Virus Name:
Date Added: 5/4/2000
Discovery Date: | 4/4/2000 |
---|---|
Origin: | Phillipines |
Type: | Virus |
SubType: | VbScript |
Risk Assessment: | High-Outbreak |
Minimum Dat: | 4077 |
Minimum Engine: | 4.0.35 |
This worm is a VBS program that is sent attached to an email with the subject ILOVEYOU. The mail caontains the message "kindly check the attached LOVELETTER coming from me."
The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
When the worm is first run it drops copies of itself in the following places:
It also adds the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ Win32DLL=C:\WINDOWS\Win32DLL.vbs
in order to run the worm at system startup.
The worm replaces the following files:
with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.
The worm also overwrites the following files:
with copies of itself and renames the files to *.VBS.
The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI with the following script:
[script] n0=on 1:JOIN:#:{ n1= /if ( $nick == $me ) { halt } n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM n3=}
After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.
This worm also has onother trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH
In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.
Symptoms
VirusScan 4.0.3+
Toolkit 8
Method Of Infection
VirusScan 4.0.3+
Toolkit 8
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
Note: It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS
mode or use an emergency boot diskette and use the command line scanner such
as "SCANPM C: /CLEAN /ALL"
DAT not yet available: In the event you have this virus, trojan or Internet worm on your system(s) and the specified DAT is not yet available, refer to the documentation posted for submitting a sample to McAfee AVERT for resolution.
Source: http://www.nai.com/
Last updated: 19 June 2000