 

*.JPG
*.JPEG
*.MP3
*.MP2 

with copies of itself and it adds the extension .VBS to the original filename.
So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.


The worm also overwrites the following files: 

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA 

with copies of itself and renames the files to *.VBS. 

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and
this is then sent to the IRC channels if the mIRC client is installed. This is
accomplished by the worm replacing the file SCRIPT.INI. 

After a short delay the worm uses Microsoft Outlook to send copies of itself to
all entries in the address book. The mails will be of the same format as the
original mail. 

This worm also has another trick up its sleeve in that it tries to download and
install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe
file is a password stealing program that will email any cached passwords to the
mail address [EMAIL PROTECTED] 

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the password
stealing trojan. 

The email sent by this program is as follows : 

-------------copy of email sent-----------
From: [EMAIL PROTECTED]: [EMAIL PROTECTED]
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address] 

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent----------- 

The password stealing trojan is also installed via the following registry key: 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password stealing trojan
copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE

================END of NAI===============
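
An added example (not part of the original post or of the WOW/NAI text): a
Python check that matches a file listing and Run/RunServices value names against
the file names and registry values given in the NAI description above. The
function names and the sample data are constructed for illustration; matching is
by name only, so a hit is a lead to inspect, not proof of infection.

```python
import os
import re
from pathlib import PureWindowsPath

# File names the NAI text says the worm or its trojan drops or creates.
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe",
}
# Replaced media files get ".VBS" appended (PICT.JPG -> PICT.JPG.VBS).
REPLACED_MEDIA = re.compile(r"\.(jpe?g|mp3|mp2)\.vbs$", re.IGNORECASE)
# Value names the NAI text lists under the Run / RunServices keys.
RUN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}


def classify_path(path):
    """Return a finding label for one path, or None if the name matches nothing."""
    name = PureWindowsPath(path).name  # accepts both \ and / separators
    if name.lower() in DROPPED_NAMES:
        return "dropped-file"
    if REPLACED_MEDIA.search(name):
        return "replaced-media"
    return None


def scan_paths(paths):
    """Classify an iterable of paths; returns [(label, path), ...]."""
    labelled = ((classify_path(p), p) for p in paths)
    return [(label, p) for label, p in labelled if label]


def scan_run_values(run_values):
    """run_values: {value_name: data} as read from the Run/RunServices keys."""
    return sorted(n for n in run_values if n.lower() in RUN_VALUE_NAMES)


def walk_tree(root):
    """Scan a real directory tree, for example a mounted disk image."""
    return scan_paths(os.path.join(d, f)
                      for d, _, files in os.walk(root) for f in files)


# Constructed sample data, not taken from a real machine.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS", r"C:\My Documents\PICT.JPG.VBS",
    r"C:\My Documents\holiday.jpg", r"C:\scripts\backup.vbs",
]
SAMPLE_RUN = {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
              "SystemTray": "SysTray.Exe"}
```

Existing script files (*.VBS, *.JS and the other types listed above) that were
overwritten keep an ordinary-looking name, so they need a content comparison
against a known-good copy rather than a name match.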

