PPRuNe Forums - View Single Post - Warning - "ILoveYou" Emails
Old 4th May 2000 | 20:10
VelvetStrokes

I have just spent 4 hours eradicating the virus, and it keeps coming. It really is serious. It sent 540 emails in only a few minutes. It also sent one back to my email box for every one sent, plus the ones it put in my sent box. BASTARDS

It destroyed my Office links, my Outlook mail box was shot to hell. I also spent time re-establishing my internet and intranet access. At the moment, I am still dealing with the surface implications, god knows what other problems I face.


The only way to stop was to switch off and crash the machine. Exiting Outlook failed to stop the sending. Certainly, I wasn't expecting it and only opened the email, not the attachment. The mails came from apparently trusted colleagues, and those I've sent it to will feel the same.

"VBS_Loveletter" Worm
04 May 2000
Virus Control

Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well. The LoveLetter worm is a VBS script that propagates itself using Microsoft Outlook and mIRC.

Description:

Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file “LOVE-LETTER-FOR-YOU.TXT.vbs” to all email addresses listed in the address list. It also propagates using mIRC by modifying the “script.ini.” After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

The message that it sends will be as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Infection:

Once executed, this virus drops the following files:
<root>windows\Win32DLL.vbs
<root>windows\system\MSKernel32.vbs
<root>windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

It also modifies the following registry entries so that the virus is run each time Windows starts up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
<root>windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
<root>windows\Win32DLL.vbs

Payload:

It searches for a file named WinFAT32.exe in the <root>windows\system folder. If the file exists, then it modifies Internet Explorer’s startup page with one of the following sites:
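The attachment name in the advisory above, LOVE-LETTER-FOR-YOU.TXT.vbs, hides a script behind a harmless-looking ".TXT". The following mail-filter check is an added example, not part of the original post or the advisory; it generalizes from that one filename to any decoy-plus-executable extension pair, and the extension sets, function names and example.com addresses are assumptions chosen for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative, not exhaustive: extensions Windows runs as scripts or programs.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                   "exe", "scr", "pif", "bat", "cmd", "com"}
# Harmless-looking extensions commonly used as a decoy before the real one.
DECOY_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "gif"}


def flag_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment a gateway should hold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Windows ignores trailing dots and spaces, so drop them before splitting.
        pieces = name.rstrip(". ").lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTS:
            continue
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
            # e.g. NAME.TXT.vbs: shown as NAME.TXT when extensions are hidden.
            findings.append((name, "double-extension"))
        else:
            findings.append((name, "script"))
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"   # constructed address
    m["To"] = "me@example.com"            # constructed address
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder, not script content",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs")
    for name, reason in flag_attachments(sample):
        print(f"hold: {name} ({reason})")
```

Matching on the attachment name rather than the subject line keeps the check useful when the subject text is changed.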