FW: ILOVEYOU worm (fwd)

From: Sean Lewis (seant@geek.com)
Date: Thu May 04 2000 - 10:49:40 PDT

T-shirts we'd like to see: "Uncle Sam sent me to the Persian
Gulf, and all I got was this lousy syndrome!"

--- Original Message ---
From: Tom Whore <tomwhore@inetarena.com>
To: linux-l@q7.com
Date: 5/4/00 10:17:04 AM

> [---===tomwhore@ []wsmf.org []inetarena.com []slack.net===---]
> WSMF's web site ----http://wsmf.org
> ---------- Forwarded message ----------
> Date: Thu, 4 May 2000 09:56:18 -0700
> From: Elias Levy <aleph1@securityfocus.com>
> Subject: ILOVEYOU worm
>
> A new VB worm is on the loose. This would normally not be bugtraq
> material as it exploits no new flaws, but it has spread enough that it
> warrants some coverage. This is a quick and dirty analysis of what it does.
>
> The worm spreads via email as an attachment and via IRC as a DCC download.
>
> The first thing the worm does when executed is save itself to
> different locations. Under the system directory as MSKernel32.vbs and
> LOVE-LETTER-FOR-YOU.TXT.vbs, and under the windows directory
>
> It then creates a number of registry entries to execute these
> when the machine restarts. These entries are:
>
> It will also modify Internet Explorer's start page to point to a web page
> that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
> four different URLs:
>
> I've not been able to obtain a copy of the binary to figure out what it does.
> This does mean the worm has a dynamic component that may change
> behavior any time the binary is changed and a new one downloaded.
>
> The worm then changes a number of registry keys to run the downloaded binary
> and to clean up after itself.
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
>   about:blank
>
> The worm then creates an HTML file that helps it spread,
> LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on
>
> The worm then spreads to all addresses in the Windows Address Book by
> sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
> email starts:
>
>   kindly check the attached LOVELETTER coming from me.
>
> Then the virus searches for attached drives looking for files with
> certain extensions. It overwrites files ending with vbs, and
> It overwrites files ending with js, jse, css, wsh, sct, and hta, and
> then renames them to end with vbs. It overwrites files ending with jpg
> and jpeg and appends .vbs to their name. It finds files with the name
> mp3 and mp3, creates vbs files with the same name and sets the
> attribute in the original mp* files.
>
> Then it looks for the mIRC windows IRC client and overwrites the script.ini
> file if found. It modifies this file so that it will DCC the
> LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
> client is in.
>
> You can find the source of the worm at:
>
> Elias Levy
> Si vis pacem, para bellum
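Added example, not code from the bugtraq post or from anyone on the list: a small Python indicator scan for the filesystem side effects the analysis above describes (the dropped copies, the ".vbs" appended to jpg/jpeg names, the .vbs twin next to mp3 files, the rewritten mIRC script.ini), together with the double-extension check that the LOVE-LETTER-FOR-YOU.TXT.vbs attachment name calls for. It encodes only what the post states; the sample directory tree it builds, including the script.ini line, is constructed for the demonstration and contains no worm code.

```python
"""
Indicator scan for the filesystem side effects described in the post above.

Added example, not code from the bugtraq post. It encodes only what the post
states: the dropped copies MSKernel32.vbs, LOVE-LETTER-FOR-YOU.TXT.vbs and
LOVE-LETTER-FOR-YOU.HTM; ".vbs" appended to jpg/jpeg names; a same-named
.vbs twin beside mp3 files; a mIRC script.ini rewritten to DCC the HTM file.
The tree built by build_sample_tree() is constructed for the demo.
"""
import os
import shutil
import tempfile

# Names the worm saves itself under (compared case-insensitively, as on Windows).
DROPPED_NAMES = {
    "mskernel32.vbs",
    "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm",
}
# Image files keep their name and get ".vbs" appended.
APPENDED_VBS = (".jpg.vbs", ".jpeg.vbs")
# Media files get a .vbs file of the same base name beside them.
TWINNED_EXT = (".mp3",)
# A rewritten mIRC script.ini has to name the HTM file it sends.
IRC_MARKER = "love-letter-for-you.htm"
# Script extensions the post lists; a script hidden behind another extension
# (name.TXT.vbs) is the delivery trick used in the mail.
SCRIPT_EXTS = {"vbs", "js", "jse", "wsh", "sct", "hta"}


def suspicious_attachment(filename):
    """True for a known dropped name or a double-extension script attachment."""
    low = filename.lower()
    if low in DROPPED_NAMES:
        return True
    parts = low.split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS


def scan_tree(root):
    """Walk root and return (reason, path) pairs for every artifact found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}  # siblings, for the mp3 twin check
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low in DROPPED_NAMES:
                findings.append(("dropped worm copy", path))
            elif low.endswith(APPENDED_VBS):
                findings.append(("image renamed with .vbs appended", path))
            elif low.endswith(".vbs"):
                stem = low[: -len(".vbs")]
                if any(stem + ext in present for ext in TWINNED_EXT):
                    findings.append(("vbs twin of a media file", path))
            elif low == "script.ini":
                with open(path, "r", errors="replace") as fh:
                    if IRC_MARKER in fh.read().lower():
                        findings.append(("mIRC script.ini rewritten to DCC the worm", path))
    return sorted(findings)


def build_sample_tree():
    """Create a temp directory of constructed files mimicking an infected box."""
    root = tempfile.mkdtemp(prefix="lovescan-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("WINDOWS/SYSTEM/MSKernel32.vbs", b"' constructed stand-in, not the worm\r\n")
    put("WINDOWS/SYSTEM/LOVE-LETTER-FOR-YOU.TXT.vbs", b"' constructed stand-in\r\n")
    put("Photos/holiday.jpg.vbs", b"' constructed stand-in\r\n")
    put("Music/song.mp3", b"ID3")
    put("Music/song.vbs", b"' constructed stand-in\r\n")
    put("Music/other.vbs", b"' unrelated script, no media twin\r\n")
    # Constructed script.ini line in the shape the post describes (DCC on join).
    put("mirc/script.ini", b"[script]\nn0=on 1:JOIN:#:{ /dcc send $nick LOVE-LETTER-FOR-YOU.HTM }\n")
    put("mirc/mirc.ini", b"[mirc]\nnick=user\n")
    put("Docs/notes.txt", b"clean file\n")
    return root


def scan_sample():
    """Build the constructed tree, scan it, tidy up, return (reason, filename) pairs."""
    root = build_sample_tree()
    try:
        return sorted((reason, os.path.basename(path)) for reason, path in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason, filename in scan_sample():
        print(f"{reason}: {filename}")
```

Point scan_tree() at a drive root on a suspect machine instead of the sample tree. Note what the scan cannot see: the js, jse, css, wsh, sct and hta files are overwritten and then renamed, so after infection they are indistinguishable by name from any other .vbs file; telling them apart needs a content check against the worm's own script, which the post does not reproduce.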
