Another set of Worms (virus)

• Next message: subramaniyan_narayanaswami@sandwich.pfizer.com: "Thanks for PIUG 2000"
• Previous message: Lucia Akers: "Tentative Date and Very Preliminary Plans for PIUG 2001 Annual Conference"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

FYI - There are several more variants of the Loveletter worm, so beware of
any email attachments. For more information, see:

http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05052000.asp&Sel=751

William M. Murray
Information Scientist CR&D - CIS
E.I. DuPont de Nemours & CO.
Wilmington, DE 19880
(302) 992-2672
PIUG-L Sysop

------------------------------------------------

This is an update to the original message and alert

AVERT is issuing an additional alert for two variants/copycats of the
Loveletter worm.

The b variant has the subject "Susitikim shi vakara kavos puodukui..." The
DOC is the same.

The c variant has the subject "Joke" and the DOC is called VeryFunny.vbs.

We are posting updated extra.dat, and exrta.drv to the NAI/McAfeeB2B/AVERT
websites.

http://vil.nai.com/villib/dispvirus.asp?virus_k=98617

Regards,

AVERT

-----Original Message-----
From: AVERT ALERT
Sent: Thursday, May 04, 2000 10:53 AM
To: 'virus-alert@lists.nai.com'
Subject: HIGH RISK VIRUS ALERT

Approved: modempool.posting

AVERT would like to update you on a High Risk Worm as it is at Outbreak
status.

The worm is called VBS/Loveletter. Below is a description of the worm, an
extra.dat - for McAfee VirusScan users, and the extra.drv - for DrSolomon
Toolkit/FindVirus customers.

This worm has become more widespread than Melissa. If you receive and with
the subject I love you DELETE IT!

Virus Name: VBS/LoveLetter.worm
Aliases: none known

Characteristics:

This is a VBScript worm with virus qualities. This worm will arrive in an
email message with this format:<P>

<i>Subject "ILOVEYOU"<br>
Message "kindly check the attached LOVELETTER coming from me."<br>
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"</i><P>

If the user runs the attachment the worm runs using the Windows Scripting
Host program. This is not normally present on Windows 9x or Windows NT
unless Internet Explorer 5 is installed.<P>

When the worm is first run it drops copies of itself in the following places
:<P>

<i>C:\WINDOWS\SYSTEM\MSKERNEL32.VBS<br>
C:\WINDOWS\WIN32DLL.VBS<br>
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS</i><P>

It also adds the registry keys :<P>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<br>
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs<P>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\<br
>
Win32DLL=C:\WINDOWS\Win32DLL.vbs<P>

in order to run the worm at system startup.<P>

The worm replaces the following files:<P>

*.JPG<br>
*.JPEG<br>
*.MP3<br>
*.MP2<P>

with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.<P>

The worm also overwrites the following files:<P>

*.VBS<br>
*.VBE<br>
*.JS<br>
*.JSE<br>
*.CSS<br>
*.WSH<br>
*.SCT<br>
*.HTA<P>

with copies of itself and renames the files to *.VBS.<P>

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm
and this is then sent to the IRC channels if the mIRC client is installed.
This is accomplished by the worm replacing the file SCRIPT.INI.<p>

After a short delay the worm uses Microsoft Outlook to send copies of itself
to all entries in the address book.
The mails will be of the same format as the original mail.<P>

This worm also has onother trick up it's sleeve in that it tries to download
and install an executable file called WIN-BUGSFIX.EXE from the Internet.
This exe file is a password stealing program that will email any cached
passwords to the mail address MAILME@SUPER.NET.PH<P>

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the password
stealing trojan.<P>

The email sent by this program is as follows :<P>

-------------copy of email sent-----------<br>
From: goat1@192.168.0.2To: mailme@super.net.ph<br>
Subject: Barok... email.passwords.sender.trojan<br>
X-Mailer: Barok... email.passwords.sender.<br>
trojan---by: spyder<br>
Host: [machine name]<br>
Username: [user name]<br>
IP Address: [victim IP address]<P>

RAS Passwords:...[victim password info]<br>
Cache Passwords:...[victim password info]<br>
-------------copy of email sent-----------<P>

The password stealing trojan is also installed via the following registry
key:<P>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
<P>

to autorun at system startup. After it has been run the password stealing
trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the
registry key with<P>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<br>
WinFAT32=WinFAT32.EXE<P>

Date Discovered:Thursday May 4th 2000
DAT included: 4077
Risk: High

Regards,

AVERT

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

• Next message: subramaniyan_narayanaswami@sandwich.pfizer.com: "Thanks for PIUG 2000"
• Previous message: Lucia Akers: "Tentative Date and Very Preliminary Plans for PIUG 2001 Annual Conference"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Fri Aug 10 2001 - 15:58:23 EDT