Hello Tom & TBUDL group,
Thursday, May 04, 2000, 1:04:05 PM, you wrote:
TP> I've always wondered where that stuff is actually stored, since
TP> there's no "TIF" directory under Windows... Ahh well, the secrets
TP> that nobody will ever learn. ;)
I-Worm.LoveLetter is a Visual Basic Script worm that is spreading
through the internet via a Microsoft Outlook e-mail message that reads
as a chain letter.
The worm uses the Outlook e-mail application to spread.
I-Worm.LoveLetter is also an overwriting Visual Basic Script virus,
and it can spread itself using the mIRC client as well.
Technical Details:
When the worm is executed, it first copies itself to the Windows System
directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to the Windows directory:
- Win32DLL.vbs
Then it adds the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
The worm replaces the Internet Explorer home page with a link to an
executable program, "WIN-BUGSFIX.exe", and creates an HTML file,
"LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory.
I-Worm.LoveLetter will use Outlook to mail a copy of itself to everyone
in each address book.
The message will be addressed:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
The worm then searches for files with an extension of .jpeg, .mp3,
.mp2, .jpg, .js, .jse, .css, .wsh, .sct, and .hta on local and remote
drives and overwrites them with itself. Once overwritten, the worm
changes the extension of the overwritten files to .vbs or .vbe.
From: [EMAIL PROTECTED]
Douglas Hinds
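
Added example, not part of the original message: a Python triage check that tests a mail message, a list of registry value paths, and a file snapshot against the indicators quoted above. The snapshot, the placeholder script body, the generalized double-extension pattern, and the assumption that overwritten files are byte-identical to the dropped copies are constructed for illustration.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators quoted in the message above.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
RUN_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
RUN_VALUES = {RUN_PREFIX + "run\\mskernel32", RUN_PREFIX + "runservices\\win32dll"}
# Assumption: generalise the attachment name to any document/media
# extension followed by a script extension.
DOUBLE_EXT = re.compile(r"\.(txt|jpe?g|mp[23]|doc|htm)\.(vbs|vbe)$", re.I)


def check_message(subject, attachments):
    """Reasons a mail message matches the e-mail described above."""
    hits = ["subject"] if subject.strip().upper() == "ILOVEYOU" else []
    hits += ["double-ext:" + a for a in attachments if DOUBLE_EXT.search(a)]
    return hits


def check_autoruns(values):
    """Registry value paths that match the two autorun entries."""
    return [v for v in values if v.lower() in RUN_VALUES]


def find_copies(files):
    """files maps path -> bytes. Returns (dropped, overwritten): the dropped
    copies by name, plus every other .vbs/.vbe file with identical content
    (assumes overwritten files are byte-identical to the dropped script)."""
    dropped = sorted(p for p in files
                     if PureWindowsPath(p).name.lower() in DROPPED_NAMES)
    known = {hashlib.sha256(files[p]).hexdigest() for p in dropped}
    overwritten = sorted(
        p for p, data in files.items()
        if p not in dropped
        and PureWindowsPath(p).suffix.lower() in (".vbs", ".vbe")
        and hashlib.sha256(data).hexdigest() in known)
    return dropped, overwritten


# Constructed snapshot: WORM stands in for the script body, not real code.
WORM = b"' placeholder for the worm script body\r\n"
SNAPSHOT = {
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs": WORM,
    r"C:\WINDOWS\Win32DLL.vbs": WORM,
    r"C:\My Documents\holiday.vbs": WORM,             # was holiday.jpg
    r"C:\My Documents\logon.vbs": b"WScript.Echo 1",  # unrelated script
    r"C:\My Documents\song.mp3": b"ID3...",
}
```

Matching by content hash keeps the unrelated logon.vbs out of the results, which a plain search for .vbs files would not.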