The ILOVEYOU virus is an email attachment written in Visual Basic and cleverly disguised as a love letter; who wouldn't want to receive a love letter, after all? The attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs. When opened, it wreaked havoc throughout the computer by overwriting files or hiding them across the system, and on machines running Microsoft Outlook it mailed a copy of itself to everyone in the address book.
The Love Bug infects files with the following extensions: "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3" and "mp2". Except for "mp3" and "mp2" files, the virus overwrites the whole file with its own code, so the original content is destroyed.
For "vbs" and "vbe" files, the virus does not change the host filename.
For "js", "jse", "css", "wsh", "sct" and "hta" files, it changes the filename to "<File Basename>.vbs" (for example, MyStyleSheetFile.css is renamed to MyStyleSheetFile.vbs).
For "jpg" and "jpeg" files, it changes the filename to "<Filename>.vbs" (for example, MyJPEGFile.jpg is renamed to MyJPEGFile.jpg.vbs).
For "mp3" and "mp2" files, it sets the hidden and system attributes on the original audio file and writes a copy of itself named "<Filename>.vbs" (for example, for MyMP3File.mp3 the virus creates a copy of itself called MyMP3File.mp3.vbs). Because the original audio data is left in place, all "mp2" and "mp3" files can be recovered from an infected system.
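The renaming rules above determine what an incident responder can still get back: image hosts are gone, audio hosts are merely hidden, and hosts that were overwritten in place or renamed to a plain .vbs keep no trace of their old name. The following script is an added example, not code from the original page. It applies those rules to a directory tree, lists the recoverable audio files together with the attrib commands that would un-hide them, and flags any further .vbs/.vbe file whose bytes are identical to a confirmed worm copy (every copy is the same code, so content identity finds the renamed and in-place-overwritten hosts; that matching step is this example's own approach, not something the page describes). The sample tree built by build_sample_tree() is constructed for the demonstration.

```python
"""Triage of the on-disk footprint left by the file-infection rules above.

Added example (not code from the original page). The sample tree built by
build_sample_tree() is constructed for the demo; the hash-matching step that
finds hosts with no tell-tale name is this example's own addition.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Image hosts are overwritten and renamed to <Filename>.vbs: the picture is lost.
IMAGE_EXTS = {".jpg", ".jpeg"}
# Audio hosts keep their bytes, are set hidden+system, and get a <Filename>.vbs twin.
AUDIO_EXTS = {".mp3", ".mp2"}
# Components the worm drops under \windows and \windows\system.
DROPPED_NAMES = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs"}


@dataclass
class TriageReport:
    suspect_vbs: list = field(default_factory=list)        # worm copies to quarantine
    destroyed_images: list = field(default_factory=list)   # originals that no longer exist
    recoverable_audio: list = field(default_factory=list)  # hidden mp3/mp2 still on disk
    attrib_commands: list = field(default_factory=list)    # attrib lines to un-hide them


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage_tree(root):
    report = TriageReport()
    anchor_hashes = set()   # hashes of high-confidence worm copies
    other_scripts = []      # .vbs/.vbe files without a tell-tale name

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith((".vbs", ".vbe")):
                continue
            path = os.path.join(dirpath, name)
            inner_ext = os.path.splitext(lower[:-4])[1]   # extension hiding under .vbs
            if lower in DROPPED_NAMES or inner_ext in IMAGE_EXTS | AUDIO_EXTS:
                report.suspect_vbs.append(path)
                anchor_hashes.add(_sha256(path))
                original = path[:-4]
                if inner_ext in IMAGE_EXTS:
                    report.destroyed_images.append(original)
                elif inner_ext in AUDIO_EXTS and os.path.exists(original):
                    report.recoverable_audio.append(original)
                    # Windows command that clears the hidden/system attributes the
                    # worm set; generated here rather than executed.
                    report.attrib_commands.append(f'attrib -h -s "{original}"')
            else:
                other_scripts.append(path)

    # Hosts that were .vbs/.vbe (overwritten in place) or .js/.css/... (renamed
    # to <Basename>.vbs) look like ordinary scripts by name, but every worm copy
    # is the same bytes, so content identity with a confirmed copy identifies them.
    for path in other_scripts:
        if _sha256(path) in anchor_hashes:
            report.suspect_vbs.append(path)
    return report


def build_sample_tree(root):
    """Constructed sample: the footprint the rules above leave behind."""
    worm = b"' constructed stand-in for the worm body\r\n"
    layout = {
        "Win32DLL.vbs": worm,                   # dropped component
        "MyJPEGFile.jpg.vbs": worm,             # image host: renamed and overwritten
        "MyMP3File.mp3.vbs": worm,              # audio twin ...
        "MyMP3File.mp3": b"ID3 constructed audio bytes",  # ... original still present
        "MyStyleSheetFile.vbs": worm,           # was MyStyleSheetFile.css
        "logon_script.vbs": b'WScript.Echo "unrelated script"\r\n',  # must not be flagged
    }
    for name, data in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, triage it, return basenames per category."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    report = triage_tree(root)
    return {
        "suspect_vbs": sorted(os.path.basename(p) for p in report.suspect_vbs),
        "destroyed_images": sorted(os.path.basename(p) for p in report.destroyed_images),
        "recoverable_audio": sorted(os.path.basename(p) for p in report.recoverable_audio),
        "attrib_commands": report.attrib_commands,
    }


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

Run against a real image of an infected drive, triage_tree() should be pointed at the volume root; the generated attrib lines are meant to be reviewed before they are run, and the hash match only works when at least one double-extension twin or dropped component is present to serve as the reference copy.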
Once executed, the virus drops the following files:
\windows\Win32DLL.vbs
\system\MSKernel32.vbs
\system\LOVE-LETTER-FOR-YOU.TXT.vbs
\system\LOVE-LETTER-FOR-YOU.HTM
It also adds the following registry entries so that the virus runs at each Windows start-up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = :\windows\system\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = :\windows\Win32DLL.vbs
It searches for a file named WinFAT32.exe in the :\Windows\system folder. If the file does not exist, it changes Internet Explorer's start page to one of the following sites:
http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
It also searches the system for a file called WIN-BUGSFIX.exe (the same check as for WinFAT32.exe). Before searching for the file, the virus first checks whether the Download Directory value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ contains anything. If it does, the virus looks for WIN-BUGSFIX.EXE at the path given in Download Directory; if the value is empty, it looks for WIN-BUGSFIX.EXE at C:\. VBS_LOVELETTER then sets Internet Explorer's start page to "about:blank".
It also sets the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to <download directory>\WIN-BUGSFIX.exe if Download Directory contains a value, or to C:\WIN-BUGSFIX.EXE if it does not.
The file WIN-BUGSFIX.EXE is in fact a password-stealing Trojan.
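The Run, RunServices and WIN-BUGSFIX entries described above are the durable indicators on a suspect machine, and they are usually reviewed from a Registry Editor export rather than on the live box. The script below is an added example, not code from the original page: it parses the string values of a .reg export and reports the entries the text describes, checking the WIN-BUGSFIX path against the Download Directory rule. It assumes the Start Page value lives under ...\Internet Explorer\Main (the standard location; the page only says "Internet Explorer's startup page"), and SAMPLE_EXPORT is a constructed export with a "C:" drive letter filled in for the demo.

```python
"""Check a .reg export for the start-up entries described above.

Added example (not code from the original page): a small parser for the
string values in a Registry Editor export, plus a check for the Run,
RunServices, Download Directory and WIN-BUGSFIX values the text describes.
The Start Page location under ...\Internet Explorer\Main is assumed;
SAMPLE_EXPORT is constructed for the demo.
"""
import re

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
IE_ROOT_KEY = r"hkey_current_user\software\microsoft\internet explorer"
IE_MAIN_KEY = IE_ROOT_KEY + r"\main"   # assumed home of the "Start Page" value


def _unescape(s):
    # .reg files escape backslash and double quote inside string data.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values.

    Non-string data (dword:, hex:) is kept as typed; keys and value names are
    lower-cased because the registry compares them case-insensitively.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name.lower()] = data
    return keys


def find_loveletter_persistence(keys):
    """Return (indicator, data) pairs matching the footprint described above."""
    findings = []
    run = keys.get(RUN_KEY, {})
    runservices = keys.get(RUNSERVICES_KEY, {})
    ie_root = keys.get(IE_ROOT_KEY, {})
    ie_main = keys.get(IE_MAIN_KEY, {})

    data = run.get("mskernel32", "")
    if data.lower().endswith("\\mskernel32.vbs"):
        findings.append(("Run\\MSKernel32", data))

    data = runservices.get("win32dll", "")
    if data.lower().endswith("\\win32dll.vbs"):
        findings.append(("RunServices\\Win32DLL", data))

    data = run.get("win-bugsfix", "")
    if data:
        # Per the text: <Download Directory>\WIN-BUGSFIX.exe when that IE value
        # is set, otherwise C:\WIN-BUGSFIX.EXE. Anything else is still reported,
        # just marked as not matching the described behaviour.
        download_dir = ie_root.get("download directory") or "C:"
        expected = download_dir.rstrip("\\") + "\\WIN-BUGSFIX.EXE"
        tag = "Run\\WIN-BUGSFIX" if data.lower() == expected.lower() else "Run\\WIN-BUGSFIX (unexpected path)"
        findings.append((tag, data))

    data = ie_main.get("start page", "")
    if "win-bugsfix.exe" in data.lower():
        findings.append(("IE Start Page", data))
    # "about:blank" on its own is a common legitimate setting, so it is not
    # reported; the Run/RunServices entries above are the reliable indicators.
    return findings


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WIN-BUGSFIX.EXE"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def demo_findings():
    return find_loveletter_persistence(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for indicator, data in demo_findings():
        print(f"{indicator}: {data}")
```

A real export produced by regedit is UTF-16 with a byte-order mark, so read it with that encoding before passing the text to parse_reg_export(); the unrelated VendorTray entry in the sample shows that only the named values are reported, not every start-up item.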