FW: ILOVEYOU worm (fwd)


From: Sean Lewis (seant@geek.com)
Date: Thu May 04 2000 - 10:49:40 PDT


T-shirts we'd like to see: "Uncle Sam sent me to the Persian
Gulf, and all I got was this lousy syndrome!"

>--- Original Message ---
>From: Tom Whore <tomwhore@inetarena.com>
>To: linux-l@q7.com
>Date: 5/4/00 10:17:04 AM
>

>
>
> [---===tomwhore@ []wsmf.org []inetarena.com []slack.net===---]
> WSMF's web site ----http://wsmf.org
>
>---------- Forwarded message ----------
>Date: Thu, 4 May 2000 09:56:18 -0700
>From: Elias Levy <aleph1@securityfocus.com>
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: ILOVEYOU worm
>
>A new VB worm is on the loose. This would normally not be bugtraq
>material as it exploits no new flaws but it has spread enough that it
>warrants some coverage. This is a quick and dirty analysis of what it does.
>
>The worm spreads via email as an attachment and via IRC as a DCC download.
>
>The first thing the worm does when executed is save itself to three
>different locations. Under the system directory as MSKernel32.vbs and
>LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
>Win32DLL.vbs.
>
>It then creates a number of registry entries to execute these programs
>when the machine restarts. These entries are:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>
>It will also modify Internet Explorer's start page to point to a web page
>that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
>four different URLs:
>
>http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
>http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
>http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
>http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
>
>I've not been able to obtain a copy of the binary to figure out what it does.
>This does mean the worm has a dynamic component that may change its
>behavior any time the binary is changed and a new one downloaded.
>
>The worm then changes a number of registry keys to run the downloaded binary
>and to clean up after itself.
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
> about:blank
>
>The worm then creates an HTML file that helps it spread,
>LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.
>
>The worm then spreads to all addresses in the Windows Address Book by
>sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
>email starts:
>
> kindly check the attached LOVELETTER coming from me.
>
>Then the virus searches for attached drives looking for files with
>certain extensions. It overwrites files ending with vbs, and vbe.
>It overwrites files ending with js, jse, css, wsh, sct, and hta, and
>then renames them to end with vbs. It overwrites files ending with jpg
>and jpeg and appends .vbs to their name. It finds files with the name
>mp3 and mp3, creates vbs files with the same name and sets the hidden
>attribute in the original mp* files.
>
>Then it looks for the mIRC windows IRC client and overwrites the script.ini
>file if found. It modifies this file so that it will DCC the
>LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
>client is in.
>
>You can find the source of the worm at:
>
>http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1
>
>--
>Elias Levy
>SecurityFocus.com
>http://www.securityfocus.com/
>Si vis pacem, para bellum
>
>
>
------
Geek.com WebBox - http://www.geek.com
A free service provided by WebBox - http://webbox.com
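A small host triage helper built from the indicators in the forwarded analysis, added here as an example; it is not part of the original message or of Elias Levy's analysis. It assumes the caller has already exported the Run/RunServices values, the IE start page, a file listing and mIRC's script.ini; the sample input is constructed, and treating the mp3 case as "song.mp3.vbs beside a hidden song.mp3" is our reading of "creates vbs files with the same name".

```python
import os
from typing import Dict, List

# Indicators taken from the analysis above (lowercased so matching is case-insensitive)
DROPPED_FILES = {"mskernel32.vbs", "love-letter-for-you.txt.vbs",
                 "win32dll.vbs", "love-letter-for-you.htm"}
AUTORUN_VALUES = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\mskernel32",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices\win32dll",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\win-bugsfix",
}
PAYLOAD_NAME = "win-bugsfix.exe"
DCC_FILE = "love-letter-for-you.htm"

def triage_host(run_entries: Dict[str, str], start_page: str,
                paths: List[str], script_ini: str = "") -> Dict[str, List[str]]:
    """Match autorun values, the IE start page, a file listing and mIRC's
    script.ini against the ILOVEYOU indicators; one finding list per category."""
    found: Dict[str, List[str]] = {
        k: [] for k in ("autorun", "downloader", "dropped", "damaged", "mirc")}
    for key, cmd in run_entries.items():
        if key.lower() in AUTORUN_VALUES:
            found["autorun"].append(f"{key} -> {cmd}")
    if start_page.lower().endswith(PAYLOAD_NAME):  # start page fetches the binary
        found["downloader"].append(start_page)
    names = {os.path.basename(p.replace("\\", "/")).lower() for p in paths}
    for n in sorted(names):
        if n in DROPPED_FILES:
            found["dropped"].append(n)
        elif n.endswith((".jpg.vbs", ".jpeg.vbs")):  # image overwritten, .vbs appended
            found["damaged"].append(f"{n} (overwritten image)")
        elif n.endswith(".mp3.vbs"):  # .vbs copy created, original hidden (our reading)
            found["damaged"].append(f"{n} (copy beside hidden {n[:-4]})")
    for line in script_ini.splitlines():  # script.ini rewritten to DCC the HTM file
        if DCC_FILE in line.lower() and "dcc" in line.lower():
            found["mirc"].append(line.strip())
    return found

if __name__ == "__main__":
    # Constructed sample input, not data from a real host
    report = triage_host(
        {r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32":
         r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"},
        "http://www.skyinet.net/~young1s/PLACEHOLDER-PATH/WIN-BUGSFIX.exe",
        [r"C:\WINDOWS\Win32DLL.vbs", r"C:\Photos\beach.jpg.vbs",
         r"C:\Music\song.mp3", r"C:\Music\song.mp3.vbs", r"C:\Docs\notes.txt"],
        "[script]\nn0=on 1:JOIN:#:/dcc send $nick C:\\LOVE-LETTER-FOR-YOU.HTM\n")
    for category, hits in report.items():
        print(category, hits)
```

Files overwritten in place (vbs, vbe) or renamed from js/jse/css/wsh/sct/hta cannot be told apart by name alone, so those need a content check or a backup comparison.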



This archive was generated by hypermail 2b29 : Thu May 04 2000 - 10:51:14 PDT