Virus Central - The Place for Virus Info
Virus Profile - VBS/LoveLetter.A Worm

VBS/LoveLetter.A is a Visual Basic Script (VBS) based e-mail worm. It arrives as an attachment to an e-mail with the subject line (all uppercase, no blanks):

ILOVEYOU

The e-mail body reads:

kindly check the attached LOVELETTER coming from me.

The e-mail has an attachment called:

LOVE-LETTER-FOR-YOU.TXT.vbs

Depending on the system configuration, the .VBS extension may or may not be displayed. If you receive an e-mail that fits the above description, do not open the attachment. Delete the e-mail right away.

The worm spreads by generating an e-mail like the one described above, attaching itself, and sending that e-mail to all recipients in all Outlook address books. In big organizations the volume of e-mail generated has the potential to overload e-mail servers.

The worm targets Windows 98 and Windows 2000 by default, and Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is installed.

The worm copies itself to multiple subdirectories under different names: in the Windows directory the name is Win32DLL.vbs; in the Windows system directory the names are MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs.

The worm modifies the registry to make itself run at the next boot-up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

It also sets the default page of Internet Explorer to download a copy of WIN_BUGFIX.exe, which appears to be a backdoor server. The Web locations of the files are currently shut down. To prevent the download of the executable in case that site comes back up, Computer Associates recommends blocking the following URLs in the proxy configuration if possible:

http://www.skyinet.net/~young1s
http://www.skyinet.net/~angelcat
http://www.skyinet.net/~koichi
http://www.skyinet.net/~chu

The executable is renamed and installed to run on start-up as well:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=C:\WINDOWS\SYSTEM\WinFAT32

The worm searches through all subdirectories and overwrites all files with the extensions JPG, VBS, JS, JSE, CSS, WSH, SCT, HTA, MP3 and MP2 with a copy of itself, adding the extension VBS to non-VBS files. A file called Satisfaction.MP3 would become Satisfaction.MP3.VBS. The next time the affected file is clicked or activated, the worm will start.

If an Internet Relay Chat (IRC) client is present on the system, the worm generates an HTML file to send itself over the IRC channels.

InoculateIT signature update 11.16 detects all components of the VBS/LoveLetter.A worm. To guarantee protection, make sure that VBS files are included in the list of files to scan.

To clean an infected system, all detected files have to be deleted and the registry keys mentioned above have to be removed. To remove the registry keys automatically, click http://www.cai.com/virusinfo/encyclopedia/descriptions/reg/loveletter.reg

VBS/LoveLetter.Variant

VBS/LoveLetter.Variant is a generic detection for minor variants of the original VBS/LoveLetter.Worm series of infections. "Mother's Day" is one such popular variant detected as VBS/LoveLetter.Variant. The subject used by the Mother's Day variant is "Mothers Day Order Confirmation" instead of the original "ILOVEYOU" subject line. The name of the attachment is mothersday.vbs instead of LOVE-LETTER-FOR-YOU.TXT.vbs. The HTML file sent through IRC is called "mothersday.HTM" instead of LOVE-LETTER-FOR-YOU.HTM. The four URLs have also changed:

"http://www.hackers.com"
"http://www.l0pht.com"
"http://www.2600.com"
"http://www.hackers.com"

Instead of overwriting .JPG and .JPEG files, this variant is set to overwrite .INI and .BAT files, which results in more severe damage to the infected system. This variant will not download the file WIN_BUGFIX.exe, which is confirmed to be a password-stealing trojan.
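A host sweep built from the file names and overwrite behaviour described above, as an added example that is not part of the original profile or any vendor tool. It goes slightly beyond name matching: because the worm overwrites files with its own copy, it also flags any .vbs file whose content is byte-identical to a name-flagged file (an assumption about exact copies); the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names from the profile above, lower-cased for comparison.
DROPPED = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "mothersday.vbs", "mothersday.htm",
           "win_bugfix.exe"}
# Types renamed to <name>.<ext>.VBS; INI and BAT are the Mother's Day targets.
OVERWRITTEN = {"jpg", "jpeg", "js", "jse", "css", "wsh", "sct", "hta",
               "mp3", "mp2", "ini", "bat"}

def name_reason(filename):
    """Return why a file name is suspect, or None."""
    lower = filename.lower()
    if lower in DROPPED:
        return "dropped-file name"
    parts = lower.split(".")
    if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in OVERWRITTEN:
        return "overwritten " + parts[-2].upper() + " file"
    return None

def sweep(root):
    """Return {relative_path: reason} for suspect files under root."""
    hits, digests = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reason = name_reason(name)
            if reason:
                hits[rel] = reason
            if name.lower().endswith(".vbs"):
                with open(path, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    # A .vbs file overwritten in place keeps its ordinary name, so match it by
    # content against the files already flagged by name.
    flagged = {digests[r] for r in hits if r in digests}
    for rel, digest in digests.items():
        if rel not in hits and digest in flagged:
            hits[rel] = "same content as a flagged file"
    return hits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for name, body in [("MSKernel32.vbs", b"rem placeholder A"),
                           ("Satisfaction.MP3.VBS", b"rem placeholder A"),
                           ("logon.vbs", b"rem placeholder A"),
                           ("backup.vbs", b"rem unrelated script")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for rel, reason in sorted(sweep(root).items()):
            print(rel, "->", reason)
```

Files reported only by name still need the registry values listed earlier checked and removed; the sweep covers the file system side only.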

SUBJECT: "ILOVEYOU"
MESSAGE: "kindly check the attached LOVELETTER coming from me."
ATTACHMENT: "LOVE-LETTER-FOR-YOU.TXT.vbs"

SUBJECT: "Virus ALERT!!!"
MESSAGE: A long message that pretends to be information from Symantec Corp. about VBS/LoveLetter.worm
ATTACHMENT: "protect.vbs"

SUBJECT: "Dangerous Virus Warning"
MESSAGE: "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it."
ATTACHMENT: "virus_warning.jpg.vbs"

SUBJECT: "Joke"
MESSAGE: NONE
ATTACHMENT: "VeryFunny.vbs"

SUBJECT: "Important ! Read carefully !!"
MESSAGE: "Checked the attached IMPORTANT coming from me !"
ATTACHMENT: "IMPORTANT.TXT.vbs"

SUBJECT: "Mothers Day Order Confirmation"
MESSAGE: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day!"
ATTACHMENT: "mothersday.vbs"

SUBJECT: "Susitikim shi vakara kavos puodukui..."
MESSAGE: "kindly check the attached LOVELETTER coming from me."
ATTACHMENT: "LOVE-LETTER-FOR-YOU.TXT.VBS"
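A mail-gateway triage check over the subject lines and attachment names listed above, as an added example that is not part of the original profile. The function names, verdict labels and sample addresses are assumptions, and the attachment in the constructed sample is an inert placeholder.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment names listed above, lower-cased.
SUBJECTS = {"iloveyou", "virus alert!!!", "dangerous virus warning", "joke",
            "important ! read carefully !!", "mothers day order confirmation",
            "susitikim shi vakara kavos puodukui..."}
ATTACHMENTS = {"love-letter-for-you.txt.vbs", "protect.vbs",
               "virus_warning.jpg.vbs", "veryfunny.vbs", "important.txt.vbs",
               "mothersday.vbs"}

def triage(raw):
    """Return (verdict, reasons) for a raw message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in SUBJECTS:
        reasons.append("known subject")
    vbs = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            reasons.append("known attachment name: " + name)
        if name.endswith(".vbs"):
            vbs = True
            # The client may hide the final extension, so x.jpg.vbs shows as x.jpg.
            kind = "double-extension" if name.count(".") >= 2 else "plain"
            reasons.append(kind + " .vbs attachment: " + name)
    # A subject alone ("Joke") is weak evidence; the .vbs attachment is what runs.
    if vbs:
        return "quarantine", reasons
    return ("review" if reasons else "pass"), reasons

def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is an inert placeholder."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", subject
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    if filename:
        msg.add_attachment(b"rem placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs")))
    print(triage(build_sample("Joke")))
```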

 

 

  © TekWarrior.com, To protect and inform the public. All rights Reserved