WARNING - VIRUS ALERT No.44
Date: Thursday, 4th. May 2000 15:24:28 GMT
Brief Description
VBS/LoveLetter.worm arrives via an email message with the subject line "ILOVEYOU".
The text reads "kindly check the attached LOVELETTER coming from me." The worm is included in the attachment, called "LOVE-LETTER-FOR-YOU.TXT.vbs".
This worm attempts to send copies of itself through mIRC to the IRC channels and through Outlook to all address book entries.
VBS/LoveLetter.worm also attempts to download and install an executable file called WIN-BUGSFIX.EXE, a password stealing program that will email any cached passwords it finds to the mail address: MAILME@SUPER.NET.PH.
Detailed Description
VBS/LoveLetter is a VBScript worm. It is spread through email as a chain letter.
The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well.
When it is executed, it first copies itself to the Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to the Windows directory as:
- Win32DLL.vbs
Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Then the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, with the result that the program will be executed when the system is restarted.
After that, the worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.
Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more.
The virus then searches for certain file types in all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either a "vbs" or "vbe" extension.
For the files with the following extensions: ".js", ".jse", ".css", ".wsh", ".sct" and ".hta", the virus will create a new file with the same name, but using the extension ".vbs". The original file will be deleted.
Next the virus locates files with the extensions ".jpg", ".jpeg", ".mp3" or ".mp2", adds a new file next to each one and deletes the original file. For example, a picture named "joe.jpg" will cause a new file called "joe.jpg.vbs" to be created.
LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the virus is of Philippine origin; however, this is not certain yet. At the beginning of the code, the virus contains the following text:
rem barok -loveletter(vbe) <i hate go to school>
rem by spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
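The file-system indicators described above can be checked with a short triage script. This is an added example, not part of the original alert: the function names are hypothetical, it assumes the quoted "barok -loveletter" comment sits within the first 4 KB of an infected script, and it does not inspect the registry keys.

```python
import os

# Indicators taken from the alert text; names are matched case-insensitively.
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs",
    "love-letter-for-you.txt.vbs", "love-letter-for-you.htm",
}
# File types the alert says are replaced by "<name>.<ext>.vbs" copies.
REPLACED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Comment at the start of the worm's code, as quoted in the alert.
MARKER = b"barok -loveletter"


def classify(path):
    """Return the list of reasons why `path` matches the alert, or []."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        reasons.append("dropped-file-name")
    stem, ext = os.path.splitext(name)
    if ext == ".vbs" and os.path.splitext(stem)[1] in REPLACED_EXTS:
        reasons.append("media-double-extension")  # e.g. joe.jpg.vbs
    if ext in (".vbs", ".vbe"):
        try:
            with open(path, "rb") as fh:
                head = fh.read(4096).lower()  # assumption: marker is near the top
        except OSError:
            head = b""  # unreadable file: no content verdict
        if MARKER in head:
            reasons.append("marker-text")
    return reasons


def scan(root):
    """Walk `root` and return {path: reasons} for every matching file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                hits[full] = reasons
    return hits


if __name__ == "__main__":
    import sys
    for path, why in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(why))
```

A "marker-text" hit on an ordinary script name means the file was overwritten and must be restored from backup, since the original content is gone.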
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
040500/010700/250101/261201/110904/041004