Subject: Re: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)
From: Jason Wicker (Jason.WickerFUNDAMENTALSOFTWARE.COM)
Date: Thu May 04 2000 - 11:30:18 CDT


It does not run off of the preview pane. You have to run the .vbs to infect.

-----Original Message-----
From: Sunder [mailto:sunderSUNDER.NET]
Sent: Thursday, May 04, 2000 10:13 AM
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)

This thing just hit us. It sends messages like this:

Subject: ILOVEYOU

kindly check the attached LOVELETTER coming from me.

And the attachment.

I've not attached it here for obvious reasons, but if you wish to analyze it,
email me privately for a copy.

The comments are:

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispydermail.com / GRAMMERSoft Group / Manila,Philippines

It does several nasty things from the looks of it. I'm not a VB programmer, so
my analysis might be flawed.

It creates MSKernel32.vbs and Win32DLL.vbs files in your system (I presume with
copies of itself.)

It changes the default IE startup page to one of several user web sites off
http://www.skyinet.net and attempts to download a binary called WIN-BUGSFIX.exe
and then once downloaded, sets it up to run via a registry entry, and resets
the IE start page to "about:blank."

It also seems to do something with your hard drive, and checks for WinFAT32.dll
to see if the FAT32 file system is installed. It might be infecting other
files, or it might be collecting a list of files, I'm unsure - again, I'm not a
VB guy. :)

It seems to be specifically targeting other VBS, VBE, JS (JavaScript), CSS
(???), WSH (Win Shell???), sct, and hta files. It also seems to look for jpg,
mp3, mp2 files. Likely it does something with these.

It then looks for mIRC (also mlink32.exe???), and if it finds it, it modifies
the mIRC script.ini file to attempt to DCC itself to users in IRC.

From the non-Unix guys, I've heard that if you have Previews enabled in
Outlook, when you preview this email, the virus will run and infect your
machine.

--
----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
--------_sunder__sunder_._net_------- http://www.sunder.net ------------

_____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
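As an added example (not part of either message above and not anyone's production filter), a mail-gateway triage check built only from the indicators quoted in the post: the subject line, the body sentence, the `rem barok` comment marker and the script file types it lists. The sender addresses, the attachment name `note.txt.vbs` and the helper names `triage` and `sample` are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the post above; all other values are constructed.
SUBJECT = "ILOVEYOU"
BODY_LINE = "kindly check the attached LOVELETTER coming from me."
SCRIPT_MARKER = "barok -loveletter(vbe)"
# Script types named in the post, treated here as risky attachment types.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsh", ".sct", ".hta")


def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the post's description."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().upper() == SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        text = (part.get_payload(decode=True) or b"").decode("latin-1").lower()
        if not name and BODY_LINE.lower() in text:
            reasons.append("body-text")
        if name.endswith(SCRIPT_EXTS):  # also catches double extensions
            reasons.append("script-attachment:" + name)
        if name and SCRIPT_MARKER in text:
            reasons.append("marker-in-attachment")
    return reasons


def sample(subject, body, attach_name=None, attach_text=""):
    """Build a constructed test message (hypothetical helper)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_text.encode(), maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    worm = sample(SUBJECT, BODY_LINE, "note.txt.vbs",
                  "rem barok -loveletter(vbe) <i hate go to school>\n")
    print(triage(worm))
    print(triage(sample("Lunch", "See you at noon.", "menu.pdf", "x")))
```
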
