Just FYI, from USENET:

>From: [EMAIL PROTECTED] (Fridrik Skulason)
>Subject: Analysis of LoveLetter
>Date: 4 May 2000 12:20:10 -0000
>
>The following analysis is the work of the researchers at Frisk Software
>International, primarily Dr. Vesselin Bontchev and Peter Ferrie.
>
>The worm poses a risk to users that have Windows Scripting Host (including
>Win '98 users, users who have installed IE 5.x in default mode, users who
>have installed WSH specifically, and probably users of Windows 2000).
>
>The worm will only spread from infected machines that have Outlook '98
>or Outlook 2000 installed, but it will damage/overwrite files even if
>Outlook is not in use.
>
>The worm is received either as an e-mail attachment or via IRC. If the
>user does not open (double-click on) the attached file, the worm will not
>run or do any damage.
>
>If it is received via e-mail, the Subject: of the message
>is "ILOVEYOU" and the body of the message says
>
> kindly check the attached LOVELETTER coming from me.
>
>The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs
>(which, if the system is configured not to show the
>extensions of the files, will look like a TXT file to the
>user).
>
>If it is received via IRC, it resides in a file named
>LOVE-LETTER-FOR-YOU.HTM.
>
>When executed, the worm makes copies of itself under
>the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs
>in the Windows System directory and under the name
>Win32DLL.vbs in the Windows directory. Then it modifies
>the Registry, so that the files Win32DLL.vbs and
>MSKernel32.vbs will be executed every time Windows is
>started.
>
>Then the worm modifies the Registry, changing the
>startup page of Internet Explorer, so that when IE
>is started, it will download a file named WIN-BUGSFIX.exe
>from one of 4 possible places on http://www.skyinet.net
>(randomly selected) and the Registry is modified, so
>that this file is executed the next time Windows is
>started.
>
>Then the worm creates an HTML version of itself, in a
>file named LOVE-LETTER-FOR-YOU.HTM in the Windows System
>directory.
>
>Next, the worm starts a copy of Outlook in the
>background (only Outlook 98 or 2000 will work - not
>Outlook 97 or Outlook Express). It examines all Outlook
>Address Books and, if an Outlook Address Book contains
>more addresses than the Windows Address Book, the worm
>mass-mails itself to all addresses in that Outlook
>Address Book. (The worm does NOT mass-mail itself to
>any addresses in the Windows Address Book.)
>
>Finally, the worm examines all directories on all hard
>and network drives. If a file has one of the following
>extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2,
>MP3, JPG or JPEG, the worm overwrites the file with a
>copy of itself. If the extension was not VBS or VBE, the
>worm adds the extension VBS to the name of the file -
>so that, for instance, PICTURE.JPG becomes
>PICTURE.JPG.vbs. In case an MP2 or MP3 file was
>overwritten, the worm also sets its file attribute to
>ReadOnly.
>
>If, during this directory traversal, any of the following
>files is found: mirc32.exe, mlink32.exe, mirc.ini,
>script.ini or mirc.hlp, the worm drops in that directory
>a file named SCRIPT.INI which begins with the comments
>
>;mIRC Script
>; Please dont edit this script... mIRC will corrupt, if mIRC will
> corrupt... WINDOWS will affect and will not run correctly. thanks
>;
>;Khaled Mardam-Bey
>;http://www.mirc.com
>
>This file tries to send the file LOVE-LETTER-FOR-YOU.HTM
>from the Windows System directory via IRC's command /DCC
>to all users joining the IRC channel which the infected
>user is on.
>
>The worm sets or modifies the following Registry keys:
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
>
>The file WIN-BUGSFIX.exe is a Backdoor created in the
>Philippines which collects the network passwords cached
>by Windows and sends them to an attacker's site when the
>infected user connects to the Internet.
>--
>Fridrik Skulason      Frisk Software International      phone: +354-5-617273
>Author of F-PROT      E-mail: [EMAIL PROTECTED]         fax:   +354-5-617274
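The analysis above gives everything needed to triage a host by name alone: the fixed file names the worm drops, the overwrite rule (targeted extension, then ".vbs" appended unless the file was already VBS/VBE), the mIRC file names that trigger the SCRIPT.INI drop and its comment header, and the registry values it sets. The script below is an added example, not part of Fridrik Skulason's post or of the FRISK analysis; it encodes those indicators and applies them to a constructed directory listing and a constructed set of registry values. It also separates two things the analysis describes but that look alike: a file overwritten by the worm (PICTURE.JPG.vbs, whose original name can be recovered by stripping the appended extension) and the lure attachment (a benign inner extension such as .TXT behind .vbs, which the overwrite pass never produces). The WIN-BUGSFIX.exe URL path in the sample registry data is a placeholder, since the analysis names only the host.

```python
"""Triage helpers for the LoveLetter indicators quoted above (added example).
Indicator names come from the analysis; all sample inputs are constructed."""
import posixpath

# Extensions the worm overwrites with a copy of itself.  Unless the extension
# is VBS or VBE, ".vbs" is appended (PICTURE.JPG -> PICTURE.JPG.vbs).
OVERWRITE_EXTS = {"vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta",
                  "mp2", "mp3", "jpg", "jpeg"}
KEEP_NAME_EXTS = {"vbs", "vbe"}
# Fixed names the worm drops in the Windows / Windows System directories.
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# mIRC files that trigger the SCRIPT.INI drop, and the header that file starts with.
MIRC_MARKERS = {"mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", "mirc.hlp"}
SCRIPT_INI_HEADER = (";mIRC Script", "; Please dont edit this script")
# Registry values listed in the analysis.
AUTORUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",
}
IE_START_PAGE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"


def classify(name):
    """Return (kind, original_name_or_None) for one file name.
    kinds: 'dropped' (fixed worm file), 'overwritten' (<orig>.<ext>.vbs from the
    overwrite pass), 'masquerade' (benign inner extension hidden behind .vbs/.vbe,
    the lure's trick), 'in_place' (bare .vbs/.vbe; may be overwritten, name alone
    cannot tell), or 'clean'."""
    base = posixpath.basename(name.replace("\\", "/"))
    if base.lower() in DROPPED_FILES:
        return "dropped", None
    exts = [p.lower() for p in base.split(".")[1:]]
    if not exts or exts[-1] not in KEEP_NAME_EXTS:
        return "clean", None
    if len(exts) >= 2:
        # Only the overwrite pass yields <name>.<targeted ext>.vbs.
        if exts[-1] == "vbs" and exts[-2] in OVERWRITE_EXTS - KEEP_NAME_EXTS:
            return "overwritten", base[:-len(".vbs")]
        return "masquerade", None
    return "in_place", None


def scan_listing(paths):
    """Triage a listing (mixed / and \\).  Also reports directories where
    SCRIPT.INI sits beside another mIRC file, i.e. the DCC spreader's drop site."""
    findings = {"dropped": [], "overwritten": [], "masquerade": [], "in_place": []}
    by_dir = {}
    for p in paths:
        d, base = posixpath.split(p.replace("\\", "/"))
        by_dir.setdefault(d, set()).add(base.lower())
        kind, original = classify(base)
        if kind == "overwritten":
            findings[kind].append((p, original))
        elif kind != "clean":
            findings[kind].append(p)
    findings["mirc_script_ini"] = sorted(
        d for d, names in by_dir.items()
        if "script.ini" in names and names & (MIRC_MARKERS - {"script.ini"}))
    return findings


def is_worm_script_ini(text):
    """True if a SCRIPT.INI opens with the comment header quoted in the analysis."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) >= 2 and all(
        ln.startswith(h) for ln, h in zip(lines, SCRIPT_INI_HEADER))


def check_registry(values):
    """values: {value_path: data}.  Flags the autorun entries when they launch a
    .vbs and the IE start page when it points at WIN-BUGSFIX.exe."""
    hits = []
    for path, data in values.items():
        low = str(data).lower()
        if (path in AUTORUN_VALUES and low.endswith(".vbs")) or \
           (path == IE_START_PAGE and "win-bugsfix.exe" in low):
            hits.append(path)
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM",
    r"C:\My Documents\PICTURE.JPG.vbs", r"C:\My Documents\song.mp3.vbs",
    r"C:\My Documents\notes.txt", r"C:\My Documents\report.TXT.vbs",
    r"C:\Scripts\backup.vbs",
    r"C:\mIRC\mirc32.exe", r"C:\mIRC\script.ini", r"C:\Other\script.ini",
]
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32":
        r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL":
        r"C:\WINDOWS\Win32DLL.vbs",
    # The analysis names only the host; <path> is a placeholder for the download path.
    IE_START_PAGE: "http://www.skyinet.net/<path>/WIN-BUGSFIX.exe",
}

if __name__ == "__main__":
    for kind, items in scan_listing(SAMPLE_PATHS).items():
        print(f"{kind:16} {items}")
    print("registry:", check_registry(SAMPLE_REGISTRY))
```

On the sample listing the script reports the three dropped files, recovers PICTURE.JPG and song.mp3 as the originals behind the two overwritten names, flags report.TXT.vbs as a lure-style double extension rather than damage, marks backup.vbs as undecidable by name, and names C:\mIRC (but not C:\Other, where script.ini stands alone) as a directory where the DCC spreader would have been dropped.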
