Subject: Re: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)
From: Craig Lett (clett ISERV.NET)
Date: Thu May 04 2000 - 11:46:18 CDT
- Next message: Ken Williams: "Re: Outlook/IE VBasic Script virus also affects IRC!!! (love lett ers)"
- Previous message: Benjamin Leidner: "Re: Outlook/IE VBasic Script virus (love letters)"
- In reply to: Sunder: "Outlook/IE VBasic Script virus also affects IRC!!! (love letters)"
- Reply: Craig Lett: "Re: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)"
VBS-Love Letter.A Worm
Love Letter is a Visual Basic Script (VBS) based e-mail worm. It arrives as
an attachment of an e-mail with the subject line:
ILOVEYOU
The e-mail body reads:
kindly check the attached LOVELETTER coming from me.
And the e-mail has an attachment called:
LOVE-LETTER-FOR-YOU.TXT.vbs
Depending on the system configuration the extension .VBS might be displayed
or not displayed.
If you receive an e-mail that fits the above description do not open the
attachment. Delete the e-mail right away.
The worm spreads itself by generating an e-mail like the one described above,
attaching itself and sending that e-mail to all recipients in all Outlook
address books. In big organizations the volume of e-mail generated has the
potential to overload e-mail servers.
The worm will spread targeting Windows 98, Windows 2000 by default and
Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is
installed. The worm will copy itself to multiple subdirectories using
different names:
In the Windows directory the name is Win32DLL.vbs, in the Windows system
directory the names are MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs.
The worm modifies the registry information to make itself run during next
boot-up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=
C:\WINDOWS\SYSTEM\MSKernel32.vbs
Also it sets the default page of Internet Explorer to download a copy of
WIN_BUGFIX.exe, which appears to be a backdoor server. The actual location
of the files on the Web is currently shut down.
It searches through all the subdirectories and overwrites all files with the
extensions JPG, VBS, JS, JSE, CSS, WSH, SCT, HTA, MP3, MP2 with its own copy,
adding the extension VBS. A file called Satisfaction.MP3 would become
Satisfaction.MP3.VBS. Next time the affected file is clicked or activated
the worm will start.
If the Internet Relay Chat (IRC) client is present in the system the worm
will generate an HTML file to send itself over the IRC channels.
InoculateIT signature update 11.16 detects all components of the
VBS/LoveLetter.A worm. To clean an infected system all detected files have
to be deleted and the registry key mentioned above has to be removed. Make
sure that VBS is in your list of file types to scan.
For more Virus info:
http://www.ca.com/virusinfo/virusalert.htm
-----Original Message-----
From: Sunder [mailto:sunder SUNDER.NET]
Sent: Thursday, May 04, 2000 12:13 PM
To: win2ksecadvice LISTSERV.NTSECURITY.NET
Subject: Outlook/IE VBasic Script virus also affects IRC!!! (love letters)
This thing just hit us. It sends messages like this:
Subject: ILOVEYOU
kindly check the attached LOVELETTER coming from me.
And the attachment.
I've not attached it here for obvious reasons, but if you wish to analyze it,
email me privately for a copy.
The comments are:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder mail.com / GRAMMERSoft Group / Manila,Philippines
It does several nasty things from the looks of it. I'm not a VB programmer, so
my analysis might be flawed.
It creates MSKernel32.vbs and Win32DLL.vbs files in your system (I presume with
copies of itself.)
It changes the default IE startup page to one of several user web sites off
http://www.skyinet.net and attempts to download a binary called WIN-BUGSFIX.exe
and then once downloaded, sets it up to run via a registry entry, and resets
the IE start page to "about:blank."
It also seems to do something with your hard drive, and checks for WinFAT32.dll
to see if the FAT32 file system is installed. It might be infecting other
files, or it might be collecting a list of files, I'm unsure - again, I'm not a
VB guy. :)
It seems to be specifically targeting other VBS, VBE, JS (JavaScript), CSS
(???), WSH (Win Shell???), sct, and hta files. It also seems to look for jpg,
mp3, mp2 files. Likely it does something with these.
It then looks for mIRC (also mlink32.exe???), and if it finds it, it modifies
the mIRC script.ini file to attempt to DCC itself to users in IRC.
From the non-Unix guys, I've heard that if you have Previews enabled in
Outlook, when you preview this email, the virus will run and infect your
machine.
--
----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security. A  |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
--------_sunder__sunder_._net_------- http://www.sunder.net ------------
_____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv
listserv.ntsecurity.net
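
The following is an added example, not part of the original messages or the vendor advisory: a filename triage over the indicators the advisory lists (the three dropped copies, the overwrite-and-append-.VBS pattern, and the Run-key value), plus the name a user sees when the final extension is hidden. Function names and the sample listing are constructed for illustration; it assumes you already have a file listing and an export of the Run key's values.

```python
"""Filename triage for the VBS/LoveLetter.A indicators listed in the advisory."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Copies the advisory says the worm writes to the Windows and system directories.
DROPPED_NAMES = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs"}
# Extensions the advisory lists as overwritten, after which ".vbs" is appended.
OVERWRITTEN_EXTS = {".jpg", ".vbs", ".js", ".jse", ".css", ".wsh", ".sct",
                    ".hta", ".mp3", ".mp2"}

def displayed_name(filename: str) -> str:
    """What a user sees if the shell hides the final extension (assumed on)."""
    return PureWindowsPath(filename).stem

def classify(path: str) -> Optional[str]:
    """Return 'dropped-copy', 'overwritten-file' or None for one path."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    if p.name.lower() in DROPPED_NAMES:
        return "dropped-copy"
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in OVERWRITTEN_EXTS:
        return "overwritten-file"
    return None

def triage(paths: List[str]) -> Dict[str, str]:
    """Map every flagged path in a file listing to its verdict."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v}

def flag_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose data points at a dropped copy."""
    return [name for name, data in run_values.items()
            if PureWindowsPath(data.strip('"')).name.lower() in DROPPED_NAMES]

# Constructed sample data, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs",
    r"C:\Music\Satisfaction.MP3.VBS",
    r"C:\Music\Satisfaction.MP3",
    r"C:\Scripts\backup.vbs",
]
SAMPLE_RUN = {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
              "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LISTING).items():
        print(f"{verdict:17} {path}")
    print("Run values to remove:", flag_run_entries(SAMPLE_RUN))
    print("Shown to the user as:", displayed_name("LOVE-LETTER-FOR-YOU.TXT.vbs"))
```

Files flagged as overwritten no longer contain their original data, so they are restored from backup rather than renamed.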