From: Sean Lewis (firstname.lastname@example.org)
Date: Thu May 04 2000 - 10:49:40 PDT
T-shirts we'd like to see: "Uncle Sam sent me to the Persian
Gulf, and all I got was this lousy syndrome!"
>--- Original Message ---
>From: Tom Whore <email@example.com>
>Date: 5/4/00 10:17:04 AM
> [---===tomwhore@ wsmf.org inetarena.com slack.net===---]
> WSMF's web site ----http://wsmf.org
>---------- Forwarded message ----------
>Date: Thu, 4 May 2000 09:56:18 -0700
>From: Elias Levy <firstname.lastname@example.org>
>Subject: ILOVEYOU worm
>A new VB worm is on the loose. This would normally not be bugtraq
>material as it exploits no new flaws but it has spread enough
>warrants some coverage. This is a quick and dirty analysis of
what it does.
>The worm spreads via email as an attachments and via IRC as
a DCC download.
>The first thing the worm does when executed is save itself to
>different locations. Under the system directory as MSKernel32.vbs
>LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory
>It then creates a number of registry entries to execute these
>when the machine restarts. These entries are:
>It will also modify Internet Explorer's start page to point
to a web page
>that downloads a binary called WIN-BUGSFIX.exe. It randomly
>four different URLs:
>I've not been able to obtain copy of the binary to figure out
what it does.
>This does mean the worm has a dynamic components that may change
>behavior any time the binary is changed and a new one downloaded.
>The worm then changes a number of registry keys to run the downloaded
>and to clean up after itself.
>The worm then creates an HTML file that helps it spread,
>LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on
>The worm then spreads to all addresses in the Windows Address
>sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment.
> kindly check the attached LOVELETTER coming from me.
>Then the virus searches for attached drives looking for files
>certain extensions. It overwrites files ending with vbs, and
>It overwrites files ending with js, jse, css, wsh, sct, and
>then renames them to end with vbs. It overwrites files ending
>and jpeg and appends .vbs to their name. It finds files with
>mp3 and mp3, creates vbs files with the same name and sets the
>attribute in the original mp* files.
>The it looks for the mIRC windows IRC client and overwrites
>file if found. It modifies this file to that it will DCC the
>LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel
>client is in.
>You can find the source of the worm at:
>Si vis pacem, para bellum
Geek.com WebBox - http://www.geek.com
A free service provided by WebBox - http://webbox.com
This archive was generated by hypermail 2b29 : Thu May 04 2000 - 10:51:14 PDT