TECHNET Archives

May 2000

TechNet@IPC.ORG

From: Matthias Mansfeld <[log in to unmask]>
Date: Thu, 4 May 2000 19:55:57 +0200

Sorry, the first one I posted was not so much informative. Let me try
again.

If it is interesting for people who got hit by this worm and need
to disinfect their computers manually:

I got this detailed description of what it does and where it makes
changes from the NTBUGTRAQ mailing list. I hope this is not too much
off-topic but can help somebody.

It seems that older systems with Win 3.x cannot be infected...
(hopefully)

------- Forwarded Message Follows -------
Date:          Thu, 4 May 2000 09:56:18 -0700
Reply-to:      [log in to unmask]
From:          Elias Levy <[log in to unmask]>
Subject:       [BUGTRAQ] ILOVEYOU worm
X-To:          [log in to unmask]
To:            [log in to unmask]

A new VB worm is on the loose. This would normally not be bugtraq
material as it exploits no new flaws but it has spread enough that it
warrants some coverage. This is a quick and dirty analysis of what it
does.

The worm spreads via email as an attachment and via IRC as a DCC
download.

The first thing the worm does when executed is save itself to three
different locations. Under the system directory as MSKernel32.vbs and
LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
Win32DLL.vbs.

It then creates a number of registry entries to execute these programs
when the machine restarts. These entries are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

It will also modify Internet Explorer's start page to point to a web
page that downloads a binary called WIN-BUGSFIX.exe. It randomly
selects between four different URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I've not been able to obtain a copy of the binary to figure out what it
does. This does mean the worm has a dynamic component that may change
its behavior any time the binary is changed and a new one downloaded.

The worm then changes a number of registry keys to run the downloaded
binary and to clean up after itself.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
        about:blank

The worm then creates an HTML file that helps it spread,
LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.

The worm then spreads to all addresses in the Windows Address Book by
sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
email starts:

 kindly check the attached LOVELETTER coming from me.

Then the virus searches for attached drives looking for files with
certain extensions. It overwrites files ending with vbs, and vbe. It
overwrites files ending with js, jse, css, wsh, sct, and hta, and then
renames them to end with vbs. It overwrites files ending with jpg and
jpeg and appends .vbs to their name. It finds files with the name mp3
and mp3, creates vbs files with the same name and sets the hidden
attribute in the original mp* files.

Then it looks for the mIRC Windows IRC client and overwrites the
script.ini file if found. It modifies this file so that it will DCC
the LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
client is in.

You can find the source of the worm at:

http://www.securityfocus.com/templates/archive.pike?list=82&msg=391184[log in to unmask]&part=.1

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
-----------------------------------------------
Matthias Mansfeld Elektronik
* Leiterplattenlayout, Bestueckung
Am Langhoelzl 11, 85540 Haar; Tel.: 089/4620 093-7, Fax: -8
Internet: http://www.mansfeld-elektronik.de
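For anyone doing the manual clean-up the post describes, here is an added example (not code from the post, the list or SecurityFocus) that turns Elias Levy's list of artefacts into an offline triage: it flags the Run/RunServices keys and the start page value he names in a registry export, and sorts a file listing into worm copies, files the worm destroyed (jpg/jpeg, overwritten with .vbs appended) and files that are only hidden and can be restored (mp3, with a .vbs twin). Key paths, file names and the sample inventory are constructed from the post; nothing is read from a live machine.

```python
import ntpath

# Added example: names exactly as the forwarded post describes them.
DROPPED = {"mskernel32.vbs", "love-letter-for-you.txt.vbs", "win32dll.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\mskernel32",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices\win32dll",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\win-bugsfix",
}
START_PAGE = r"hkey_current_user\software\microsoft\internet explorer\main\start page"
DESTROYED_TWIN = {"jpg", "jpeg"}  # original overwritten, ".vbs" appended: unrecoverable
HIDDEN_TWIN = {"mp3"}             # .vbs twin created, original only hidden: recoverable

def flag_registry(entries):
    """Return suspicious keys from a {key_path: value} export (case-insensitive)."""
    hits = []
    for key, value in entries.items():
        k = key.lower()
        if k in RUN_KEYS:
            hits.append(key)
        elif k == START_PAGE and str(value).lower().endswith("/win-bugsfix.exe"):
            hits.append(key)  # start page still points at the dropper download
    return sorted(hits)

def triage_files(paths):
    """Sort a post-infection listing into worm copies, lost files and restorable files."""
    report = {"worm_copies": [], "destroyed": [], "recoverable": []}
    for p in paths:
        name = ntpath.basename(p).lower()
        if name in DROPPED:
            report["worm_copies"].append(p)
        elif name.endswith(".vbs"):
            # "photo.jpg.vbs" -> ["photo", "jpg"]; a plain "x.vbs" carries no twin hint
            stem = name[:-4].rsplit(".", 1)
            if len(stem) == 2 and stem[1] in DESTROYED_TWIN:
                report["destroyed"].append(p)
            elif len(stem) == 2 and stem[1] in HIDDEN_TWIN:
                report["recoverable"].append((p, p[:-4]))  # (worm twin, hidden original)
    return report

# Constructed sample input, not data from a real machine.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32": "MSKernel32.vbs",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page": "about:blank",
}
SAMPLE_FILES = [r"C:\WINDOWS\Win32DLL.vbs", r"C:\photos\beach.jpg.vbs",
                r"C:\music\song.mp3.vbs", r"C:\music\song.mp3", r"C:\scripts\login.vbs"]
```

Files the worm renamed from js, jse, css, wsh, sct or hta to .vbs cannot be told apart from genuine scripts by name alone, so those still need a content check.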
