Subject: Re: Outlook/IE VBasic Script virus (love letters)
From: Aaron Michal (amichalWYSDOM.COM)
Date: Thu May 04 2000 - 16:01:01 CDT


I wrote the following cleaner when one of our offices got hit with this.
Perhaps it will help others. No warranties stated or implied etc. It's
basically just the code for the original virus with all the operations
reversed.

-Aaron Michal

'I-LOVE-YOU Virus cleaner. Author: amichalwysdom.com 4/06/2000, v1
'Every step below is best-effort: a missing file or registry value must
'not abort the rest of the sweep.
On Error Resume Next

dim fso,dirsystem,dirwin,dirtemp,eq
eq=""
Set fso = CreateObject("Scripting.FileSystemObject")

main()
sub main()
        On Error Resume Next
        MsgBox "I-LOVE-YOU Virus cleaner. Author: amichalwysdom.com 4/06/2000, v1."

        dim wscr,rr
        set wscr=CreateObject("WScript.Shell")

        'Same as the virus does: if a WSH script timeout is configured, clear it
        'so the sweep is not cut off. The value is removed again at the end.
        rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
        if (rr>=1) then
                wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
        end if

        Set dirwin = fso.GetSpecialFolder(0)
        Set dirsystem = fso.GetSpecialFolder(1)
        Set dirtemp = fso.GetSpecialFolder(2)

        MsgBox "Deleting Virus Files."
        'remove the copies the virus drops into the Windows and System folders
        fso.DeleteFile(dirsystem&"\MSKernel32.vbs")
        fso.DeleteFile(dirwin&"\Win32DLL.vbs")
        fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")

        MsgBox "Deleting Infected Registry Key."
        cleanregentries()

        'MsgBox "Deleting Infected Script files."
        'search for and delete infected files
        'Do this if the infection doesn't go away: it will delete ALL .vbs
        '(and other script) files on every local drive.
        'Don't do this for now because I'm too lazy to write something to
        'check each file to see if it's infected.
        'listadriv()

        'restore this to the default
        wscr.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout"
        MsgBox "Done."
end sub

sub cleanregentries()
        On Error Resume Next
        Dim downread
        'autostart entries that relaunch the dropped copies at boot
        regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
        regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
        'the downloaded WIN-BUGSFIX.exe lands in the IE download directory
        downread=""
        downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
        if (downread="") then
                downread="c:\"
        end if
        'fileexist returns 0 when the file is present
        if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
                fso.DeleteFile downread & "\WIN-BUGSFIX.exe"
                regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
        end if
        'the virus leaves the IE start page at about:blank; removing the
        'value puts the default back
        regdelete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end sub

sub listadriv
  On Error Resume Next
  Dim d,dc
  Set dc = fso.Drives
  For Each d in dc
    'DriveType 2 = fixed disk, 3 = network drive (same set the virus walks)
    If d.DriveType = 2 or d.DriveType=3 Then
      folderlist(d.path&"\")
    end if
  Next
end sub

sub deleteinfectedfiles(folderspec)
        On Error Resume Next
        dim f,f1,fc,ext,s
        set f = fso.GetFolder(folderspec)
        set fc = f.Files
        for each f1 in fc
                ext=fso.GetExtensionName(f1.path)
                ext=lcase(ext)
                s=lcase(f1.name)
                'these are the script types the virus overwrites with copies of itself
                if (ext="vbs") or (ext="vbe") or (ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
                        'perhaps we should check to see if the files are infected before we
                        'start deleting
                        'TODO
                        fso.DeleteFile(f1.path)
                end if
                if (eq<>folderspec) then
                        'we'll just get lazy here and wipe this one: any folder that looks
                        'like an mIRC install gets its script.ini removed, once per folder
                        if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
                                fso.DeleteFile(folderspec&"\script.ini")
                                eq=folderspec
                        end if
                end if
        next
end sub

sub folderlist(folderspec)
  On Error Resume Next
  dim f,f1,sf
  set f = fso.GetFolder(folderspec)
  set sf = f.SubFolders
  for each f1 in sf
    deleteinfectedfiles(f1.path)
    folderlist(f1.path)
  next
end sub

sub regdelete(regkey,regvalue)
  'WScript.Shell.RegDelete takes a single argument (the key or value path);
  'passing two raised an error that On Error Resume Next silently swallowed,
  'so nothing was deleted. regvalue is the data the virus wrote and is kept
  'only to document what is being undone.
  Dim regedit
  Set regedit = CreateObject("WScript.Shell")
  regedit.RegDelete regkey
end sub

function regget(value)
  'returns "" when the value does not exist instead of raising an error
  On Error Resume Next
  Dim regedit
  regget=""
  Set regedit = CreateObject("WScript.Shell")
  regget=regedit.RegRead(value)
end function

function fileexist(filespec)
  On Error Resume Next
  dim msg
  'convention inherited from the virus code: 0 = present, 1 = missing
  if (fso.FileExists(filespec)) Then
    msg = 0
  else
    msg = 1
  end if
  fileexist = msg
end function

function folderexist(folderspec)
  On Error Resume Next
  dim msg
  'same convention as fileexist: 0 = present, 1 = missing
  if (fso.FolderExists(folderspec)) then
    msg = 0
  else
    msg = 1
  end if
  folderexist = msg
end function

-----Original Message-----
From: Benjamin Leidner [mailto:BLeidnerGASPRA.COM]
Sent: Thursday, May 04, 2000 12:35 PM
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Re: Outlook/IE VBasic Script virus (love letters)

More info can be found at the following URL (per the CERT advisory):

http://www.europe.f-secure.com/v-descs/love.htm

Benjamin Leidner - Gaspra Technologies
Senior Network Engineer
MCSE, CNE, A+

> -----Original Message-----
> From: Sunder [mailto:sunderSUNDER.NET]
> Sent: Thursday, May 04, 2000 12:13 PM
> To: win2ksecadviceLISTSERV.NTSECURITY.NET
> Subject: Outlook/IE VBasic Script virus also affects IRC!!! (love
> letters)
>
>
> This thing just hit us. It sends messages like this:
>
> Subject: ILOVEYOU
>
> kindly check the attached LOVELETTER coming from me.
>
> And the attachment.
>
> I've not attached it here for obvious reasons, but if you wish to analyze it,
> email me privately for a copy.
>
> The comments are:
>
> rem barok -loveletter(vbe) <i hate go to school>
> rem by: spyder / ispydermail.com / GRAMMERSoft Group / Manila,Philippines
>
> It does several nasty things from the looks of it. I'm not a VB programmer, so
> my analysis might be flawed.
>
> It creates MSKernel32.vbs and Win32DLL.vbs files in your system (I presume with
> copies of itself.)
>
> It changes the default IE startup page to one of several user web sites off
> http://www.skyinet.net and attempts to download a binary called WIN-BUGSFIX.exe
> and then once downloaded, sets it up to run via a registry entry, and resets
> the IE start page to "about:blank."
>
> It also seems to do something with your hard drive, and checks for WinFAT32.dll
> to see if the FAT32 file system is installed. It might be infecting other
> files, or it might be collecting a list of files, I'm unsure - again, I'm not a
> VB guy. :)
>
> It seems to be specifically targeting other VBS, VBE, JS (JavaScript), CSS
> (???), WSH (Win Shell???), sct, and hta files. It also seems to look for jpg,
> mp3, mp2 files. Likely it does something with these.
>
> It then looks for mIRC (also mlink32.exe???), and if it finds it, it modifies
> the mIRC script.ini file to attempt to DCC itself to users in IRC.
>
> From the non-Unix guys, I've heard that if you have Previews enabled in
> Outlook, when you preview this email, the virus will run and infect your
> machine.
>
> --
> Kaos-Keraunos-Kybernetos
> Surveillance cameras aren't security. A camera won't stop a masked killer,
> but will violate privacy.
> Passwords are like underwear. You don't share them, you don't hang them on
> your monitor, or under your keyboard, you don't email them, or put them on a
> web site, and you must change them very often.
> http://www.sunder.net
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
>
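
Aaron's sweep over every .vbs/.js file above stays commented out because it cannot tell an infected script from a clean one, and Sunder's post lists what the virus writes. As an added example, not Aaron's code or anything from the thread, this Python scanner flags only script files whose content carries the dropper's own strings quoted in the thread and reports them instead of deleting; the marker list is my assumption and the sample tree is constructed for the demo.

```python
"""Content-based scan for LOVE-LETTER script copies (added example)."""
import os
import tempfile
from pathlib import Path
from typing import List

# Script types the thread reports the virus overwriting (Aaron's disabled sweep deletes all of these).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}

# Strings from the dropper's own source as quoted in the thread (its header
# comment, the copies and binary it drops). Assumption: a script file carrying
# one of them is a copy of the dropper. Matched case-insensitively.
MARKERS = (b"barok -loveletter(vbe)", b"mskernel32.vbs",
           b"win32dll.vbs", b"win-bugsfix")


def is_infected(content: bytes) -> bool:
    """True if the file content carries any LOVE-LETTER marker."""
    lowered = content.lower()
    return any(m in lowered for m in MARKERS)


def scan_tree(root: str) -> List[str]:
    """Return script files under root that look infected, sorted.
    Nothing is deleted: report first, then quarantine or restore, so a
    clean login.js is never wiped along with the copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCRIPT_EXTS:
                continue
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable: skip rather than abort the sweep
            if is_infected(data):
                hits.append(str(path))
    return sorted(hits)


def make_sample_tree() -> str:
    """Constructed sample (not real malware): one dropper copy, two clean
    scripts, and a text note that mentions the virus but is not a script."""
    root = Path(tempfile.mkdtemp(prefix="loveletter-scan-"))
    (root / "Windows").mkdir()
    (root / "Windows" / "LOVE-LETTER-FOR-YOU.TXT.vbs").write_bytes(
        b"rem barok -loveletter(vbe) <i hate go to school>\r\nOn Error Resume Next\r\n")
    (root / "login.js").write_bytes(b"document.title = 'ok';\n")
    (root / "style.css").write_bytes(b"body { color: black }\n")
    (root / "notes.txt").write_bytes(b"MSKernel32.vbs was found on PC7\n")
    return str(root)
```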
