Here's a nice breakdown of what it does:
A new VB worm is on the loose. This would normally not be bugtraq
material as it exploits no new flaws but it has spread enough that it
warrants some coverage. This is a quick and dirty analysis of what it
does.

The worm spreads via email as an attachment and via IRC as a DCC
download.

The first thing the worm does when executed is save itself to three
different locations: under the system directory as MSKernel32.vbs and
LOVE-LETTER-FOR-YOU.TXT.vbs, and under the Windows directory as
Win32DLL.vbs.

It then creates a number of registry entries to execute these programs
when the machine restarts. These entries are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

It will also modify Internet Explorer's start page to point to a web
page that downloads a binary called WIN-BUGSFIX.exe. It randomly
selects between four different URLs:


http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I've not been able to obtain a copy of the binary to figure out what it
does. This does mean the worm has a dynamic component that may change
its behavior any time the binary is changed and a new one downloaded.

The worm then changes a number of registry keys to run the downloaded
binary and to clean up after itself.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
        about:blank

The worm then creates an HTML file that helps it spread,
LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.

The worm then spreads to all addresses in the Windows Address Book by
sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
email starts:

        kindly check the attached LOVELETTER coming from me.

Then the virus searches for attached drives looking for files with
certain extensions. It overwrites files ending with vbs, and vbe.
It overwrites files ending with js, jse, css, wsh, sct, and hta, and
then renames them to end with vbs. It overwrites files ending with jpg
and jpeg and appends .vbs to their name. It finds files with the name
mp3 and mp3, creates vbs files with the same name and sets the hidden
attribute in the original mp* files.

Then it looks for the mIRC Windows IRC client and overwrites the
script.ini file if found. It modifies this file so that it will DCC the
LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
client is in.

You can find the source of the worm at:


http://www.securityfocus.com/templates/archive.pike?list=82&[EMAIL PROTECTED]&part=.1



KELLY DEW wrote:
> 
> This virus is in the wild now, and is definitely hitting many folks. I am on
> multiple mailing lists, and the majority of them are reporting hits. We (USPS)
> have been hit, although it is not really widespread in our organization yet.
> There are companies out there that can detect this virus, and there is already a
> minor variant in the wild. Check out the following link for more info. I don't
> know if Sophos has a plug-in for any firewalls though.
> 
> Name: VBS/LoveLet-A
> Aliases: The Love Bug
> Type: Visual Basic Script worm
> Detection: Detected by Sophos Anti-Virus version 3.34 or later. An update (IDE
> file) is available for earlier versions from the Latest virus identities
> section.
> 
> http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
> 
> Kelly Dew
> Sr. Information Systems Specialist
> USPS
> 
> <snip>
> 
> It is VB Script and can be safely viewed with any text editor. The bad thing
> is that this message has no attachments, so it passes through my AV software
> which unfortunately checks every incoming E-mail message, but only if it has
> attachments. Now I am actively looking for an AV package which is parsing the
> text in messages as well.
> 
> Any help or information will be greatly appreciated.
> 
> Best regards.
> 
> Emil Tchomonev
> Senior IT manager
> Alexandra Group
> 1000 Sofia, Bulgaria
> <snip>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

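The following is an added example, not code from the mailing-list post or from any of its authors. It turns the analysis above into a post-infection triage script for a defender: it walks a directory tree and classifies files using the behaviour the post describes (the dropped worm copies, the rewritten mIRC script.ini, the overwritten .jpg/.jpeg files, the copied .mp3 files whose originals are only hidden, and .vbs/.vbe files overwritten in place or renamed from js/jse/css/wsh/sct/hta), and it flags the mail pattern used for spreading (the lure sentence plus a double-extension .TXT.vbs attachment). The sample tree, the sample message and the mIRC script line are constructed here; the label names, the `WORM_MARKER` string (assumed to occur in any copy of the worm because the worm creates a file of that name) and the skipped hidden-attribute check are this example's assumptions, not something the post states.

```python
"""Post-infection triage for the VBS/LoveLetter worm described in the post above."""
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# File names the analysis says the worm drops or generates (matched case-insensitively).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe",
}
# Registry values the analysis lists; recorded for the analyst, not queried here.
REGISTRY_INDICATORS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",
)
# Assumption: a copy of the worm names the file it drops, so this string marks worm bodies.
WORM_MARKER = b"LOVE-LETTER-FOR-YOU"


def _contains(path, marker, limit=1 << 20):
    """True if the first `limit` bytes of the file contain `marker`."""
    with open(path, "rb") as fh:
        return marker in fh.read(limit)


def classify_file(path):
    """Return a triage label for one file, or None if nothing in the analysis matches."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "worm_dropper"
    if name == "script.ini" and _contains(path, WORM_MARKER):
        return "mirc_spread_hook"            # mIRC script rewritten to DCC the .HTM
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] == "vbs":
        inner = parts[-2]
        if inner in ("jpg", "jpeg"):
            return "image_overwritten_original_lost"   # jpg overwritten, .vbs appended
        if inner == "mp3":
            # mp3 files are copied, not overwritten: the original is only hidden.
            # The hidden attribute itself is platform-specific and not checked here.
            original = path[: -len(".vbs")]
            return ("audio_original_hidden_recoverable" if os.path.exists(original)
                    else "audio_original_missing")
    if parts[-1] in ("vbs", "vbe") and _contains(path, WORM_MARKER):
        # Covers vbs/vbe overwritten in place and js/jse/css/wsh/sct/hta renamed to .vbs.
        return "script_overwritten_with_worm"
    return None


def triage_tree(root):
    """Walk `root` and map each matching file (relative, '/'-separated) to its label."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            label = classify_file(full)
            if label:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = label
    return findings


def flag_mail(raw):
    """Return the reasons a raw RFC 822 message matches the worm's spreading pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "kindly check the attached loveletter" in body.get_content().lower():
        reasons.append("lure_text")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        parts = fn.split(".")
        if len(parts) >= 3 and parts[-1] in ("vbs", "vbe"):
            reasons.append("double_extension_script:" + fn)   # e.g. something.TXT.vbs
    return reasons


def build_sample_tree():
    """Constructed sample tree (placeholder contents, not worm code) mimicking the on-disk effects."""
    root = tempfile.mkdtemp(prefix="loveletter_triage_")
    os.mkdir(os.path.join(root, "mirc"))
    worm_copy = b"' placeholder standing in for a worm copy: LOVE-LETTER-FOR-YOU.TXT.vbs"
    samples = {
        "MSKernel32.vbs": worm_copy,
        "photo.jpg.vbs": worm_copy,
        "song.mp3": b"audio placeholder",
        "song.mp3.vbs": worm_copy,
        "old.vbs": worm_copy,
        "clean.vbs": b'MsgBox "hello"',
        "notes.txt": b"unaffected",
        "mirc/script.ini": b"[script]\nn0=on 1:JOIN:#:/dcc send $nick LOVE-LETTER-FOR-YOU.HTM\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def build_sample_mail():
    """Constructed lure message using the sentence and attachment name from the analysis."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder, not worm code", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return m.as_string()


if __name__ == "__main__":
    for path, label in sorted(triage_tree(build_sample_tree()).items()):
        print(f"{label:40} {path}")
    print(flag_mail(build_sample_mail()))
```

Run it as-is to see the classification of the constructed tree; point `triage_tree` at a real drive root (and feed raw messages to `flag_mail`) to triage an actual host. Files labelled `image_overwritten_original_lost` and `script_overwritten_with_worm` need restoring from backup, while `audio_original_hidden_recoverable` files only need the hidden attribute cleared and the `.vbs` copy deleted.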
