Subject: Re: Outlook/IE VBasic Script virus (love letters)
From: Benjamin Leidner (BLeidner@GASPRA.COM)
Date: Thu May 04 2000 - 11:34:32 CDT


More info can be found at the following URL (per the CERT advisory):

http://www.europe.f-secure.com/v-descs/love.htm

Benjamin Leidner - Gaspra Technologies
Senior Network Engineer
MCSE, CNE, A+

> -----Original Message-----
> From: Sunder [mailto:sunder@SUNDER.NET]
> Sent: Thursday, May 04, 2000 12:13 PM
> To: win2ksecadvice@LISTSERV.NTSECURITY.NET
> Subject: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)
>
>
> This thing just hit us. It sends messages like this:
>
> Subject: ILOVEYOU
>
> kindly check the attached LOVELETTER coming from me.
>
> And the attachment.
>
> I've not attached it here for obvious reasons, but if you wish to analyze it, email me privately for a copy.
>
> The comments are:
>
> rem barok -loveletter(vbe) <i hate go to school>
> rem by: spyder / ispydermail.com / GRAMMERSoft Group / Manila,Philippines
>
>
> It does several nasty things from the looks of it. I'm not a VB programmer, so my analysis might be flawed.
>
> It creates MSKernel32.vbs and Win32DLL.vbs files in your system (I presume with copies of itself.)
>
> It changes the default IE startup page to one of several user web sites off http://www.skyinet.net and attempts to download a binary called WIN-BUGSFIX.exe and then once downloaded, sets it up to run via a registry entry, and resets the IE start page to "about:blank."
>
> It also seems to do something with your hard drive, and checks for WinFAT32.dll to see if the FAT32 file system is installed. It might be infecting other files, or it might be collecting a list of files, I'm unsure - again, I'm not a VB guy. :)
>
> It seems to be specifically targeting other VBS, VBE, JS (JavaScript), CSS (???), WSH (Win Shell???), sct, and hta files. It also seems to look for jpg, mp3, mp2 files. Likely it does something with these.
>
> It then looks for mIRC (also mlink32.exe???), and if it finds it, it modifies the mIRC script.ini file to attempt to DCC itself to users in IRC.
>
> From the non-Unix guys, I've heard that if you have Previews enabled in Outlook, when you preview this email, the virus will run and infect your machine.
>
> --
> ----------------------Kaos-Keraunos-Kybernetos---------------------------
>  + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
>   \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
> <--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
>   /|\  :masked killer, but  |don't email them, or put them on a web  \|/
>  + v + :will violate privacy|site, and you must change them very often.
> --------_sunder__sunder_._net_------- http://www.sunder.net ------------
>

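As an added defender-side example (not from the post or the list), the following Python script checks a host for the artefacts Sunder's message describes: the dropped MSKernel32.vbs and Win32DLL.vbs copies, a Run-key entry for the downloaded WIN-BUGSFIX.exe, an IE start page pointing at skyinet.net, and an automatic DCC send written into mIRC's script.ini. The file paths, registry export and script.ini text are constructed samples, and the registry value name WIN-BUGSFIX and the DCC file name LOVELETTER.vbs are assumptions, not details from the post.

```python
import re

# Artefacts named in the post: the dropped copies and the downloaded binary.
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs"}
DOWNLOADED_BINARY = "win-bugsfix.exe"
IE_HOST = "skyinet.net"
# Matches "/dcc send <nick> <file>" in a mIRC script line.
DCC_RE = re.compile(r"/dcc\s+send\s+\S+\s+(\S+)", re.IGNORECASE)

# Constructed sample inputs standing in for a directory listing, a .reg export
# and mIRC's script.ini; the value name WIN-BUGSFIX is assumed, not from the post.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\Win32DLL.vbs",
                r"C:\WINDOWS\notepad.exe"]
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WIN-BUGSFIX"="C:\\WINDOWS\\SYSTEM\\WIN-BUGSFIX.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/~sample/"
"""
SAMPLE_INI = """[script]
n0=on 1:JOIN:#:{
n1=  /dcc send $nick LOVELETTER.vbs
n2=}
"""

def check_files(paths):
    """Return the paths whose file name matches a dropped copy or the binary."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_FILES or name == DOWNLOADED_BINARY:
            hits.append(path)
    return hits

def check_registry(reg_text):
    """Flag a Run entry for the binary and an IE start page on the named host."""
    findings = []
    for line in reg_text.splitlines():
        low = line.lower()
        if DOWNLOADED_BINARY in low:
            findings.append("run-key: " + line.strip())
        if "start page" in low and IE_HOST in low:
            findings.append("ie-start-page: " + line.strip())
    return findings

def check_mirc_script(ini_text):
    """Return the file names sent by automatic DCC lines in script.ini."""
    return [m.group(1) for m in map(DCC_RE.search, ini_text.splitlines()) if m]
```

On a real host, feed check_files a recursive listing of the Windows directory, check_registry the output of a registry export, and check_mirc_script the contents of the mIRC install's script.ini.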
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net