1 Analysis of the LOVE-LETTER-FOR-YOU virus/worm 16th November 2009, 6:27 pm
ogre
Moderator
Analysis of the LOVE-LETTER-FOR-YOU virus/worm
------------------------------------------------------------------------------------------------
The virus/worm hit Belgium and the rest of the world on Thursday 15/04/2000. A lot of important
companies were struck including banks, factories and my dads work .That's where I got the
little bugger. The virus/worm is a big vbscript that spreads by email (smells like Melissa )
and infects every script on your computer.
Lifecycle
------------------------------------------------------------------------------------------------
All starts by opening an attachment on an email, then the script starts.
It copies itself into:
$windir/Win32DLL.vbs ($windir = c:\windows on most windows systems)
$systemdir/MSKernel32.vbs ($systemdir = c:\windows\system)
$windir/LOVE-LETTER-FOR-YOU.TXT.vbs
Next it adds those files in the registry so they auto-start on boot.
After that it changes the default page of internet explorer, that way it downloads an executable
from a site when IE opens. If the file has already been downloaded it also adds that into the
registry and changes the default page to "about:blank".
Then it starts sending emails with the script attached to all the people in your addresslist
Finally the big mess starts, the virus scans every harddisk and networkdisk for extentions:
Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg
All files found are overwritten by the virus and when mp2's or mp3's are found it copies itself
to a vbs script in the same directory. And when mIRC is found a small mIRC script is created
which sends an html page, which tries to infect you using IE, to every user that joins a channel
you're in.
executable
------------------------------------------------------------------------------------------------
It cracks the share passwords and sends those + ipaddr by email to the creator of this virus
(I couldn't get this program because the server was shutdown, thanks to G0Dfarter for checking it)
Disinfection
------------------------------------------------------------------------------------------------
Open regedit and start deleting the malicious entries
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\MSKernel32
HKEY_HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServer\Win32DLL
HKEY_HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\WIN_BUGSFIX
Search for WIN-BUGSFIX.exe and remove it.
Remove $dirsystem\LOVE-LETTER-FOR-YOU.HTM
Check files with extensions: Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg and check for
infection, if so delete them (and replace them with the original).
If you have mIRC is installed remove the script.ini file.
Remove all the emails, maybe warn the people in your addresslist so they don't open the attachment.
Prevention
------------------------------------------------------------------------------------------------
There is only 1 rule in these cases: do NOT open suspicious files
The number one cause why this virus is so affective is that in windows everything is linked.
You can control your entire computer from a simple wordmacro (and worst).
The best thing to do is turn off all sorts of scripting in windows (if possible).
Lamagra [You must be registered and logged in to see this link.]
Member of b0f/buffer0verfl0w security [You must be registered and logged in to see this link.]
------------------------------------------------------------------------------------------------
The virus/worm hit Belgium and the rest of the world on Thursday 15/04/2000. A lot of important
companies were struck including banks, factories and my dads work .That's where I got the
little bugger. The virus/worm is a big vbscript that spreads by email (smells like Melissa )
and infects every script on your computer.
Lifecycle
------------------------------------------------------------------------------------------------
All starts by opening an attachment on an email, then the script starts.
It copies itself into:
$windir/Win32DLL.vbs ($windir = c:\windows on most windows systems)
$systemdir/MSKernel32.vbs ($systemdir = c:\windows\system)
$windir/LOVE-LETTER-FOR-YOU.TXT.vbs
Next it adds those files in the registry so they auto-start on boot.
After that it changes the default page of internet explorer, that way it downloads an executable
from a site when IE opens. If the file has already been downloaded it also adds that into the
registry and changes the default page to "about:blank".
Then it starts sending emails with the script attached to all the people in your addresslist
Finally the big mess starts, the virus scans every harddisk and networkdisk for extentions:
Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg
All files found are overwritten by the virus and when mp2's or mp3's are found it copies itself
to a vbs script in the same directory. And when mIRC is found a small mIRC script is created
which sends an html page, which tries to infect you using IE, to every user that joins a channel
you're in.
executable
------------------------------------------------------------------------------------------------
It cracks the share passwords and sends those + ipaddr by email to the creator of this virus
(I couldn't get this program because the server was shutdown, thanks to G0Dfarter for checking it)
Disinfection
------------------------------------------------------------------------------------------------
Open regedit and start deleting the malicious entries
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\MSKernel32
HKEY_HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServer\Win32DLL
HKEY_HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\WIN_BUGSFIX
Search for WIN-BUGSFIX.exe and remove it.
Remove $dirsystem\LOVE-LETTER-FOR-YOU.HTM
Check files with extensions: Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg and check for
infection, if so delete them (and replace them with the original).
If you have mIRC is installed remove the script.ini file.
Remove all the emails, maybe warn the people in your addresslist so they don't open the attachment.
Prevention
------------------------------------------------------------------------------------------------
There is only 1 rule in these cases: do NOT open suspicious files
The number one cause why this virus is so affective is that in windows everything is linked.
You can control your entire computer from a simple wordmacro (and worst).
The best thing to do is turn off all sorts of scripting in windows (if possible).
Lamagra [You must be registered and logged in to see this link.]
Member of b0f/buffer0verfl0w security [You must be registered and logged in to see this link.]